[SECURITY] [DLA 1920-1] golang-go.crypto security update

2019-09-1306:19:49

lists.debian.org

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.006 Low

EPSS

Percentile

77.3%

JSON

Package : golang-go.crypto
Version : 0.0~hg190-1+deb8u2
CVE ID : CVE-2019-11841

This package ignored the value of the Hash header, which allows an
attacker to spoof it. An attacker can not only embed arbitrary Armor
Headers, but also prepend arbitrary text to cleartext messages
without invalidating the signatures.

For Debian 8 "Jessie", this problem has been fixed in version
0.0~hg190-1+deb8u2.

We recommend that you upgrade your golang-go.crypto packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

OSVersionArchitecturePackageVersionFilename
Debian10allgolang-go.crypto< 1:0.0~git20181203.505ab14-1+deb10u1golang-go.crypto_1:0.0~git20181203.505ab14-1+deb10u1_all.deb
Debian9allgolang-golang-x-crypto-dev< 1:0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782-1+deb8u1golang-golang-x-crypto-dev_1:0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782-1+deb8u1_all.deb
Debian9allgolang-go.crypto< 1:0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782-1+deb8u1golang-go.crypto_1:0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782-1+deb8u1_all.deb
Debian10allgolang-golang-x-crypto-dev< 1:0.0~git20181203.505ab14-1+deb10u1golang-golang-x-crypto-dev_1:0.0~git20181203.505ab14-1+deb10u1_all.deb
Debian8allgolang-go.crypto< 0.0~hg190-1+deb8u2golang-go.crypto_0.0~hg190-1+deb8u2_all.deb
Debian8allgolang-go.crypto-dev< 0.0~hg190-1+deb8u2golang-go.crypto-dev_0.0~hg190-1+deb8u2_all.deb
Debian9allgolang-go.crypto-dev< 1:0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782-1+deb8u1golang-go.crypto-dev_1:0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782-1+deb8u1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	10	all	golang-go.crypto	< 1:0.0~git20181203.505ab14-1+deb10u1	golang-go.crypto_1:0.0~git20181203.505ab14-1+deb10u1_all.deb
Debian	9	all	golang-golang-x-crypto-dev	< 1:0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782-1+deb8u1	golang-golang-x-crypto-dev_1:0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782-1+deb8u1_all.deb
Debian	9	all	golang-go.crypto	< 1:0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782-1+deb8u1	golang-go.crypto_1:0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782-1+deb8u1_all.deb
Debian	10	all	golang-golang-x-crypto-dev	< 1:0.0~git20181203.505ab14-1+deb10u1	golang-golang-x-crypto-dev_1:0.0~git20181203.505ab14-1+deb10u1_all.deb
Debian	8	all	golang-go.crypto	< 0.0~hg190-1+deb8u2	golang-go.crypto_0.0~hg190-1+deb8u2_all.deb
Debian	8	all	golang-go.crypto-dev	< 0.0~hg190-1+deb8u2	golang-go.crypto-dev_0.0~hg190-1+deb8u2_all.deb
Debian	9	all	golang-go.crypto-dev	< 1:0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782-1+deb8u1	golang-go.crypto-dev_1:0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782-1+deb8u1_all.deb