Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

suse-cvrf логотип

openSUSE-SU-2019:2000-1

Опубликовано: 24 авг. 2019
Источник: suse-cvrf

Описание

Security update for go1.12

This update for go1.12 fixes the following issues:

Security issues fixed:

  • CVE-2019-9512: Fixed HTTP/2 flood using PING frames that results in unbounded memory growth. (bsc#1146111)
  • CVE-2019-9514: Fixed HTTP/2 implementation is vulnerable to a reset flood, potentially leading to a denial of service. (bsc#1146115)
  • CVE-2019-14809: Fixed authorization bypass due to malformed hosts in URLs. (bsc#1146123)

Список пакетов

openSUSE Leap 15.1
go1.12-1.12.9-lp151.2.9.1
go1.12-doc-1.12.9-lp151.2.9.1
go1.12-race-1.12.9-lp151.2.9.1

Ссылки

Описание

net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles malformed hosts in URLs, leading to an authorization bypass in some applications. This is related to a Host field with a suffix appearing in neither Hostname() nor Port(), and is related to a non-numeric port number. For example, an attacker can compose a crafted javascript:// URL that results in a hostname of google.com.

Затронутые продукты
openSUSE Leap 15.1:go1.12-1.12.9-lp151.2.9.1
openSUSE Leap 15.1:go1.12-doc-1.12.9-lp151.2.9.1
openSUSE Leap 15.1:go1.12-race-1.12.9-lp151.2.9.1
Ссылки

Описание

Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.

Затронутые продукты
openSUSE Leap 15.1:go1.12-1.12.9-lp151.2.9.1
openSUSE Leap 15.1:go1.12-doc-1.12.9-lp151.2.9.1
openSUSE Leap 15.1:go1.12-race-1.12.9-lp151.2.9.1
Ссылки

Описание

Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both.

Затронутые продукты
openSUSE Leap 15.1:go1.12-1.12.9-lp151.2.9.1
openSUSE Leap 15.1:go1.12-doc-1.12.9-lp151.2.9.1
openSUSE Leap 15.1:go1.12-race-1.12.9-lp151.2.9.1
Ссылки