Bug 692152 (CVE-2019-14809) - <dev-lang/go-{1.11.13,1.12.8}: multiple vulnerabilities
Summary: <dev-lang/go-{1.11.13,1.12.8}: multiple vulnerabilities
Alias: CVE-2019-14809
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: B3 [noglsa cve]
Depends on:
Blocks: CVE-2019-9511, CVE-2019-9512, CVE-2019-9513, CVE-2019-9514, CVE-2019-9515, CVE-2019-9516, CVE-2019-9517
Reported: 2019-08-14 15:50 UTC by Aaron Bauman (RETIRED)
Modified: 2020-04-26 00:12 UTC

See Also:
Package list:
dev-lang/go-1.11.13 dev-lang/go-1.12.8
Runtime testing required: ---
stable-bot: sanity-check+


Description Aaron Bauman (RETIRED) gentoo-dev 2019-08-14 15:50:49 UTC
Hi gophers,

We have just released Go 1.12.8 and Go 1.11.13 to address recently reported security issues. We recommend that all users update to one of these releases (if you’re not sure which, choose Go 1.12.8).

    net/http: Denial of Service vulnerabilities in the HTTP/2 implementation

    net/http and servers that accept direct connections from untrusted clients could be remotely made to allocate an unlimited amount of memory, until the program crashes. Servers will now close connections if the send queue accumulates too many control messages.
    The issues are CVE-2019-9512 and CVE-2019-9514, and Go issue
    Thanks to Jonathan Looney from Netflix for discovering and reporting these issues.

    This is also fixed in version v0.0.0-20190813141303-74dc4d7220e7 of

    net/url: parsing validation issue

    url.Parse would accept URLs with malformed hosts, such that the Host field could have arbitrary suffixes that would appear in neither Hostname() nor Port(), allowing authorization bypasses in certain applications. Note that URLs with invalid, not numeric ports will now return an error from url.Parse.
    The issue is CVE-2019-14809 and Go issue
    Thanks to Julian Hector and Nikolai Krein from Cure53, and Adi Cohen ( for discovering and reporting this issue.

Downloads are available at for all supported platforms.

Thank you,
Dmitri on behalf of the Go team
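
A defensive check for the net/url issue described above, as an added example that is not part of the Go announcement or of this bug's commits: it accepts a URL only when `Host` is fully accounted for by `Hostname()` and `Port()`, then applies an exact-match allowlist. The helper names `checkedHost` and `hostAllowed`, the allowlist and the sample URLs are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strconv"
	"strings"
)

// checkedHost (hypothetical helper) parses raw and returns the hostname only
// when u.Host is fully explained by Hostname() and Port(), so no suffix can
// hide from a later authorization decision.
func checkedHost(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err // fixed releases reject non-numeric ports here
	}
	host, port := u.Hostname(), u.Port()
	if host == "" {
		return "", fmt.Errorf("no host in %q", raw)
	}
	rebuilt := host
	if strings.Contains(host, ":") {
		rebuilt = "[" + host + "]" // IPv6 literals are bracketed in Host
	}
	if port != "" {
		if n, err := strconv.Atoi(port); err != nil || n < 1 || n > 65535 {
			return "", fmt.Errorf("invalid port %q in %q", port, raw)
		}
		rebuilt = net.JoinHostPort(host, port)
	}
	if rebuilt != u.Host {
		return "", fmt.Errorf("host %q has parts outside Hostname/Port", u.Host)
	}
	return host, nil
}

// hostAllowed applies an exact-match allowlist to the validated hostname.
func hostAllowed(raw string, allow map[string]bool) bool {
	host, err := checkedHost(raw)
	return err == nil && allow[host]
}

func main() {
	allow := map[string]bool{"example.com": true} // constructed sample allowlist
	for _, raw := range []string{"https://example.com:8443/a", "http://example.com:80suffix/"} {
		fmt.Printf("%-32s allowed=%v\n", raw, hostAllowed(raw, allow))
	}
}
```

The round-trip comparison keeps the check effective even on a toolchain that predates the fixed releases, where `url.Parse` itself would not return an error for the malformed host.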
Comment 1 Larry the Git Cow gentoo-dev 2019-08-14 17:08:27 UTC
The bug has been referenced in the following commit(s):

commit deb937ea1e309ff0f7473e5346f265a1855df3d8
Author:     William Hubbs <>
AuthorDate: 2019-08-14 17:06:07 +0000
Commit:     William Hubbs <>
CommitDate: 2019-08-14 17:07:58 +0000

    dev-lang/go: 1.11.13 and 1.12.8 security bump
    Copyright: Sony Interactive Entertainment Inc.
    Package-Manager: Portage-2.3.69, Repoman-2.3.16
    RepoMan-Options: --force
    Signed-off-by: William Hubbs <>

 dev-lang/go/Manifest          |   2 +
 dev-lang/go/go-1.11.13.ebuild | 246 ++++++++++++++++++++++++++++++++++++++++++
 dev-lang/go/go-1.12.8.ebuild  | 246 ++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 494 insertions(+)
Comment 2 William Hubbs gentoo-dev 2019-08-14 17:12:53 UTC
Arm and x86, please stabilize dev-lang/go-1.11.13 and dev-lang/go-1.12.8.


Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2019-08-16 22:39:17 UTC
x86 stable
Comment 4 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-09-01 18:28:53 UTC
arm stable
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2019-09-02 22:27:16 UTC
@maintainer, please drop vulnerable.
Comment 6 Larry the Git Cow gentoo-dev 2019-09-06 13:51:27 UTC
The bug has been referenced in the following commit(s):

commit 2ad9515a15cbab9ce0b71f045ef4c47195589ed7
Author:     William Hubbs <>
AuthorDate: 2019-09-06 13:24:39 +0000
Commit:     William Hubbs <>
CommitDate: 2019-09-06 13:25:23 +0000

    dev-lang/go: remove old 1.12 versions
    All 1.11 versions are removed since that version is no longer supported
    Package-Manager: Portage-2.3.69, Repoman-2.3.16
    Signed-off-by: William Hubbs <>

 dev-lang/go/Manifest         |   3 -
 dev-lang/go/go-1.12.5.ebuild | 246 -------------------------------------------
 dev-lang/go/go-1.12.6.ebuild | 246 -------------------------------------------
 dev-lang/go/go-1.12.7.ebuild | 246 -------------------------------------------
 4 files changed, 741 deletions(-)