Arch Linux 804 Published by

The following security updates has been released for Arch Linux:

ASA-201901-10: go-pie: private key recovery
ASA-201901-11: go: private key recovery
ASA-201901-12: matrix-synapse: private key recovery
ASA-201901-13: powerdns-recursor: multiple issues
ASA-201901-14: apache: multiple issues
ASA-201901-15: haproxy: denial of service
ASA-201901-16: nasm: denial of service



ASA-201901-10: go-pie: private key recovery

Arch Linux Security Advisory ASA-201901-11
==========================================

Severity: Medium
Date : 2019-01-24
CVE-ID : CVE-2019-6486
Package : go
Type : private key recovery
Remote : Yes
Link : https://security.archlinux.org/AVG-859

Summary
=======

The package go before version 2:1.11.5-1 is vulnerable to private key
recovery.

Resolution
==========

Upgrade to 2:1.11.5-1.

# pacman -Syu "go>=2:1.11.5-1"

The problem has been fixed upstream in version 1.11.5.

Workaround
==========

None.

Description
===========

Go before versions 1.10.8 and 1.11.5 has a vulnerability in the
crypto/elliptic implementations of the P-521 and P-384 elliptic curves.
A remote attacker can exploit this by crafting inputs that consume
excessive amounts of CPU. These inputs might be delivered via TLS
handshakes, X.509 certificates, JWT tokens, ECDH shares or ECDSA
signatures. In some cases, if an ECDH private key is reused more than
once, the attack can also lead to key recovery.

Impact
======

A remote attacker can crash the system with maliciously crafted input,
or recover the private key.

References
==========

https://groups.google.com/forum/m/#!topic/golang-announce/mVeX35iXuSw
https://github.com/golang/go/issues/29903
https://github.com/golang/go/commit/42b42f71
https://security.archlinux.org/CVE-2019-6486


ASA-201901-11: go: private key recovery

Arch Linux Security Advisory ASA-201901-11
==========================================

Severity: Medium
Date : 2019-01-24
CVE-ID : CVE-2019-6486
Package : go
Type : private key recovery
Remote : Yes
Link : https://security.archlinux.org/AVG-859

Summary
=======

The package go before version 2:1.11.5-1 is vulnerable to private key
recovery.

Resolution
==========

Upgrade to 2:1.11.5-1.

# pacman -Syu "go>=2:1.11.5-1"

The problem has been fixed upstream in version 1.11.5.

Workaround
==========

None.

Description
===========

Go before versions 1.10.8 and 1.11.5 has a vulnerability in the
crypto/elliptic implementations of the P-521 and P-384 elliptic curves.
A remote attacker can exploit this by crafting inputs that consume
excessive amounts of CPU. These inputs might be delivered via TLS
handshakes, X.509 certificates, JWT tokens, ECDH shares or ECDSA
signatures. In some cases, if an ECDH private key is reused more than
once, the attack can also lead to key recovery.

Impact
======

A remote attacker can crash the system with maliciously crafted input,
or recover the private key.

References
==========

https://groups.google.com/forum/m/#!topic/golang-announce/mVeX35iXuSw
https://github.com/golang/go/issues/29903
https://github.com/golang/go/commit/42b42f71
https://security.archlinux.org/CVE-2019-6486


ASA-201901-12: matrix-synapse: private key recovery

Arch Linux Security Advisory ASA-201901-12
==========================================

Severity: High
Date : 2019-01-24
CVE-ID : CVE-2019-5885
Package : matrix-synapse
Type : private key recovery
Remote : No
Link : https://security.archlinux.org/AVG-846

Summary
=======

The package matrix-synapse before version 0.34.1.1-1 is vulnerable to
private key recovery.

Resolution
==========

Upgrade to 0.34.1.1-1.

# pacman -Syu "matrix-synapse>=0.34.1.1-1"

The problem has been fixed upstream in version 0.34.1.1.

