-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.3502
         [SECURITY] [DLA 1920-1] golang-go.crypto security update
                             16 September 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           golang-go.crypto
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Provide Misleading Information -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-11841  

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2019/09/msg00011.html

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running golang-go.crypto check for an updated version of the 
         software for their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package        : golang-go.crypto
Version        : 0.0~hg190-1+deb8u2
CVE ID         : CVE-2019-11841

This package ignored the value of the Hash header, which allows an
attacker to spoof it. An attacker can not only embed arbitrary Armor
Headers, but also prepend arbitrary text to cleartext messages
without invalidating the signatures.

For Debian 8 "Jessie", this problem has been fixed in version
0.0~hg190-1+deb8u2.

We recommend that you upgrade your golang-go.crypto packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----

- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------
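
The included advisory says the Hash header was ignored and arbitrary Armor Headers were accepted. The Go sketch below is an added example, not code from Debian or from the golang-go.crypto package: it shows a strict header check that accepts only "Hash" headers with RFC 4880 digest names. DeclaredHashes, knownHashes and both sample messages are hypothetical names and constructed inputs.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"strings"
)

// Digest names RFC 4880 defines for the "Hash" Armor Header.
var knownHashes = map[string]bool{"MD5": true, "SHA1": true, "RIPEMD160": true,
	"SHA224": true, "SHA256": true, "SHA384": true, "SHA512": true}

// Constructed samples: a clean header block, and one with an extra header
// line that a reader could mistake for part of the signed text.
const sampleOK = "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\nsigned body\n"
const sampleBad = "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\nNote: unsigned line\n\nsigned body\n"

// DeclaredHashes strictly parses the header block of a cleartext-signed
// message and returns the declared digest names. The caller must still
// compare them with the algorithm recorded in the signature itself.
func DeclaredHashes(msg string) ([]string, error) {
	sc := bufio.NewScanner(strings.NewReader(msg))
	if !sc.Scan() || sc.Text() != "-----BEGIN PGP SIGNED MESSAGE-----" {
		return nil, errors.New("missing or decorated BEGIN line")
	}
	var hashes []string
	for sc.Scan() {
		line := sc.Text()
		if line == "" { // only a truly empty line ends the header block
			return hashes, nil
		}
		if !strings.HasPrefix(line, "Hash: ") {
			return nil, fmt.Errorf("unexpected armor header %q", line)
		}
		for _, h := range strings.Split(strings.TrimPrefix(line, "Hash: "), ",") {
			if h = strings.Trim(h, " "); !knownHashes[h] {
				return nil, fmt.Errorf("unknown hash %q", h)
			}
			hashes = append(hashes, h)
		}
	}
	return nil, errors.New("header block not terminated by an empty line")
}

func main() {
	fmt.Println(DeclaredHashes(sampleOK))
	fmt.Println(DeclaredHashes(sampleBad))
}
```

A whitespace-only line is rejected rather than treated as the end of the headers, so nothing that merely looks like a separator can move the start of the signed text.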

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----