[SECURITY] [DLA 2485-1] golang-golang-x-net-dev security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
- -------------------------------------------------------------------------
Debian LTS Advisory DLA-2485-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Brian May
December 09, 2020 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------
Package : golang-golang-x-net-dev
Version : 1:0.0+git20161013.8b4af36+dfsg-3+deb9u1
CVE ID : CVE-2019-9512 CVE-2019-9514
The http2 server support in this package was vulnerable to
certain types of DOS attacks.
CVE-2019-9512
This code was vulnerable to ping floods, potentially leading to a denial of
service. The attacker sends continual pings to an HTTP/2 peer, causing the peer
to build an internal queue of responses. Depending on how efficiently this data
is queued, this can consume excess CPU, memory, or both.
CVE-2019-9514
This code was vulnerable to a reset flood, potentially leading to a denial
of service. The attacker opens a number of streams and sends an invalid request
over each stream that should solicit a stream of RST_STREAM frames from the
peer. Depending on how the peer queues the RST_STREAM frames, this can consume
excess memory, CPU, or both.
For Debian 9 stretch, these problems have been fixed in version
1:0.0+git20161013.8b4af36+dfsg-3+deb9u1.
We recommend that you upgrade your golang-golang-x-net-dev packages.
For the detailed security status of golang-golang-x-net-dev please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/golang-golang-x-net-dev
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEKpwfR8DOwu5vyB4TKpJZkldkSvoFAl/P+dIACgkQKpJZkldk
Svo42A//XLrZMFKa9pv2kQh+QphGCIVATSxuzlWNzQwjYk9UztXxXbMqbmdvx0Ha
+AFFn1X3ZQYboyUmdLWESq4XTgiK+8/EUBqbm39ltG2rZAeAjn74KF7fJ2YPO0Of
/sHg6iPmwC8JZ/FXgCnsc2YcXp28qHRYcy3CCEaVnzhtmm7Yi68a+Jy2UlAEjBgT
gfdLvVQLkbPU7Z4EE1ZtiOQnvQRO0d6+v668cbX+ZP0L709DstVBAKYGQkyJyQJx
8YbwvxnLXN/s1uU5R3vQTOP1z0pEl9L9M40+7zVAYKHPJ709ubIWPdTKYBYsHwQo
0ir4nE0OgeDadxJaReyhcT+446bqB+U5x1p7hQcDxFc/PSS2lsK26qlP0JP5pgM6
S6QCpob1vRduyWWDHTcqwbnmTWJO75m3sEnrrX214LXSmfukBKYPCLgpR/o5P/UQ
4EdJfuULEDvc1jSM0uKOup4zvANnEGKK9IIRrSbplw2RO9gaThus5uRV6Bm0TBm+
NaAnKXeyJ8iUghXYUCVN5VPpW8Vyrzdn1vCFwR3l9EEiKiwXh1jSlhBS9EJAwiKl
g22y4JzXD4Zsmr3+ew+v5IyyBs4Z6OnPOL+wAmYJMj+ZGq98V1g/smb1WZDbzoB/
UJDMWV7Nvl6HhhNMIt8hh27yyNqHcFpM2fWrAv5LOU3ieYhztDc=
=7Bfr
-----END PGP SIGNATURE-----
Reply to: