[ASA-201908-16] go-pie: multiple issues

Jelle van der Waa jelle at archlinux.org
Thu Aug 29 16:25:57 UTC 2019


Arch Linux Security Advisory ASA-201908-16
==========================================

Severity: Medium
Date    : 2019-08-24
CVE-ID  : CVE-2019-9512 CVE-2019-9514 CVE-2019-14809
Package : go-pie
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1020

Summary
=======

The package go-pie before version 2:1.12.8-1 is vulnerable to multiple
issues including denial of service and insufficient validation.

Resolution
==========

Upgrade to 2:1.12.8-1.

# pacman -Syu "go-pie>=2:1.12.8-1"

The problems have been fixed upstream in version 1.12.8.

Workaround
==========

None.

Description
===========

- CVE-2019-9512 (denial of service)

An issue has been found in several HTTP/2 implementations, where the
attacker sends continual pings to an HTTP/2 peer, causing the peer to
build an internal queue of responses. Depending on how efficiently this
data is queued, this can consume excess CPU, memory, or both,
potentially leading to a denial of service.

- CVE-2019-9514 (denial of service)

An issue has been found in several HTTP/2 implementations, where the
attacker opens a number of streams and sends an invalid request over
each stream that should solicit a stream of RST_STREAM frames from the
peer. Depending on how the peer queues the RST_STREAM frames, this can
consume excess memory, CPU, or both, potentially leading to a denial of
service.

- CVE-2019-14809 (insufficient validation)

An issue has been found in Go before 1.12.8, where url.Parse would
accept URLs with malformed hosts, such that the Host field could have
arbitrary suffixes that would appear in neither Hostname() nor Port(),
allowing authorization bypasses in certain applications. Note that URLs
with invalid, not numeric ports will now return an error from
url.Parse.

Impact
======

A remote attacker is able to cause a denial of service by sending a
specially crafted packet or bypass authorization due to insufficient
validation.

References
==========

https://groups.google.com/forum/#!msg/golang-announce/65QixT3tcmg/DrFiG6vvCwAJ
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
https://golang.org/issue/29098
https://security.archlinux.org/CVE-2019-9512
https://security.archlinux.org/CVE-2019-9514
https://security.archlinux.org/CVE-2019-14809
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: not available
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20190829/4c0a657b/attachment.sig>


More information about the arch-security mailing list