golang-1.13: CVE-2019-14809

Related Vulnerabilities: CVE-2019-14809   CVE-2019-9512   CVE-2019-9514  

Debian Bug report logs - #934954


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 17 Aug 2019 08:54:00 UTC

Severity: grave

Tags: security, upstream

Found in version golang-1.13/1.13~beta1-2

Fixed in version golang-1.13/1.13~beta1-3

Done: toddy@debian.org (Dr. Tobias Quathamer)

Forwarded to https://github.com/golang/go/issues/29098



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Go Compiler Team <team+go-compiler@tracker.debian.org>:
Bug#934954; Package src:golang-1.13. (Sat, 17 Aug 2019 08:54:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Go Compiler Team <team+go-compiler@tracker.debian.org>. (Sat, 17 Aug 2019 08:54:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: golang-1.13: CVE-2019-14809
Date: Sat, 17 Aug 2019 10:51:27 +0200
Source: golang-1.13
Version: 1.13~beta1-2
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://github.com/golang/go/issues/29098

Hi,

The following vulnerability was published for golang-1.13. The
CVE-2019-14809 seems to be still unpatched in golang-1.13
1.13~beta1-2 as well.

CVE-2019-14809[0]:
| net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles
| malformed hosts in URLs, leading to an authorization bypass in some
| applications. This is related to a Host field with a suffix appearing
| in neither Hostname() nor Port(), and is related to a non-numeric port
| number. For example, an attacker can compose a crafted javascript://
| URL that results in a hostname of google.com.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-14809
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14809
[1] https://github.com/golang/go/issues/29098
[2] https://github.com/golang/go/commit/61bb56ad63992a3199acc55b2537c8355ef887b6

Regards,
Salvatore
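To make the quoted CVE description concrete, here is an added example by the editor; it is not code from the bug report, from Debian or from the Go project. It re-applies, on the caller's side, the invariant the CVE text describes being violated: every byte of `URL.Host` must be accounted for by `Hostname()` and `Port()`, and `Port()` must be empty or purely numeric. Only after that does it match scheme and hostname against an allowlist, which is the authorization decision such applications were getting wrong. On a fixed Go toolchain `url.Parse` already rejects the `javascript://google.com:a` shape, so the consistency check is defence in depth for code that cannot assume the toolchain version. The allowlists, `CheckURL`, `hostIsConsistent` and the sample URLs are constructed for this illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Constructed allowlists for this example; a real application would load
// them from configuration. Matching is on the exact, lower-cased hostname.
var allowedSchemes = map[string]bool{"http": true, "https": true}
var allowedHosts = map[string]bool{"google.com": true, "www.google.com": true}

// hostIsConsistent checks that u.Host decomposes exactly into Hostname()
// and Port(), and that Port() is empty or all decimal digits. Inputs that
// leave trailing bytes in Host (the CVE-2019-14809 pattern: a non-numeric
// "port" suffix) or that url.Parse accepted with a dangling colon are
// rejected rather than silently truncated to a plausible-looking hostname.
func hostIsConsistent(u *url.URL) error {
	h, p := u.Hostname(), u.Port()
	if h == "" {
		return errors.New("empty hostname")
	}
	for _, c := range p {
		if c < '0' || c > '9' {
			return fmt.Errorf("non-numeric port %q", p)
		}
	}
	want := h
	if strings.Contains(h, ":") { // IPv6 literal: Hostname() strips the brackets
		want = "[" + h + "]"
	}
	if p != "" {
		want += ":" + p
	}
	if u.Host != want {
		return fmt.Errorf("host %q has bytes outside hostname/port (expected %q)", u.Host, want)
	}
	return nil
}

// CheckURL parses raw and authorises it: anything url.Parse rejects is an
// error, then the scheme allowlist, then the Host consistency check, and
// only then the hostname allowlist. Ordering matters: authorising on
// Hostname() before confirming it really is the whole host is the bug.
func CheckURL(raw string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if !allowedSchemes[strings.ToLower(u.Scheme)] {
		return nil, fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	if err := hostIsConsistent(u); err != nil {
		return nil, err
	}
	if !allowedHosts[strings.ToLower(u.Hostname())] {
		return nil, fmt.Errorf("host %q not allowed", u.Hostname())
	}
	return u, nil
}

func main() {
	// Constructed sample inputs: one benign URL, the CVE shape with a
	// non-numeric port, a dangling colon url.Parse accepts, an unlisted
	// host, and an IPv6 literal (consistent, but not on the allowlist).
	for _, raw := range []string{
		"https://www.google.com:443/search?q=go",
		"javascript://google.com:a",
		"https://google.com:",
		"https://evil.example/",
		"http://[::1]:8080/",
	} {
		if _, err := CheckURL(raw); err != nil {
			fmt.Printf("REJECT %-42s %v\n", raw, err)
		} else {
			fmt.Printf("ACCEPT %s\n", raw)
		}
	}
}
```

The point of `hostIsConsistent` is that an allowlist keyed on `Hostname()` is only as trustworthy as the parser's guarantee that `Hostname()` is the whole host; rebuilding `Host` from its parts and comparing turns that guarantee into an explicit check the application owns.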



Reply sent to toddy@debian.org (Dr. Tobias Quathamer):
You have taken responsibility. (Sat, 17 Aug 2019 22:24:09 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 17 Aug 2019 22:24:09 GMT)


Message #10 received at 934954-close@bugs.debian.org:

From: toddy@debian.org (Dr. Tobias Quathamer)
To: 934954-close@bugs.debian.org
Subject: Bug#934954: fixed in golang-1.13 1.13~beta1-3
Date: Sat, 17 Aug 2019 22:20:35 +0000
Source: golang-1.13
Source-Version: 1.13~beta1-3

We believe that the bug you reported is fixed in the latest version of
golang-1.13, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 934954@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dr. Tobias Quathamer <toddy@debian.org> (supplier of updated golang-1.13 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 17 Aug 2019 23:47:53 +0200
Source: golang-1.13
Architecture: source
Version: 1.13~beta1-3
Distribution: unstable
Urgency: high
Maintainer: Go Compiler Team <team+go-compiler@tracker.debian.org>
Changed-By: Dr. Tobias Quathamer <toddy@debian.org>
Closes: 934954 934955
Changes:
 golang-1.13 (1.13~beta1-3) unstable; urgency=high
 .
   * Fix Denial of Service vulnerabilities in the HTTP/2 implementation.
     https://github.com/golang/go/issues/33631
     CVE-2019-9512, CVE-2019-9514. Closes: #934955
   * Fix multiple Parsing Issues in URL.Parse
     https://github.com/golang/go/issues/29098
     CVE-2019-14809. Closes: #934954
Checksums-Sha1:
 0e20a768a02e98e2ef4acebc62820058f50ccb3b 2617 golang-1.13_1.13~beta1-3.dsc
 e754bab4ffea5b4a4f569c0c8fb488f0f4e0cfcd 38016 golang-1.13_1.13~beta1-3.debian.tar.xz
 9b9d5b71fc9104d47d6c88e3adb53138c95e747f 6605 golang-1.13_1.13~beta1-3_amd64.buildinfo
Checksums-Sha256:
 240d64c95ad844c2e913044ff439692ec5d724ca4eb9d611dc9d687c323d2a09 2617 golang-1.13_1.13~beta1-3.dsc
 a6ee20476b9c677bd7a62713f9000b199678b06d79c459f2634025e341c905ee 38016 golang-1.13_1.13~beta1-3.debian.tar.xz
 51594cf922de611050ae4852ec8037ed32ffe0634a038c11836102f010db31e8 6605 golang-1.13_1.13~beta1-3_amd64.buildinfo
Files:
 5598cb921f1008531c9458c214f51094 2617 devel optional golang-1.13_1.13~beta1-3.dsc
 0d4fb3e1d9b620ca58a9a705b957c434 38016 devel optional golang-1.13_1.13~beta1-3.debian.tar.xz
 05f4ca6729d62bf06c12ed6fefe6b010 6605 devel optional golang-1.13_1.13~beta1-3_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEE0cuPObxd7STF0seMEwLx8Dbr6xkFAl1YeDUACgkQEwLx8Dbr
6xkrTw/+NNqia44tqDL1eXimqSGRyTxIVDMwQvrm9a6W0lJRjkT3w3rBRv6EbsLq
Gssc/MJkFWw42xIJIAlPPzZVgpFvtrttsegq+D7zMRE0zlxUYUnYSns0dZ43bqLW
vMZXcePkPCUd5n29jHvHOkb4p93FzBYr5uE8ITnJagFPmAaCSaFXaYfYybP6wHGe
wa9AixMmoIUUPVg/UuBmVBfy0JW/cSkzbdw9eoZAYxZB5zYuvg+nyIm8rEEjLa4r
wmv5j4iNQG4nmS/7OK9CqsJ233tv1KghUte3NR3zMBh8n2j4sWN/26yrlgCZnrF2
7QTuNymmgZopA4XoW2GgVnfYr50YQtU3VzUELeYGd5JGyePDYmxOIIkbiiGImY7O
PtKKVa/o+TnPey6jlvywQbgTnlfCOIfJwGwApUenwhOv2XTluxN9TFtfmil5PcKP
pjidj0qnJbFzfrWowFcqqb1uoAojXmJ5ljBHDsxC0k84ded5DhOPhckWkhRawJqd
XZ5MizUOQEjxTYHeFIM2QNQMmROB8gbnzrjW7SXnwZSE5doJln5WBku1I78bKMYk
GtuplnsrIv49sPOIE6JztsWw75/x8rYFk3WwfmjJ9FcGlwx733POuqC+jtOtW2ty
odo9uQAe7JI43WB+4/TH0rOmAR5f5BToWiVztZ0J+F33c9MmBxk=
=IK0n
-----END PGP SIGNATURE-----






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Aug 18 09:35:16 2019; Machine Name: beach
