-------------------------------------------------------------------------
Debian LTS Advisory DLA-2485-1                [email protected]
https://www.debian.org/lts/security/                            Brian May
December 09, 2020                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : golang-golang-x-net-dev
Version        : 1:0.0+git20161013.8b4af36+dfsg-3+deb9u1
CVE ID         : CVE-2019-9512 CVE-2019-9514

The http2 server support in this package was vulnerable to
certain types of DoS attacks.


    This code was vulnerable to ping floods, potentially leading to a denial of
    service. The attacker sends continual pings to an HTTP/2 peer, causing the peer
    to build an internal queue of responses. Depending on how efficiently this data
    is queued, this can consume excess CPU, memory, or both.


    This code was vulnerable to a reset flood, potentially leading to a denial
    of service. The attacker opens a number of streams and sends an invalid request
    over each stream that should solicit a stream of RST_STREAM frames from the
    peer. Depending on how the peer queues the RST_STREAM frames, this can consume
    excess memory, CPU, or both.
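
Both floods above depend on the peer queueing solicited responses without
bound. The following Go model is an added example, not code from this advisory
or from golang.org/x/net: it caps the queue of pending PING acknowledgements
and RST_STREAM frames and drops the connection once the cap is reached. The
conn type, the simulate helper and the cap of 1000 are assumptions made for
the example.

```go
package main

import (
	"errors"
	"fmt"
)

const (
	frameRSTStream   = 0x3  // RFC 7540 section 6.4
	framePing        = 0x6  // RFC 7540 section 6.7
	maxQueuedControl = 1000 // cap assumed for this example, not taken from the advisory
)

var errControlFlood = errors.New("control frame queue full, closing connection")

// conn models only the outbound control-frame queue of one HTTP/2 connection
// (hypothetical type for this example).
type conn struct {
	queued []byte // frame types waiting for the peer to read them
	closed bool
}

// enqueueControl queues a PING ack or RST_STREAM. At the cap it closes the
// connection and frees the backlog instead of letting the queue grow.
func (c *conn) enqueueControl(t byte) error {
	if c.closed || len(c.queued) >= maxQueuedControl {
		c.closed, c.queued = true, nil
		return errControlFlood
	}
	c.queued = append(c.queued, t)
	return nil
}

// simulate has a peer solicit n control frames of type t. The peer drains the
// queue after every readEvery-th frame; readEvery == 0 means it never reads.
func simulate(t byte, n, readEvery int) (accepted int, err error) {
	c := &conn{}
	for i := 1; i <= n; i++ {
		if err = c.enqueueControl(t); err != nil {
			return accepted, err
		}
		accepted++
		if readEvery > 0 && i%readEvery == 0 {
			c.queued = c.queued[:0] // peer read everything that was pending
		}
	}
	return accepted, nil
}

func main() {
	fmt.Println(simulate(framePing, 5000, 0))       // peer never reads its socket
	fmt.Println(simulate(frameRSTStream, 5000, 10)) // peer keeps reading
}
```

A peer that keeps reading never approaches the cap, so only connections whose
backlog grows without being drained are closed.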

For Debian 9 stretch, these problems have been fixed in version

We recommend that you upgrade your golang-golang-x-net-dev packages.

For the detailed security status of golang-golang-x-net-dev please refer to
its security tracker page at:

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS