CVE-2019-17596

Name: CVE-2019-17596
Description: Go before 1.12.11 and 1.13.x before 1.13.2 can panic upon an attempt to process network traffic containing an invalid DSA public key. There are several attack scenarios, such as traffic from a client to a server that verifies client certificates.
Source: CVE (at NVD)
References: DSA-4551-1
NVD severity: medium
Debian Bugs: 942628, 942629

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package     | Release                   | Version            | Status
-------------------|---------------------------|--------------------|-----------
golang (PTS)       | jessie                    | 2:1.3.3-1          | vulnerable
golang (PTS)       | jessie (security)         | 2:1.3.3-1+deb8u2   | vulnerable
golang-1.11 (PTS)  | buster, buster (security) | 1.11.6-1+deb10u3   | fixed
golang-1.13 (PTS)  | bullseye, sid             | 1.13.4-1           | fixed
golang-1.7 (PTS)   | stretch                   | 1.7.4-2            | vulnerable
golang-1.7 (PTS)   | stretch (security)        | 1.7.4-2+deb9u1     | vulnerable
golang-1.8 (PTS)   | stretch                   | 1.8.1-1            | vulnerable
golang-1.8 (PTS)   | stretch (security)        | 1.8.1-1+deb9u1     | vulnerable

The status shown above is derived from the following data on fixed versions.

Package      | Type   | Release    | Fixed Version      | Urgency | Origin     | Debian Bugs
-------------|--------|------------|--------------------|---------|------------|------------
golang       | source | (unstable) | (unfixed)          |         |            |
golang-1.11  | source | (unstable) | (unfixed)          |         |            |
golang-1.11  | source | buster     | 1.11.6-1+deb10u3   |         | DSA-4551-1 |
golang-1.12  | source | (unstable) | 1.12.12-1          |         |            | 942629
golang-1.13  | source | (unstable) | 1.13.3-1           |         |            | 942628
golang-1.7   | source | (unstable) | (unfixed)          |         |            |
golang-1.8   | source | (unstable) | (unfixed)          |         |            |

Notes

[stretch] - golang-1.8 <ignored> (Minor issue)
[stretch] - golang-1.7 <ignored> (Minor issue)
[jessie] - golang <ignored> (Minor issue)
https://golang.org/issue/34960
https://github.com/golang/go/issues/34962 (1.13 backport)
https://github.com/golang/go/issues/34961 (1.12 backport)
https://groups.google.com/forum/#!msg/golang-announce/lVEm7llp0w0/VbafyRkgCgAJ