Workaround
==========

None.

Description
===========

matrix-synapse before 0.34.1 is vulnerable to private key recovery as
synapse will attempt to derive a secret key from other secrets
specified in the configuration file for "macaroon_secret_key". However,
in all versions of Synapse up to and including 0.34.0, this process was
faulty and a predictable value was used instead.

Impact
======

If no private key is specified a predictable key is used allowing
private key recover.

References
==========

https://matrix.org/blog/2019/01/15/further-details-on-critical-security-update-in-synapse-affecting-all-versions-prior-to-0-34-1-cve-2019-5885/
https://security.archlinux.org/CVE-2019-5885


ASA-201901-13: powerdns-recursor: multiple issues

Arch Linux Security Advisory ASA-201901-13
==========================================

Severity: Medium
Date : 2019-01-24
CVE-ID : CVE-2019-3806 CVE-2019-3807
Package : powerdns-recursor
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-856

Summary
=======

The package powerdns-recursor before version 4.1.9-1 is vulnerable to
multiple issues including insufficient validation and access
restriction bypass.

Resolution
==========

Upgrade to 4.1.9-1.

# pacman -Syu "powerdns-recursor>=4.1.9-1"

The problems have been fixed upstream in version 4.1.9.

Workaround
==========

None.

Description
===========

- CVE-2019-3806 (access restriction bypass)

An issue has been found in PowerDNS Recursor before 4.1.9 where Lua
hooks are not properly applied to queries received over TCP in some
specific combination of settings, possibly bypassing security policies
enforced using Lua.

- CVE-2019-3807 (insufficient validation)

An issue has been found in PowerDNS Recursor before 4.1.9 where records
in the answer section of responses received from authoritative servers
with the AA flag not set were not properly validated, allowing an
attacker to bypass DNSSEC validation.

Impact
======

A remote attacker can bypass access restrictions by doing a TCP query
or bypass DNSSEC validation for records where the AA flag was not set.

References
==========

https://blog.powerdns.com/2019/01/21/powerdns-recursor-4-1-9-released/
https://security.archlinux.org/CVE-2019-3806
https://security.archlinux.org/CVE-2019-3807


ASA-201901-14: apache: multiple issues

Arch Linux Security Advisory ASA-201901-14
==========================================

Severity: High
Date : 2019-01-24
CVE-ID : CVE-2018-17189 CVE-2018-17199 CVE-2019-0190
Package : apache
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-857

Summary
=======

The package apache before version 2.4.38-1 is vulnerable to multiple
issues including denial of service and insufficient validation.

Resolution
==========

Upgrade to 2.4.38-1.

# pacman -Syu "apache>=2.4.38-1"

The problems have been fixed upstream in version 2.4.38.

Workaround
==========

- CVE-2018-17189

Disable the h2 protocol.

Description
===========

- CVE-2018-17189 (denial of service)

By sending request bodies in a slow loris way to plain resources, the
h2 stream of Apache HTTP Server before 2.4.38 for that request
unnecessarily occupied a server thread cleaning up that incoming data.
This affects only HTTP/2 connections. A possible mitigation is to not
enable the h2 protocol.

- CVE-2018-17199 (insufficient validation)

In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks
the session expiry time before decoding the session. This causes
session expiry time to be ignored for mod_session_cookie sessions since
the expiry time is loaded when the session is decoded.

- CVE-2019-0190 (denial of service)

A bug exists in the way mod_ssl handled client renegotiations. A remote
attacker could send a carefully crafted request that would cause
mod_ssl to enter a loop leading to a denial of service. This bug can be
only triggered with Apache HTTP Server version 2.4.37 when using
OpenSSL version 1.1.1 or later, due to an interaction in changes to
handling of renegotiation attempts.

Impact
======

An attacker is able to crash the Apache server by sending maliciously-
crafted h2 requests and SSL handshakes. In addition, an attacker is
able to reuse an expired session.

