[ASA-201908-15] go: multiple issues

2019-08-24T00:00:00
ID ASA-201908-15
Type archlinux
Reporter ArchLinux
Modified 2019-08-24T00:00:00

Description

Arch Linux Security Advisory ASA-201908-15

Severity: Medium Date : 2019-08-24 CVE-ID : CVE-2019-9512 CVE-2019-9514 CVE-2019-14809 Package : go Type : multiple issues Remote : Yes Link : https://security.archlinux.org/AVG-1021

Summary

The package go before version 2:1.12.8-1 is vulnerable to multiple issues including denial of service and insufficient validation.

Resolution

Upgrade to 2:1.12.8-1.

pacman -Syu "go>=2:1.12.8-1"

The problems have been fixed upstream in version 1.12.8.

Workaround

None.

Description

  • CVE-2019-9512 (denial of service)

An issue has been found in several HTTP/2 implementations, where the attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.

  • CVE-2019-9514 (denial of service)

An issue has been found in several HTTP/2 implementations, where the attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both, potentially leading to a denial of service.

  • CVE-2019-14809 (insufficient validation)

An issue has been found in Go before 1.12.8, where url.Parse would accept URLs with malformed hosts, such that the Host field could have arbitrary suffixes that would appear in neither Hostname() nor Port(), allowing authorization bypasses in certain applications. Note that URLs with invalid, not numeric ports will now return an error from url.Parse.

Impact

A remote attacker is able to cause a denial of service by sending a specially crafted packet or bypass authorization due to insufficient validation.

References

https://groups.google.com/forum/#!msg/golang-announce/65QixT3tcmg/DrFiG6vvCwAJ https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md https://golang.org/issue/29098 https://security.archlinux.org/CVE-2019-9512 https://security.archlinux.org/CVE-2019-9514 https://security.archlinux.org/CVE-2019-14809