Debian Long Term Support / LTS Security Information / 2020 / Security Information -- DLA-2485-1 golang-golang-x-net-dev

Debian Security Advisory

DLA-2485-1 golang-golang-x-net-dev -- LTS security update

Date Reported:

09 Dec 2020

Affected Packages:

golang-golang-x-net-dev

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2019-9512, CVE-2019-9514.

More information:

The http2 server support in this package was vulnerable to certain types of DOS attacks.

• CVE-2019-9512

  This code was vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.

• CVE-2019-9514

  This code was vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both.

For Debian 9 stretch, these problems have been fixed in version 1:0.0+git20161013.8b4af36+dfsg-3+deb9u1.

We recommend that you upgrade your golang-golang-x-net-dev packages.

For the detailed security status of golang-golang-x-net-dev please refer to its security tracker page at: https://security-tracker.debian.org/tracker/golang-golang-x-net-dev

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS