7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.8 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:N/I:N/A:C
0.821 High
EPSS
Percentile
98.3%
Debian LTS Advisory DLA-2485-1 [email protected]
https://www.debian.org/lts/security/ Brian May
December 09, 2020 https://wiki.debian.org/LTS
Package : golang-golang-x-net-dev
Version : 1:0.0+git20161013.8b4af36+dfsg-3+deb9u1
CVE ID : CVE-2019-9512 CVE-2019-9514
The http2 server support in this package was vulnerable to
certain types of DOS attacks.
CVE-2019-9512
This code was vulnerable to ping floods, potentially leading to a denial of
service. The attacker sends continual pings to an HTTP/2 peer, causing the peer
to build an internal queue of responses. Depending on how efficiently this data
is queued, this can consume excess CPU, memory, or both.
CVE-2019-9514
This code was vulnerable to a reset flood, potentially leading to a denial
of service. The attacker opens a number of streams and sends an invalid request
over each stream that should solicit a stream of RST_STREAM frames from the
peer. Depending on how the peer queues the RST_STREAM frames, this can consume
excess memory, CPU, or both.
For Debian 9 stretch, these problems have been fixed in version
1:0.0+git20161013.8b4af36+dfsg-3+deb9u1.
We recommend that you upgrade your golang-golang-x-net-dev packages.
For the detailed security status of golang-golang-x-net-dev please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/golang-golang-x-net-dev
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Debian | 10 | mipsel | libh2o0.13 | < 2.2.5+dfsg2-2+deb10u1 | libh2o0.13_2.2.5+dfsg2-2+deb10u1_mipsel.deb |
Debian | 10 | s390x | libnode64 | < 10.19.0~dfsg1-1 | libnode64_10.19.0~dfsg1-1_s390x.deb |
Debian | 10 | i386 | h2o | < 2.2.5+dfsg2-2+deb10u1 | h2o_2.2.5+dfsg2-2+deb10u1_i386.deb |
Debian | 10 | ppc64el | trafficserver | < 8.0.2+ds-1+deb10u1 | trafficserver_8.0.2+ds-1+deb10u1_ppc64el.deb |
Debian | 10 | all | libh2o-dev-common | < 2.2.5+dfsg2-2+deb10u1 | libh2o-dev-common_2.2.5+dfsg2-2+deb10u1_all.deb |
Debian | 10 | all | nodejs | < 10.19.0~dfsg1-1 | nodejs_10.19.0~dfsg1-1_all.deb |
Debian | 10 | mipsel | libh2o-evloop-dev | < 2.2.5+dfsg2-2+deb10u1 | libh2o-evloop-dev_2.2.5+dfsg2-2+deb10u1_mipsel.deb |
Debian | 10 | mipsel | libnode-dev | < 10.19.0~dfsg1-1 | libnode-dev_10.19.0~dfsg1-1_mipsel.deb |
Debian | 10 | armhf | golang-1.11-src | < 1.11.6-1+deb10u1 | golang-1.11-src_1.11.6-1+deb10u1_armhf.deb |
Debian | 10 | s390x | libh2o-evloop0.13 | < 2.2.5+dfsg2-2+deb10u1 | libh2o-evloop0.13_2.2.5+dfsg2-2+deb10u1_s390x.deb |
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.8 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:N/I:N/A:C
0.821 High
EPSS
Percentile
98.3%