Debian Long Term Support / LTS Security Information / 2019 / Security Information -- DLA-1840-1 golang-go.crypto

Debian Security Advisory

DLA-1840-1 golang-go.crypto -- LTS security update

Date Reported:

30 Jun 2019

Affected Packages:

golang-go.crypto

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2019-11840.

More information:

A flaw was found in the amd64 implementation of salsa20. If more than 256 GiB of keystream is generated, or if the counter otherwise grows greater than 32 bits, the amd64 implementation will first generate incorrect output, and then cycle back to previously generated keystream.

For Debian 8 Jessie, this problem has been fixed in version 0.0~hg190-1+deb8u1.

obfs4proxy has been rebuilt as version 0.0.3-2+deb8u1.

We recommend that you upgrade your golang-golang-x-crypto-dev and obfs4proxy packages, and rebuild any software using golang-golang-x-crypto-dev.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS