===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.3502
         [SECURITY] [DLA 1920-1] golang-go.crypto security update
                             16 September 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           golang-go.crypto
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Provide Misleading Information -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-11841

Original Bulletin:
   https://lists.debian.org/debian-lts-announce/2019/09/msg00011.html

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Debian. It is recommended that administrators
         running golang-go.crypto check for an updated version of the
         software for their operating system.

--------------------------BEGIN INCLUDED TEXT--------------------

Package        : golang-go.crypto
Version        : 0.0~hg190-1+deb8u2
CVE ID         : CVE-2019-11841

This package ignored the value of the Hash header, which allows an
attacker to spoof it. An attacker can not only embed arbitrary Armor
Headers, but also prepend arbitrary text to cleartext messages without
invalidating the signatures.

For Debian 8 "Jessie", this problem has been fixed in version
0.0~hg190-1+deb8u2.

We recommend that you upgrade your golang-go.crypto packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures.
AusCERT takes no responsibility for consequences which may arise from
following or acting on information or advice contained in this security
bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
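
As an added example (not code from golang-go.crypto, Debian or AusCERT), the Go function below performs the kind of check the Debian advisory above says was missing: it accepts only "Hash" armor headers ahead of the signed text and requires them to name the digest the signature actually uses. The function name and the sigHash parameter (the digest name the caller has already read from the signature packet) are assumptions; the layout rules are those of RFC 4880, section 7, and the sample messages are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// checkClearsignHeaders validates the armor-header block of an OpenPGP
// cleartext-signed message (RFC 4880, section 7). sigHash is the digest name
// from the signature packet, assumed to have been parsed by the caller.
func checkClearsignHeaders(msg, sigHash string) error {
	lines := strings.Split(strings.ReplaceAll(msg, "\r\n", "\n"), "\n")
	if lines[0] != "-----BEGIN PGP SIGNED MESSAGE-----" {
		return errors.New("missing cleartext header line")
	}
	declared := map[string]bool{}
	for _, line := range lines[1:] {
		if line == "" { // the one empty line; the signed text starts after it
			if len(declared) == 0 {
				declared["MD5"] = true // RFC 4880 default when no Hash header is given
			}
			if !declared[strings.ToUpper(sigHash)] {
				return fmt.Errorf("armor Hash header does not name signature digest %s", sigHash)
			}
			return nil
		}
		key, val, ok := strings.Cut(line, ": ")
		if !ok || key != "Hash" { // any other header or stray text is outside the signature
			return fmt.Errorf("unexpected line before signed text: %q", line)
		}
		for _, h := range strings.Split(val, ",") {
			declared[strings.ToUpper(strings.TrimSpace(h))] = true
		}
	}
	return errors.New("no empty line after armor headers")
}

func main() {
	const head = "-----BEGIN PGP SIGNED MESSAGE-----\n"
	// Constructed samples: only the top of each message matters to this check.
	for _, m := range []string{
		head + "Hash: SHA256\n\nsigned text\n",
		head + "Hash: SHA512\n\nsigned text\n",
		head + "Hash: SHA256\nComment: not covered by the signature\n\nsigned text\n",
	} {
		fmt.Println(checkClearsignHeaders(m, "SHA256"))
	}
}
```
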