References
==========

https://httpd.apache.org/security/vulnerabilities_24.html#2.4.38
https://security.archlinux.org/CVE-2018-17189
https://security.archlinux.org/CVE-2018-17199
https://security.archlinux.org/CVE-2019-0190


ASA-201901-15: haproxy: denial of service

Arch Linux Security Advisory ASA-201901-15
==========================================

Severity: Medium
Date : 2019-01-24
CVE-ID : CVE-2018-20102 CVE-2018-20103
Package : haproxy
Type : denial of service
Remote : Yes
Link : https://security.archlinux.org/AVG-836

Summary
=======

The package haproxy before version 1.9.0-1 is vulnerable to denial of
service.

Resolution
==========

Upgrade to 1.9.0-1.

# pacman -Syu "haproxy>=1.9.0-1"

The problems have been fixed upstream in version 1.9.0.

Workaround
==========

None.

Description
===========

- CVE-2018-20102 (denial of service)

A stack-based out-of-bounds read has been found in HAProxy before
1.8.15, in the dns_validate_dns_response() function in dns.c, where it
can be triggered by a crafted DNS packet.

- CVE-2018-20103 (denial of service)

A stack-exhaustion issue has been found in HAProxy before 1.8.15, in
the dns_read_name() function in dns.c, where an infinite recursion can
be triggered via a crafted DNS packet.

Impact
======

A remote attacker is able to crash the server with a specially crafted
DNS packet.

References
==========

https://www.mail-archive.com/haproxy@formilux.org/msg32055.html
https://git.haproxy.org/?p=haproxy-1.8.git;a=commitdiff;h=2e53fe850be462dab2c1141f044a94d248d68bfe
https://git.haproxy.org/?p=haproxy-1.8.git;a=commitdiff;h=12e27845513f87fe2df88e5795d0273f0b992a91
https://git.haproxy.org/?p=haproxy-1.8.git;a=commitdiff;h=2b514b24f71af8ff8c6593636850b9a312a05278
https://security.archlinux.org/CVE-2018-20102
https://security.archlinux.org/CVE-2018-20103


ASA-201901-16: nasm: denial of service

Arch Linux Security Advisory ASA-201901-16
==========================================

Severity: Medium
Date : 2019-01-24
CVE-ID : CVE-2019-6290 CVE-2019-6291
Package : nasm
Type : denial of service
Remote : No
Link : https://security.archlinux.org/AVG-852

Summary
=======

The package nasm before version 2.14.02-1 is vulnerable to denial of
service.

Resolution
==========

Upgrade to 2.14.02-1.

# pacman -Syu "nasm>=2.14.02-1"

The problems have been fixed upstream in version 2.14.02.

Workaround
==========

None.

Description
===========

- CVE-2019-6290 (denial of service)

An infinite recursion issue was discovered in eval.c in Netwide
Assembler (NASM) through 2.14.02. There is a stack exhaustion problem
resulting from infinite recursion in the functions expr, rexp, bexpr
and cexpr in certain scenarios involving lots of '{' characters. Remote
attackers could leverage this vulnerability to cause a denial-of-
service via a crafted asm file.

- CVE-2019-6291 (denial of service)

An issue was discovered in the function expr6 in eval.c in Netwide
Assembler (NASM) through 2.14.02. There is a stack exhaustion problem
caused by the expr6 function making recursive calls to itself in
certain scenarios involving lots of '!' or '+' or '-' characters.
Remote attackers could leverage this vulnerability to cause a denial-
of-service via a crafted asm file.

Impact
======

A local attacker is able to cause a denial of service via a specially
crafted asm file.

References
==========

https://bugzilla.nasm.us/show_bug.cgi?id=3392548
https://bugzilla.nasm.us/show_bug.cgi?id=3392549
https://security.archlinux.org/CVE-2019-6290
https://security.archlinux.org/CVE-2019-6291