CVE-2019-17596

NameCVE-2019-17596
DescriptionGo before 1.12.11 and 1.3.x before 1.13.2 can panic upon an attempt to process network traffic containing an invalid DSA public key. There are several attack scenarios, such as traffic from a client to a server that verifies client certificates.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-2591-1, DLA-2592-1, DSA-4551-1, ELA-379-1
Debian Bugs942628, 942629

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
golang (PTS)jessie, jessie (lts)2:1.3.3-1+deb8u5fixed
golang-1.11 (PTS)buster (security), buster, buster (lts)1.11.6-1+deb10u7fixed
golang-1.7 (PTS)stretch (security), stretch (lts), stretch1.7.4-2+deb9u5fixed
golang-1.8 (PTS)stretch (security), stretch (lts), stretch1.8.1-1+deb9u5fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
golangsourcewheezy(unfixed)end-of-life
golangsourcejessie2:1.3.3-1+deb8u3ELA-379-1
golangsource(unstable)(unfixed)
golang-1.11sourcebuster1.11.6-1+deb10u3DSA-4551-1
golang-1.11source(unstable)(unfixed)
golang-1.12source(unstable)1.12.12-1942629
golang-1.13source(unstable)1.13.3-1942628
golang-1.7sourcestretch1.7.4-2+deb9u3DLA-2591-1
golang-1.7source(unstable)(unfixed)
golang-1.8sourcestretch1.8.1-1+deb9u3DLA-2592-1
golang-1.8source(unstable)(unfixed)

Notes

[jessie] - golang <ignored> (Minor issue)
https://golang.org/issue/34960
https://github.com/golang/go/issues/34962 (1.13 backport)
https://github.com/golang/go/issues/34961 (1.12 backport)
https://groups.google.com/forum/#!msg/golang-announce/lVEm7llp0w0/VbafyRkgCgAJ
Search for package or bug name: Reporting problems