CVE-2019-17596

NameCVE-2019-17596
DescriptionGo before 1.12.11 and 1.3.x before 1.13.2 can panic upon an attempt to process network traffic containing an invalid DSA public key. There are several attack scenarios, such as traffic from a client to a server that verifies client certificates.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-2591-1, DLA-2592-1, DSA-4551-1
Debian Bugs942628, 942629

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
golangsource(unstable)(unfixed)
golang-1.11sourcebuster1.11.6-1+deb10u3DSA-4551-1
golang-1.11source(unstable)(unfixed)
golang-1.12source(unstable)1.12.12-1942629
golang-1.13source(unstable)1.13.3-1942628
golang-1.7sourcestretch1.7.4-2+deb9u3DLA-2591-1
golang-1.7source(unstable)(unfixed)
golang-1.8sourcestretch1.8.1-1+deb9u3DLA-2592-1
golang-1.8source(unstable)(unfixed)

Notes

[jessie] - golang <ignored> (Minor issue)
https://golang.org/issue/34960
https://github.com/golang/go/issues/34962 (1.13 backport)
https://github.com/golang/go/issues/34961 (1.12 backport)
https://groups.google.com/forum/#!msg/golang-announce/lVEm7llp0w0/VbafyRkgCgAJ

Search for package or bug name: Reporting problems