Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2021.0891
golang security update
15 March 2021
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: golang
Publisher: Debian
Operating System: Debian GNU/Linux
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Overwrite Arbitrary Files -- Remote/Unauthenticated
Denial of Service -- Remote/Unauthenticated
Provide Misleading Information -- Remote with User Interaction
Reduced Security -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2021-3114 CVE-2019-17596 CVE-2019-16276
CVE-2019-9741 CVE-2018-16874 CVE-2018-16873
CVE-2017-15041
Reference: ESB-2021.0432
ESB-2021.0310
ESB-2021.0309
ESB-2020.0149
Original Bulletin:
https://www.debian.org/lts/security/2021/dla-2591
https://www.debian.org/lts/security/2021/dla-2592
Comment: This bulletin contains two (2) Debian security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
- - -------------------------------------------------------------------------
Debian LTS Advisory DLA-2591-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Sylvain Beucler
March 13, 2021 https://wiki.debian.org/LTS
- - -------------------------------------------------------------------------
Package : golang-1.7
Version : 1.7.4-2+deb9u3
CVE ID : CVE-2017-15041 CVE-2018-16873 CVE-2018-16874 CVE-2019-9741
CVE-2019-16276 CVE-2019-17596 CVE-2021-3114
Debian Bug : 924630 941173 942628 942629
Several vulnerabilities were discovered in the Go programming
language. An attacker could trigger a denial-of-service (DoS), bypasss
access control, and execute arbitrary code on the developer's
computer.
CVE-2017-15041
Go allows "go get" remote command execution. Using custom
domains, it is possible to arrange things so that
example.com/pkg1 points to a Subversion repository but
example.com/pkg1/pkg2 points to a Git repository. If the
Subversion repository includes a Git checkout in its pkg2
directory and some other work is done to ensure the proper
ordering of operations, "go get" can be tricked into reusing this
Git checkout for the fetch of code from pkg2. If the Subversion
repository's Git checkout has malicious commands in .git/hooks/,
they will execute on the system running "go get."
CVE-2018-16873
The "go get" command is vulnerable to remote code execution when
executed with the -u flag and the import path of a malicious Go
package, as it may treat the parent directory as a Git repository
root, containing malicious configuration.
CVE-2018-16874
The "go get" command is vulnerable to directory traversal when
executed with the import path of a malicious Go package which
contains curly braces (both '{' and '}' characters). The attacker
can cause an arbitrary filesystem write, which can lead to code
execution.
CVE-2019-9741
In net/http, CRLF injection is possible if the attacker controls a
url parameter, as demonstrated by the second argument to
http.NewRequest with \r\n followed by an HTTP header or a Redis
command.
CVE-2019-16276
Go allows HTTP Request Smuggling.
CVE-2019-17596
Go can panic upon an attempt to process network traffic containing
an invalid DSA public key. There are several attack scenarios,
such as traffic from a client to a server that verifies client
certificates.
CVE-2021-3114
crypto/elliptic/p224.go can generate incorrect outputs, related to
an underflow of the lowest limb during the final complete
reduction in the P-224 field.
For Debian 9 stretch, these problems have been fixed in version
1.7.4-2+deb9u3.
We recommend that you upgrade your golang-1.7 packages.
For the detailed security status of golang-1.7 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/golang-1.7
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEE1vEOfV7HXWKqBieIDTl9HeUlXjAFAmBNBSwACgkQDTl9HeUl
XjB6vA/+IQos9Ku2pFtkP9ByBFT1DCcxrPial9ltP2LrPN5cCMbyYjP+zN9p+o+7
V5dqxWTUfIfRT/ExiV7GVfbhGMJOw/Bt0gIK0RGCNp7ywuUtMFGWwO2v9hhERfI2
avwhG7rFZs7QXMnWLQuZq0f6wC4HB9/8uo/xMu1JWKCZGssD45WlZiX+nG/U+78q
0HUUuGls7fRjmtP0Xb2qvf/HAner3RpLquERJSHE+NYRODk74YQXb7Y+zUXbGmB5
4pDH2VkjGbUJQRopWJag7tWOWl3ASmHcslwHNQHfrg4z3btGQMEB6anbn1dRhRS3
kq6nIMMIfTrLoro5Rln4XVJatEmqt03nR/HXdfyLLQQV1xK2/9DE8mLk4gNMB9SO
oFfOlIrfY5XZQWEUCjpuxgtX8V+T0ue9yLeTjYTriVDX5CrQzaN/y0vpo1R2bbSX
/0lSgeX/XtzWNF47Pq5+OreoWHBDydgcmv3bDSL9JWh931M0ymCDSQKnEnYnCKYh
JeZkNlQdjlBx+9Y2ejq+qicrGtWUpTYdzZ21DSUzyx9PLbZVM5H4p6r3YNVFJted
lah/djKVZ2B6DgOJsdZF+Pg6DZX84eHXpRrDraOayBKz3o+hocNWej6lMpeJ0Gfa
fxAUelITIpFklu98hMV05OBSNzHCyTXErIhshSqQmyTB5OF4hRU=
=LqTv
- -----END PGP SIGNATURE-----
- --------------------------------------------------------------------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
- - -------------------------------------------------------------------------
Debian LTS Advisory DLA-2592-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Sylvain Beucler
March 13, 2021 https://wiki.debian.org/LTS
- - -------------------------------------------------------------------------
Package : golang-1.8
Version : 1.8.1-1+deb9u3
CVE ID : CVE-2017-15041 CVE-2018-16873 CVE-2018-16874 CVE-2019-9741
CVE-2019-16276 CVE-2019-17596 CVE-2021-3114
Debian Bug : 924630 941173 942628 942629
Several vulnerabilities were discovered in the Go programming
language. An attacker could trigger a denial-of-service (DoS), bypasss
access control, and execute arbitrary code on the developer's
computer.
