
Bug 692152 (CVE-2019-14809)

Summary: <dev-lang/go-{1.11.13,1.12.8}: multiple vulnerabilities
Product: Gentoo Security Reporter: Aaron Bauman (RETIRED) <bman>
Component: Vulnerabilities    Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: williamh
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://groups.google.com/forum/#!msg/golang-announce/65QixT3tcmg/DrFiG6vvCwAJ
Whiteboard: B3 [noglsa cve]
Package list:
dev-lang/go-1.11.13 dev-lang/go-1.12.8
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 719460    

Description Aaron Bauman (RETIRED) gentoo-dev 2019-08-14 15:50:49 UTC
Hi gophers,

We have just released Go 1.12.8 and Go 1.11.13 to address recently reported security issues. We recommend that all users update to one of these releases (if you’re not sure which, choose Go 1.12.8).

    net/http: Denial of Service vulnerabilities in the HTTP/2 implementation

    net/http and golang.org/x/net/http2 servers that accept direct connections from untrusted clients could be remotely made to allocate an unlimited amount of memory, until the program crashes. Servers will now close connections if the send queue accumulates too many control messages.
    The issues are CVE-2019-9512 and CVE-2019-9514, and Go issue golang.org/issue/33606.
    Thanks to Jonathan Looney from Netflix for discovering and reporting these issues.

    This is also fixed in version v0.0.0-20190813141303-74dc4d7220e7 of golang.org/x/net/http2.

    net/url: parsing validation issue

    url.Parse would accept URLs with malformed hosts, such that the Host field could have arbitrary suffixes that would appear in neither Hostname() nor Port(), allowing authorization bypasses in certain applications. Note that URLs with invalid, non-numeric ports will now return an error from url.Parse.
    The issue is CVE-2019-14809 and Go issue golang.org/issue/29098.
    Thanks to Julian Hector and Nikolai Krein from Cure53, and Adi Cohen (adico.me) for discovering and reporting this issue.

Downloads are available at https://golang.org/dl for all supported platforms.

Thank you,
Dmitri on behalf of the Go team
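The net/url issue described in the announcement above, as an added Go example that is not part of the announcement, of Gentoo's packaging, or of Go's own code: a defensive check (checkAuthority, strictParse and isAllowedOrigin are constructed names) that rejects any parsed URL whose Host carries bytes outside what Hostname() and Port() report, so a host allowlist compares only a validated hostname whatever Go version is installed.

```go
package main

import (
	"fmt"
	"net/url"
	"strconv"
	"strings"
)

// checkAuthority is a constructed defensive check (not part of net/url): it
// rejects a URL whose Host carries bytes that neither Hostname() nor Port()
// account for, or whose port is not a number in range.
func checkAuthority(u *url.URL) error {
	host, port := u.Hostname(), u.Port()
	if n, err := strconv.Atoi(port); port != "" && (err != nil || n < 0 || n > 65535) {
		return fmt.Errorf("invalid port %q", port)
	}
	// Rebuild the authority from the two accessors (IPv6 literals are bracketed)
	// and require it to match the raw Host byte for byte.
	want := host
	if strings.Contains(host, ":") {
		want = "[" + host + "]"
	}
	if port != "" {
		want += ":" + port
	}
	if want != u.Host {
		return fmt.Errorf("host %q has bytes outside hostname %q and port %q", u.Host, host, port)
	}
	return nil
}

// strictParse wraps url.Parse (patched Go already errors on malformed hosts)
// with checkAuthority so the caller never acts on an inconsistent Host.
func strictParse(raw string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	return u, checkAuthority(u)
}

// isAllowedOrigin is the kind of allowlist check the advisory says could be
// bypassed; it compares only a validated, lower-cased Hostname() to the list.
func isAllowedOrigin(raw string, allowed map[string]bool) bool {
	u, err := strictParse(raw)
	return err == nil && allowed[strings.ToLower(u.Hostname())]
}
```

The hand-built url.URL case matters because values that never went through url.Parse (or came from an unpatched toolchain) still reach checkAuthority.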
Comment 1 Larry the Git Cow gentoo-dev 2019-08-14 17:08:27 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=deb937ea1e309ff0f7473e5346f265a1855df3d8

commit deb937ea1e309ff0f7473e5346f265a1855df3d8
Author:     William Hubbs <william.hubbs@sony.com>
AuthorDate: 2019-08-14 17:06:07 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2019-08-14 17:07:58 +0000

    dev-lang/go: 1.11.13 and 1.12.8 security bump
    
    Bug: https://bugs.gentoo.org/692152
    Copyright: Sony Interactive Entertainment Inc.
    Package-Manager: Portage-2.3.69, Repoman-2.3.16
    RepoMan-Options: --force
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 dev-lang/go/Manifest          |   2 +
 dev-lang/go/go-1.11.13.ebuild | 246 ++++++++++++++++++++++++++++++++++++++++++
 dev-lang/go/go-1.12.8.ebuild  | 246 ++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 494 insertions(+)
Comment 2 William Hubbs gentoo-dev 2019-08-14 17:12:53 UTC
Arm and x86, please stabilize dev-lang/go-1.11.13 and dev-lang/go-1.12.8.

Thanks,

William
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2019-08-16 22:39:17 UTC
x86 stable
Comment 4 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-09-01 18:28:53 UTC
arm stable
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2019-09-02 22:27:16 UTC
@maintainer, please drop vulnerable.
Comment 6 Larry the Git Cow gentoo-dev 2019-09-06 13:51:27 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2ad9515a15cbab9ce0b71f045ef4c47195589ed7

commit 2ad9515a15cbab9ce0b71f045ef4c47195589ed7
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2019-09-06 13:24:39 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2019-09-06 13:25:23 +0000

    dev-lang/go: remove old 1.12 versions
    
    All 1.11 versions are removed since that version is no longer supported
    upstream.
    
    Bug: https://bugs.gentoo.org/692152
    Package-Manager: Portage-2.3.69, Repoman-2.3.16
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 dev-lang/go/Manifest         |   3 -
 dev-lang/go/go-1.12.5.ebuild | 246 -------------------------------------------
 dev-lang/go/go-1.12.6.ebuild | 246 -------------------------------------------
 dev-lang/go/go-1.12.7.ebuild | 246 -------------------------------------------
 4 files changed, 741 deletions(-)