Malware Devil

Wednesday, December 9, 2020

ESB-2020.4324 – [Debian] golang-golang-x-net-dev: Denial of service – Remote/unauthenticated

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.4324
                  golang-golang-x-net-dev security update
                              9 December 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           golang-golang-x-net-dev
Publisher:         Debian
Operating System:  Debian GNU/Linux
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-9514 CVE-2019-9512 

Reference:         ESB-2020.0419

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2020/12/msg00011.html

--------------------------BEGIN INCLUDED TEXT--------------------

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

-------------------------------------------------------------------------
Debian LTS Advisory DLA-2485-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                            Brian May
December 09, 2020                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : golang-golang-x-net-dev
Version        : 1:0.0+git20161013.8b4af36+dfsg-3+deb9u1
CVE ID         : CVE-2019-9512 CVE-2019-9514

The HTTP/2 server support in this package was vulnerable to
certain types of denial-of-service (DoS) attacks.

CVE-2019-9512

    This code was vulnerable to ping floods, potentially leading to a denial of
    service. The attacker sends continual pings to an HTTP/2 peer, causing the peer
    to build an internal queue of responses. Depending on how efficiently this data
    is queued, this can consume excess CPU, memory, or both.

CVE-2019-9514

    This code was vulnerable to a reset flood, potentially leading to a denial
    of service. The attacker opens a number of streams and sends an invalid request
    over each stream that should solicit a stream of RST_STREAM frames from the
    peer. Depending on how the peer queues the RST_STREAM frames, this can consume
    excess memory, CPU, or both.

For Debian 9 stretch, these problems have been fixed in version
1:0.0+git20161013.8b4af36+dfsg-3+deb9u1.

We recommend that you upgrade your golang-golang-x-net-dev packages.

For the detailed security status of golang-golang-x-net-dev please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/golang-golang-x-net-dev

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