CVE-2017-15041
Go allows "go get" remote command execution. Using custom
domains, it is possible to arrange things so that
example.com/pkg1 points to a Subversion repository but
example.com/pkg1/pkg2 points to a Git repository. If the
Subversion repository includes a Git checkout in its pkg2
directory and some other work is done to ensure the proper
ordering of operations, "go get" can be tricked into reusing this
Git checkout for the fetch of code from pkg2. If the Subversion
repository's Git checkout has malicious commands in .git/hooks/,
they will execute on the system running "go get."
CVE-2018-16873
The "go get" command is vulnerable to remote code execution when
executed with the -u flag and the import path of a malicious Go
package, as it may treat the parent directory as a Git repository
root, containing malicious configuration.
CVE-2018-16874
The "go get" command is vulnerable to directory traversal when
executed with the import path of a malicious Go package which
contains curly braces (both '{' and '}' characters). The attacker
can cause an arbitrary filesystem write, which can lead to code
execution.
CVE-2019-9741
In net/http, CRLF injection is possible if the attacker controls a
url parameter, as demonstrated by the second argument to
http.NewRequest with \r\n followed by an HTTP header or a Redis
command.
CVE-2019-16276
Go allows HTTP Request Smuggling.
CVE-2019-17596
Go can panic upon an attempt to process network traffic containing
an invalid DSA public key. There are several attack scenarios,
such as traffic from a client to a server that verifies client
certificates.
CVE-2021-3114
crypto/elliptic/p224.go can generate incorrect outputs, related to
an underflow of the lowest limb during the final complete
reduction in the P-224 field.
For Debian 9 stretch, these problems have been fixed in version
1.8.1-1+deb9u3.
We recommend that you upgrade your golang-1.8 packages.
For the detailed security status of golang-1.8 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/golang-1.8
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEE1vEOfV7HXWKqBieIDTl9HeUlXjAFAmBNBUcACgkQDTl9HeUl
XjBRQhAApf+ZfnX0v9ThJizmdMPV11IhjIjmMsvQOzjBYjSh//v0a2v9ANPKxXMI
ZP4sIOWcWLV465y/p98LNZZt5tE4dCAUuTnwNeP+IZvYnB39Sca/7j2kQoaRvS4a
DKUS/nGE5N12QfWsGCnd7U1oq/pZvT+gZowmCulGsVgbA4Ih4PLvCpJnqFwSJ704
s0fFwnH0Wtib1eVcYhFiyjmM5affPSP0cSAnqCrRZwOL+b0LKqq0gRrENPbg2rr6
losuZDwmGoU8rdytXUxV/U3bEPkNmhZlS3VFiA7/atMQr5H+RPvlHY1H4aDFew8B
kobKoSO0PKZyKYuWqcSifTg8GcDaZM+rjutmBVGvlj7vRh9ufiQEVWvym78ErOw9
WQd91elb1v3xbMM1zi9obOj8zSUJLEiv4Ad2hpwULYouaxXbqjKB/LwUZ6A5/Wkv
Ngc/2AdMLbvCgW9jCCUVVPYvZ+R1CXoOhUANwTCQf2VZivM4UOeeiuZ/iH1rn2GQ
A3fN3E8cZ51+C6L/kuUSLdRDYc8JOjY54UkjcRZAECyTQWCpdgk1kwKxzzv03xdH
nJTguvn35/hl3yOHiFWNRLGhzRipD1BfHw30VbLjefCQcJqioZJaKXFNyhap2hYe
7ucDG+yXkQWoux3LJAowANM+p5RY005Yg9zlb5b29t5lrIPyElk=
=/Hlz
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYE67j+NLKJtyKPYoAQhtRQ//TnEyfwmUT9PVYLQftrscyXNtuuGcP5Pz
3c3fXTKB6Z2GKYK93AsLJCJ4xsqxARfI5rw7ldk5SxBN3Id3GB3xtc9w4a0Mv75l
hUEEsoQ3TdMV0VB0OKjlgsw3xlnSQ6r7G8pJ0j6sVPAaYXoFZZKaliS361mMYH0v
KJFophJZkNcpW0GBlnKmdBoSzSdC3GZy6nZpky46rRVhTmtCeO369lhlpXG3w3RQ
mflt9/BVhR2jtW6xfmiqzqu36McBr/bC8DcG7MQfn4jQzRGXONjAE+9wsMS7nKzl
6+JIDMQ/wZ5fapTlWUojr33TNCynBayjPJLoMp720SikBqV2mG+JB4A3PFZg4jj+
2ZymAmWJVhuYu9xT1Q3o/kIrhmzd5Lj4oFKrE+ETQ/iaVJSv8OJNTcxpxBg/AmEE
vhYPps+6ZP5f2vQIrnYp9hAY3jP5V3dM6gcekUG7CnpfTfhoDVe8oLCH0+BYJ7E4
LRvEkvalQh9VnlC6LGCRo30WHNHjhRHpoCiLE1+juGCFf0k+DWko2kEYejY93Yz+
vlW78g30SL2dw2lzG5K7bhrbVlEvkk3x8c3g3/P6OmFQLDB9xP3x3qlH0mf6rwwt
Tz87005SOQY9UqavV6JpapTcXKi8F+N0wJbgRNu/ue+ubVoWykcS3kNgkqMwdelS
fv2GRZlfZ/M=
=OuAc
-----END PGP SIGNATURE-----