golang-1.13: CVE-2019-17596: invalid public key causes panic in dsa.Verify

Related Vulnerabilities: CVE-2019-17596  

Debian Bug report logs - #942628


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 19 Oct 2019 06:27:01 UTC

Severity: grave

Tags: security, upstream

Found in version golang-1.13/1.13.1-1

Fixed in version golang-1.13/1.13.3-1

Done: toddy@debian.org (Dr. Tobias Quathamer)

Forwarded to https://github.com/golang/go/issues/34962



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Go Compiler Team <team+go-compiler@tracker.debian.org>:
Bug#942628; Package src:golang-1.13. (Sat, 19 Oct 2019 06:27:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Go Compiler Team <team+go-compiler@tracker.debian.org>. (Sat, 19 Oct 2019 06:27:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: golang-1.13: CVE-2019-17596: invalid public key causes panic in dsa.Verify
Date: Sat, 19 Oct 2019 08:23:36 +0200
Source: golang-1.13
Version: 1.13.1-1
Severity: grave
Tags: security upstream
Control: clone -1 -2
Control: reassign -2 src:golang-1.12 1.12.10-1
Control: retitle -2 golang-1.13: CVE-2019-17596: invalid public key causes panic in dsa.Verify
Control: forwarded -1 https://github.com/golang/go/issues/34962
Control: forwarded -2 https://github.com/golang/go/issues/34961

Hi,

The following vulnerability was published for golang-1.13.

CVE-2019-17596[0]:
crypto/dsa: invalid public key causes panic in dsa.Verify

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-17596
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17596
[1] https://github.com/golang/go/issues/34962
[2] https://github.com/golang/go/issues/34961
[3] https://github.com/golang/go/issues/34960

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
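The bug above is a crash on a malformed key: dsa.Verify did its modular arithmetic on whatever P, Q, G and Y a peer supplied, so a public key with a zero modulus took the whole process down. The following Go program is an added example, not the upstream patch and not part of this bug report; checkPublicKey, safeVerify and signWithToyKey are names chosen here, and the checks are ordinary DSA domain-parameter sanity checks performed before the key reaches the standard library. The key in it is a constructed, deliberately tiny one so the round trip runs instantly.

```go
package main

import (
	"crypto/dsa"
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
)

var one = big.NewInt(1)
// checkPublicKey rejects structurally invalid DSA keys before any modular arithmetic runs on them (a zero P is what crashed dsa.Verify).
func checkPublicKey(pub *dsa.PublicKey) error {
	p, q, g, y := pub.P, pub.Q, pub.G, pub.Y
	if p == nil || q == nil || g == nil || y == nil || p.Cmp(one) <= 0 || q.Cmp(one) <= 0 ||
		new(big.Int).Mod(new(big.Int).Sub(p, one), q).Sign() != 0 {
		return errors.New("dsa: p and q must be > 1 with q dividing p-1")
	}
	for _, v := range []*big.Int{g, y} { // need 1 < v < p and v^q == 1 (mod p)
		if v.Cmp(one) <= 0 || v.Cmp(p) >= 0 || new(big.Int).Exp(v, q, p).Cmp(one) != 0 {
			return errors.New("dsa: g or y is not in the order-q subgroup")
		}
	}
	return nil
}

// safeVerify validates the key first, so a malformed key from a peer yields an error, not a crash.
func safeVerify(pub *dsa.PublicKey, hash []byte, r, s *big.Int) (bool, error) {
	if err := checkPublicKey(pub); err != nil {
		return false, err
	}
	return dsa.Verify(pub, hash, r, s), nil
}

// signWithToyKey signs a one-byte hash with a constructed, tiny key (p=263, q=131, g=4, x=5); crypto/dsa needs len(q) % 8 == 0.
func signWithToyKey(hash []byte) (*dsa.PublicKey, *big.Int, *big.Int, error) {
	priv := &dsa.PrivateKey{X: big.NewInt(5)}
	priv.P, priv.Q, priv.G = big.NewInt(263), big.NewInt(131), big.NewInt(4)
	priv.Y = new(big.Int).Exp(priv.G, priv.X, priv.P)
	r, s, err := dsa.Sign(rand.Reader, priv, hash)
	return &priv.PublicKey, r, s, err
}

func main() {
	hash := []byte{0x2a} // constructed one-byte "hash", matching the 8-bit q
	pub, r, s, _ := signWithToyKey(hash)
	fmt.Println(safeVerify(pub, hash, r, s))
	pub.P.SetInt64(0) // the shape of key that used to crash dsa.Verify
	fmt.Println(safeVerify(pub, hash, r, s))
}
```

A server that verifies client certificates would run this kind of check at parse time, on the peer's key, before any signature is verified with it.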



Bug 942628 cloned as bug 942629 Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Sat, 19 Oct 2019 06:27:04 GMT)


Set Bug forwarded-to-address to 'https://github.com/golang/go/issues/34962'. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Sat, 19 Oct 2019 06:27:07 GMT)


Reply sent to toddy@debian.org (Dr. Tobias Quathamer):
You have taken responsibility. (Sat, 19 Oct 2019 12:09:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 19 Oct 2019 12:09:03 GMT)


Message #14 received at 942628-close@bugs.debian.org:

From: toddy@debian.org (Dr. Tobias Quathamer)
To: 942628-close@bugs.debian.org
Subject: Bug#942628: fixed in golang-1.13 1.13.3-1
Date: Sat, 19 Oct 2019 12:04:43 +0000
Source: golang-1.13
Source-Version: 1.13.3-1

We believe that the bug you reported is fixed in the latest version of
golang-1.13, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 942628@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dr. Tobias Quathamer <toddy@debian.org> (supplier of updated golang-1.13 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sat, 19 Oct 2019 13:30:36 +0200
Source: golang-1.13
Architecture: source
Version: 1.13.3-1
Distribution: unstable
Urgency: medium
Maintainer: Go Compiler Team <team+go-compiler@tracker.debian.org>
Changed-By: Dr. Tobias Quathamer <toddy@debian.org>
Closes: 942628
Changes:
 golang-1.13 (1.13.3-1) unstable; urgency=medium
 .
   * New upstream version 1.13.3
     - Refresh patch
     - crypto/dsa: invalid public key causes panic in dsa.Verify.
       Fixes CVE-2019-17596. Closes: #942628
   * Update Standards-Version to 4.4.1, no changes needed







Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Oct 19 16:47:40 2019; Machine Name: buxtehude
