[SECURITY] [DLA 1920-1] golang-go.crypto security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 1920-1] golang-go.crypto security update
From: Brian May <bam@debian.org>
Date: Fri, 13 Sep 2019 16:19:49 +1000
Message-id: <[🔎] 20190913061948.GA19727@silverfish.pri>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package        : golang-go.crypto
Version        : 0.0~hg190-1+deb8u2
CVE ID         : CVE-2019-11841

This package ignored the value of the Hash header, which allows an
attacker to spoof it. An attacker can not only embed arbitrary Armor
Headers, but also prepend arbitrary text to cleartext messages
without invalidating the signatures.

For Debian 8 "Jessie", this problem has been fixed in version
0.0~hg190-1+deb8u2.

We recommend that you upgrade your golang-go.crypto packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEKpwfR8DOwu5vyB4TKpJZkldkSvoFAl17MLcACgkQKpJZkldk
Svq2QQ/9HV2ZvQawcPk3yoCeJjMnVA4uOlVXKreI84godR7TEPHu/lFMzXxmv7r6
IFNADChJ5SrGIy9/qZOMqg7x4po1/2rJGnzY5L6Sh4BSsu8LzoLC5MO3XTo5NUG5
Lrr0cGdjYCwHkRRq0tSHzJFOME51YHFsosl+2TXKe1BOoJ/YkBv763hgmIrSO5Zl
wCH3aoujtshRBaUZEdCltnw+l2E2ykJJB48in9gtHOMh7r7388Jm9b5xMF9dorjc
pyIs8o1iIbs28igsZXVC8I+kKmr5vJ5iTZ79h8DDUYhLlUCTkuLxC3cb3tRZcxi0
Dy9wfpNK5WCK5dWCWG2QE6BVJGp81+1xiqMqxcbYjhsWPHAZtR2H7hNfvoptq4F7
Pdk3jB4cHUA/sKcAgUTfuXA3rwk0cfnCGpx5Yg8LdlL/wupSsya2Hvo7OgAPJY+a
JKwIxYuwsRiBzKLk1J5ATS3FdFGlgxhD658wKTiAYwZ1za77Re0CddQe4wuR68Tx
QuVXB/8VE7WUM34P7T2jVTMRFpZ8+5ZYrQQmADPLljwUoptxNjM8hYppkYYSssJF
jDHV/34Gs3jvQUiSft46lQK5h5oPxZXgVXwIsaKyMQ9gMXEg95J5AIyipma2MgFm
eqXptJYnP2Y6Zzpbb6Q3XGSssdblgiAD80z19Y4N9h8LcQ3A6Cw=
=AhI4
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 1918-1] libonig security update
Next by Date: [SECURITY] [DLA 1917-1] curl security update
Previous by thread: [SECURITY] [DLA 1918-1] libonig security update
Next by thread: [SECURITY] [DLA 1917-1] curl security update
Index(es):
- Date
- Thread