Bug 27792 - golang-googlecode-net new security issues CVE-2019-9512 and CVE-2019-9514
Summary: golang-googlecode-net new security issues CVE-2019-9512 and CVE-2019-9514
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-12-09 23:38 CET by David Walser
Modified: 2020-12-21 22:48 CET (History)

See Also:
Source RPM: golang-googlecode-net-0-0.2.mga7.src.rpm
CVE:
Status comment:



Description David Walser 2020-12-09 23:38:41 CET
Debian-LTS has issued an advisory today (December 9):
https://www.debian.org/lts/security/2020/dla-2485

Mageia 7 is also affected.
David Walser 2020-12-09 23:38:48 CET

Whiteboard: (none) => MGA7TOO

Comment 1 Lewis Smith 2020-12-10 19:46:23 CET
First things first:
golang-x-net is good for M8, -> Guillaume
golang-googlecode-net is M7 only, no evident maintainer (listed JoeQuant, do not think he is active now).
Start with Guillaume; if you want somebody else to do the 2nd one, please re-assign it.

Assignee: bugsquad => guillomovitch

Guillaume Rousse 2020-12-11 20:21:55 CET

Assignee: guillomovitch => bugsquad

Comment 2 David Walser 2020-12-11 20:37:53 CET
Originally imported by Pascal, rename to golang-x-net handled by Guillaume. Guillaume, can't you handle this one for Cauldron?

CC: (none) => guillomovitch, pterjan

Comment 3 Pascal Terjan 2020-12-11 20:48:11 CET
I failed to find out what is in the Debian update.

The only upstream reference to those CVEs is https://github.com/golang/net/commit/74dc4d7220e7acc4e100824340f3e66577424772 which was committed on Aug 13, 2019, so would not affect the version in Cauldron.
Comment 4 Pascal Terjan 2020-12-11 20:54:01 CET
golang-googlecode-net with the patch submitted to Mageia 7.
Pascal Terjan 2020-12-11 20:54:17 CET

Summary: golang-x-net / golang-googlecode-net new security issues CVE-2019-9512 and CVE-2019-9514 => golang-googlecode-net new security issues CVE-2019-9512 and CVE-2019-9514

Pascal Terjan 2020-12-11 20:54:29 CET

Whiteboard: MGA7TOO => (none)
Source RPM: golang-x-net-0-0.6.mga8.src.rpm, golang-googlecode-net-0-0.2.mga7.src.rpm => golang-googlecode-net-0-0.2.mga7.src.rpm
Version: Cauldron => 7

David Walser 2020-12-11 23:42:53 CET

CC: guillomovitch => (none)
Assignee: bugsquad => qa-bugs

Comment 5 David Walser 2020-12-12 17:21:34 CET
Advisory:
========================

Updated golang-googlecode-net package fixes security vulnerabilities:

This code was vulnerable to ping floods, potentially leading to a denial of
service. The attacker sends continual pings to an HTTP/2 peer, causing the peer
to build an internal queue of responses. Depending on how efficiently this data
is queued, this can consume excess CPU, memory, or both (CVE-2019-9512).

This code was vulnerable to a reset flood, potentially leading to a denial of
service. The attacker opens a number of streams and sends an invalid request
over each stream that should solicit a stream of RST_STREAM frames from the
peer. Depending on how the peer queues the RST_STREAM frames, this can consume
excess memory, CPU, or both (CVE-2019-9514).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9512
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9514
https://www.debian.org/lts/security/2020/dla-2485
========================

Updated packages in core/updates_testing:
========================
golang-golang-org-net-devel-0-0.3.mga7

from golang-golang-org-net-devel-0-0.3.mga7.src.rpm
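As an added example (not code from golang.org/x/net, from the Mageia package or from the patch in this bug), this Go model shows the mitigation the advisory text implies for both CVEs: bound the per-connection queue of outbound control frames (PING ACKs and RST_STREAMs) and close the connection when a peer outpaces the writer instead of buffering forever. The frame kinds, the names and the limit of 1000 are assumptions for the example.

```go
package main

import "errors"
// Inbound frame kinds. PING and a malformed stream request each solicit one
// outbound control frame (PING ACK, RST_STREAM); DATA solicits none.
type frameType string
const framePing, frameBadStream, frameData frameType = "PING", "BAD_STREAM", "DATA"
// Assumed bound on control frames waiting in one connection's send queue.
const maxQueuedControlFrames = 1000
var errEnhanceYourCalm = errors.New("too many queued control frames, closing connection")

// conn models the server side of one HTTP/2 connection.
type conn struct {
	queuedControl int  // replies queued but not yet written to the peer
	closed        bool // set once the bound is exceeded
}

// handleFrame is the read-side step. Without the bound, a peer sending pings or
// invalid requests faster than their replies drain makes queuedControl grow
// without limit (CVE-2019-9512 / CVE-2019-9514).
func (c *conn) handleFrame(t frameType) error {
	if t == framePing || t == frameBadStream {
		c.queuedControl++
	}
	// Once over the bound, drop the connection rather than buffer forever.
	c.closed = c.closed || c.queuedControl > maxQueuedControlFrames
	if c.closed {
		return errEnhanceYourCalm
	}
	return nil
}

// drain is the write-side step: up to n queued control frames were flushed.
func (c *conn) drain(n int) {
	if c.queuedControl -= n; c.queuedControl < 0 {
		c.queuedControl = 0
	}
}

// simulate feeds n frames of kind t into a fresh connection whose writer flushes
// drainPer control frames per inbound frame; it returns how many frames were
// accepted before the bound closed the connection (n, nil if it never closed).
func simulate(t frameType, n, drainPer int) (int, error) {
	c := &conn{}
	for i := 0; i < n; i++ {
		if err := c.handleFrame(t); err != nil {
			return i, err
		}
		c.drain(drainPer)
	}
	return n, nil
}
```

With a writer that never drains, a ping or reset flood is cut off after maxQueuedControlFrames replies, while a peer whose replies are flushed as fast as they arrive, or one sending only DATA, is never affected.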
Comment 6 Len Lawrence 2020-12-18 17:55:27 CET
mga7, x64

Found version 0.2 already installed.
/usr/share/doc/golang-golang-org-net-devel/README.md gives no details of how it works or is to be used other than its supplying networking to golang. As a devel package it is probably intended to form part of the programming environment so would be virtually impossible for QA to test. Any go coders out there?

Passing this on the basis of a clean install.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => tarazed25

Comment 7 Aurelien Oudelet 2020-12-19 16:46:27 CET
As far as I understand, package golang-googlecode-net-0-0.2.mga7.src.rpm is replaced by golang-golang-org-net-devel-0-0.3.mga7.src.rpm

Is this correct?

CC: (none) => ouaurelien

Comment 8 David Walser 2020-12-19 17:04:44 CET
No, the srpm name hasn't changed, it was incorrect in his advisory.
Comment 9 Aurelien Oudelet 2020-12-19 17:08:13 CET
So new should be golang-googlecode-net-0-0.3.mga7.src.rpm ?

Because I do see:
http://ftp.free.fr/mirrors/mageia.org/distrib/7.1/x86_64/media/core/updates_testing/golang-golang-org-net-devel-0-0.3.mga7.x86_64.rpm
Comment 10 David Walser 2020-12-19 17:12:19 CET
Yes. Replace x86_64/media in your URL with SRPMS.
Comment 11 Aurelien Oudelet 2020-12-19 17:15:22 CET
And I say I'm sorry.
Comment 12 David Walser 2020-12-19 17:19:21 CET
No worries.
Comment 13 Aurelien Oudelet 2020-12-20 16:40:51 CET
Advisory:
========================

Updated golang-googlecode-net package fixes security vulnerabilities:

This code was vulnerable to ping floods, potentially leading to a denial of
service. The attacker sends continual pings to an HTTP/2 peer, causing the peer
to build an internal queue of responses. Depending on how efficiently this data
is queued, this can consume excess CPU, memory, or both (CVE-2019-9512).

This code was vulnerable to a reset flood, potentially leading to a denial of
service. The attacker opens a number of streams and sends an invalid request
over each stream that should solicit a stream of RST_STREAM frames from the
peer. Depending on how the peer queues the RST_STREAM frames, this can consume
excess memory, CPU, or both (CVE-2019-9514).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9512
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9514
https://www.debian.org/lts/security/2020/dla-2485
========================

Updated packages in core/updates_testing:
========================
golang-golang-org-net-devel-0-0.3.mga7

from golang-googlecode-net-0-0.3.mga7.src.rpm

Pushed to SVN.
Validating.

Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 14 Mageia Robot 2020-12-21 22:48:20 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0468.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

