Arch Linux Security Advisory ASA-201908-15
=========================================
Severity: Medium
Date    : 2019-08-24
CVE-ID  : CVE-2019-9512 CVE-2019-9514 CVE-2019-14809
Package : go
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1021

Summary
======
The package go before version 2:1.12.8-1 is vulnerable to multiple
issues including denial of service and insufficient validation.

Resolution
=========
Upgrade to 2:1.12.8-1.

# pacman -Syu "go>=2:1.12.8-1"

The problems have been fixed upstream in version 1.12.8.

Workaround
=========
None.

Description
==========
- CVE-2019-9512 (denial of service)

An issue has been found in several HTTP/2 implementations, where the
attacker sends continual pings to an HTTP/2 peer, causing the peer to
build an internal queue of responses. Depending on how efficiently this
data is queued, this can consume excess CPU, memory, or both,
potentially leading to a denial of service.

- CVE-2019-9514 (denial of service)

An issue has been found in several HTTP/2 implementations, where the
attacker opens a number of streams and sends an invalid request over
each stream that should solicit a stream of RST_STREAM frames from the
peer. Depending on how the peer queues the RST_STREAM frames, this can
consume excess memory, CPU, or both, potentially leading to a denial of
service.

- CVE-2019-14809 (insufficient validation)

An issue has been found in Go before 1.12.8, where url.Parse would
accept URLs with malformed hosts, such that the Host field could have
arbitrary suffixes that would appear in neither Hostname() nor Port(),
allowing authorization bypasses in certain applications. Note that URLs
with invalid, not numeric ports will now return an error from
url.Parse.

Impact
=====
A remote attacker is able to cause a denial of service by sending a
specially crafted packet or bypass authorization due to insufficient
validation.

References
=========
https://groups.google.com/forum/#!msg/golang-announce/65QixT3tcmg/DrFiG6vvCwAJ
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
https://github.com/golang/go/issues/29098
https://security.archlinux.org/CVE-2019-9512
https://security.archlinux.org/CVE-2019-9514
https://security.archlinux.org/CVE-2019-14809

ArchLinux: 201908-15: go: multiple issues

August 29, 2019

Summary

- CVE-2019-9512 (denial of service) An issue has been found in several HTTP/2 implementations, where the attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
- CVE-2019-9514 (denial of service)
An issue has been found in several HTTP/2 implementations, where the attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both, potentially leading to a denial of service.
- CVE-2019-14809 (insufficient validation)
An issue has been found in Go before 1.12.8, where url.Parse would accept URLs with malformed hosts, such that the Host field could have arbitrary suffixes that would appear in neither Hostname() nor Port(), allowing authorization bypasses in certain applications. Note that URLs with invalid, not numeric ports will now return an error from url.Parse.

Resolution

Upgrade to 2:1.12.8-1. # pacman -Syu "go>=2:1.12.8-1"
The problems have been fixed upstream in version 1.12.8.

References

https://groups.google.com/forum/#!msg/golang-announce/65QixT3tcmg/DrFiG6vvCwAJ https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md https://github.com/golang/go/issues/29098 https://security.archlinux.org/CVE-2019-9512 https://security.archlinux.org/CVE-2019-9514 https://security.archlinux.org/CVE-2019-14809

Severity
Package : go
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-1021

Workaround

None.

Related News

The End of the Road for Linux 6.11: A Call to Upgrade to Kernel 6.12
3 - 5 min read
The Linux kernel community recently issued an EOL announcement regarding the 6.11 kernel series, urging sysadmins to upgrade quickly to 6.12 . This
A Linux Admin
3 - 6 min read
As 2025 approaches, we Linux admins are facing new and often unseen cloud-native security obstacles. While skilled at mitigating known risks,
Leveraging Insights from the Linux Foundation
3 - 5 min read
The Linux Foundation's recent Census III report provides critical insights for Linux administrators, information security professionals, and anyone
Chrome 131 Released: Emergency Security Update Fixes Over a Dozen Significant Vulns
3 - 6 min read
Google recently unveiled a critical security update to their popular web browser, Google Chrome, addressing over a dozen significant security
From Wayland Fixes to Security Boosts: Examining Qt 6.8.1
3 - 6 min read
The recent Qt 6.8.1 release brings significant updates and improvements, strengthening its reputation as a secure and reliable application
Exploring Arch Linux 2024.12.01: Security Implications & Notable Enhancements for Linux Admins
3 - 6 min read
The Arch Linux 2024.12.01 ISO release marks an impressive milestone, offering cutting-edge updates that enhance functionality, streamline
Deck the Halls with Enhanced Security: Linux Kernel 6.13
3 - 5 min read
As Linux admins and infosec professionals prepare for the holiday season, there's much cause for celebration this year! Linus Torvalds recently made
Lessons from Bootkitty: Securing Linux Systems Against UEFI Intrusions
3 - 5 min read
New Linux security threats mark critical junctures that challenge existing policies and test security protocols to their limit. One such milestone

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved