Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

suse-cvrf логотип

openSUSE-SU-2019:2056-1

Опубликовано: 02 сент. 2019
Источник: suse-cvrf

Описание

Security update for go1.12

This update for go1.12 fixes the following issues:

Security issues fixed:

  • CVE-2019-9512: Fixed HTTP/2 flood using PING frames that results in unbounded memory growth (bsc#1146111).
  • CVE-2019-9514: Fixed HTTP/2 implementation that is vulnerable to a reset flood, potentially leading to a denial of service (bsc#1146115).
  • CVE-2019-14809: Fixed malformed hosts in URLs that leads to authorization bypass (bsc#1146123).

Bugfixes:

  • Update to go version 1.12.9 (bsc#1141689).
  • Adding Web Assembly stuff from misc/wasm (bsc#1139210).

This update was imported from the SUSE:SLE-15:Update update project.

Список пакетов

openSUSE Leap 15.0
go1.12-1.12.9-lp151.2.13.1
go1.12-doc-1.12.9-lp151.2.13.1
go1.12-race-1.12.9-lp151.2.13.1
openSUSE Leap 15.1
go1.12-1.12.9-lp151.2.13.1
go1.12-doc-1.12.9-lp151.2.13.1
go1.12-race-1.12.9-lp151.2.13.1

Ссылки

Описание

net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles malformed hosts in URLs, leading to an authorization bypass in some applications. This is related to a Host field with a suffix appearing in neither Hostname() nor Port(), and is related to a non-numeric port number. For example, an attacker can compose a crafted javascript:// URL that results in a hostname of google.com.

Затронутые продукты
openSUSE Leap 15.0:go1.12-1.12.9-lp151.2.13.1
openSUSE Leap 15.0:go1.12-doc-1.12.9-lp151.2.13.1
openSUSE Leap 15.0:go1.12-race-1.12.9-lp151.2.13.1
openSUSE Leap 15.1:go1.12-1.12.9-lp151.2.13.1
Ссылки

Описание

Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.

Затронутые продукты
openSUSE Leap 15.0:go1.12-1.12.9-lp151.2.13.1
openSUSE Leap 15.0:go1.12-doc-1.12.9-lp151.2.13.1
openSUSE Leap 15.0:go1.12-race-1.12.9-lp151.2.13.1
openSUSE Leap 15.1:go1.12-1.12.9-lp151.2.13.1
Ссылки

Описание

Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both.

Затронутые продукты
openSUSE Leap 15.0:go1.12-1.12.9-lp151.2.13.1
openSUSE Leap 15.0:go1.12-doc-1.12.9-lp151.2.13.1
openSUSE Leap 15.0:go1.12-race-1.12.9-lp151.2.13.1
openSUSE Leap 15.1:go1.12-1.12.9-lp151.2.13.1
Ссылки