Operating System:

[Debian]

Published:

08 October 2020

Protect yourself against future threats.

//Service

Phishing Take-Down

Drawing on our strong international CERT relationships we have a high success rate in delivering phishing take-downs.

Read more
Resources > Security Bulletins > ESB-2020.3473 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3473
                     golang-go.crypto security update
                              8 October 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           golang-go.crypto
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Denial of Service              -- Remote/Unauthenticated
                   Provide Misleading Information -- Remote/Unauthenticated
                   Access Confidential Data       -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-9283 CVE-2019-11841 CVE-2019-11840

Reference:         ESB-2020.3257
                   ESB-2020.2792

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2020/10/msg00014.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- - -------------------------------------------------------------------------
Debian LTS Advisory DLA-2402-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                            Brian May
October 08, 2020                              https://wiki.debian.org/LTS
- - -------------------------------------------------------------------------

Package        : golang-go.crypto
Version        : 1:0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782-1+deb8u1
CVE ID         : CVE-2019-11840 CVE-2019-11841 CVE-2020-9283

CVE-2019-11840

    An issue was discovered in supplementary Go cryptography libraries, aka
    golang-googlecode-go-crypto. If more than 256 GiB of keystream is
    generated, or if the counter otherwise grows greater than 32 bits, the amd64
    implementation will first generate incorrect output, and then cycle back to
    previously generated keystream. Repeated keystream bytes can lead to loss of
    confidentiality in encryption applications, or to predictability in CSPRNG
    applications.

CVE-2019-11841

    A message-forgery issue was discovered in
    crypto/openpgp/clearsign/clearsign.go in supplementary Go cryptography
    libraries. The "Hash" Armor Header specifies the message digest
    algorithm(s) used for the signature. Since the library skips Armor Header
    parsing in general, an attacker can not only embed arbitrary Armor Headers,
    but also prepend arbitrary text to cleartext messages without invalidating
    the signatures.

CVE-2020-9283

    golang.org/x/crypto allows a panic during signature verification in the
    golang.org/x/crypto/ssh package. A client can attack an SSH server that accepts
    public keys. Also, a server can attack any SSH client.

For Debian 9 stretch, these problems have been fixed in version
1:0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782-1+deb8u1.

We recommend that you upgrade your golang-go.crypto packages.

For the detailed security status of golang-go.crypto please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/golang-go.crypto

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEKpwfR8DOwu5vyB4TKpJZkldkSvoFAl9+OCsACgkQKpJZkldk
SvpsyQ/6AjE2foemSU+ybWNpRIPdz8/10n1xYAq22/aInfR/CwlfrhU1+3939jAi
d/9nFDl69XHgETnnT0nd6RNXHN279Ecwev31816O9ndVu6POtrbm5Pnwoay7EWou
vcqiY3zxrkjrlO95lVzUA+va0hTx3RP76AzPKsF16frH9HkAQB+tdJRurj8VWJuy
79P+/fLJdrFr50yjQS4CIgh63YWLIi+YNkCxphavZsnrqLBgv8eWCR9tD7zdcQq/
IdrwB0PSdpiqVtwtka/xLvyQC11UmLDH+TDDxXRXnLzIxNEzUPeuc8JSMFo44315
XY/9xjsLgf+WmJ19HrjoBavqN1xhFiLRAzvqMQA3OR+IbDuQacBylrn4XbVWwPzh
1vSi0F2EIvV0901W9Tk0d0L0cn3O+QLh54V6Z2ZWYBgdRO9SY787VULXnR9Dw1ib
z0Th3b1HG3n7GfhV/MF9pbinNeqSxiqZqG15FA3PVVlNs3stXw52NkBMehf1RN9J
r5rL5fJvHuHQVuXJIDjq4HE7x2hcCQVTRdfiMriW/4wynwts3+b8S6AxjW+/5pBy
WZi05GjgZsay+mi9uayDfVylruTDWvyg3bJ6YgqrtY7MEi2xkaERi/xM/OnVl7qy
sYVNGfgMkRLOon/5VZ6kqKnOUU12m/gmQprw0Lo+UHLhz9VbO9g=
=epyk
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBX35ZPONLKJtyKPYoAQjVZBAAkmw2fwOb8PM5q30LVzg91TsbQBArCsdq
valc7CwA4LpTrzykwBVKD7ZkCPKtIqyvk1pDJRLkw1qW+SQSQnycArfUBX0d8Rz2
Jab4ba3+QE+X6L8qZwmDTpqa5tx0ZETh5IyT2hPAStKh0tqg1HPWypjCdWAKjx4L
SLStDA0lb4TWGMhkmo1kacw1Kh2TDVBpWbLQGhtU4JXxCW4K1yTSFEtRk+OUkfjI
tpXpQIkryn8qcZSylM2FL2f3mRAmxg/4mBsO6g6zjwaN+zSy4kU1uMl9jFal4Ecd
ymSYVQBigrixzgwl6xML2ggz+SerPEk6NMS5XLsDp5xKnl0wWk13v65e1iUtQkuB
GOT1vgQr0/xJMAFUzEGRneAbyR3hGUfmjbNO25590/P6sh8IS+D/M6ADbupNSqsC
LfAAU1v29yjhgJ8+WFwTNDpvNUPKgatm+rJqTnMb3IeOLMf8NVYg9MCeQzSGaW6T
LKEC6/Iz+FvooBGjildlyUKcj9B6gSEhJeosZXBSEHk35hdrtyhy/WXEgcsfV1Bs
0fo7ejnx5XuSc/YdV2yn0+O+4alyuvW9YmuLZqvdfhpIC+5r+tC5Kq7e+5aYwKzl
uworWyOy9xURS10Cca0J4Ggzy3xTLqeBvVEa9i6eygqVChmlU6dGBvjXlnK2WaoQ
qy4CHdZZK90=
=4JTG
-----END PGP SIGNATURE-----