Debian 10226 Published by

A golang-golang-x-net-dev security update has been released for Debian GNU/Linux 9 LTS to address a vulnerabilities that can result in certain types of DOS attacks.



DLA 2485-1: golang-golang-x-net-dev security update



- -------------------------------------------------------------------------
Debian LTS Advisory DLA-2485-1 debian-lts@lists.debian.org
  https://www.debian.org/lts/security/ Brian May
December 09, 2020   https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : golang-golang-x-net-dev
Version : 1:0.0+git20161013.8b4af36+dfsg-3+deb9u1
CVE ID : CVE-2019-9512 CVE-2019-9514

The http2 server support in this package was vulnerable to
certain types of DOS attacks.

CVE-2019-9512

This code was vulnerable to ping floods, potentially leading to a denial of
service. The attacker sends continual pings to an HTTP/2 peer, causing the peer
to build an internal queue of responses. Depending on how efficiently this data
is queued, this can consume excess CPU, memory, or both.

CVE-2019-9514

This code was vulnerable to a reset flood, potentially leading to a denial
of service. The attacker opens a number of streams and sends an invalid request
over each stream that should solicit a stream of RST_STREAM frames from the
peer. Depending on how the peer queues the RST_STREAM frames, this can consume
excess memory, CPU, or both.

For Debian 9 stretch, these problems have been fixed in version
1:0.0+git20161013.8b4af36+dfsg-3+deb9u1.

We recommend that you upgrade your golang-golang-x-net-dev packages.

For the detailed security status of golang-golang-x-net-dev please refer to
its security tracker page at:
  https://security-tracker.debian.org/tracker/golang-golang-x-net-dev

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at:   https://wiki.debian.org/LTS