Vulnerability CVE-2019-17596: Information

Description

Go before 1.12.11 and 1.3.x before 1.13.2 can panic upon an attempt to process network traffic containing an invalid DSA public key. There are several attack scenarios, such as traffic from a client to a server that verifies client certificates.

Severity: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

URL: https://nvd.nist.gov/vuln/detail/CVE-2019-17596

Published: Oct. 25, 2019

Modified: Nov. 7, 2023

Error type identifier: CWE-436

Fixed packages

Package name	Branch	Fixed in version	Version from repository	Errata ID	Task #	State
golang	sisyphus	1.13.4-alt1	1.22.2-alt1	ALT-PU-2019-3098-1	240373	Fixed
golang	p10	1.13.4-alt1	1.21.9-alt1	ALT-PU-2019-3098-1	240373	Fixed
golang	p9	1.12.13-alt1	1.15.15-alt1	ALT-PU-2019-3110-1	240372	Fixed
golang	p8	1.12.13-alt1	1.12.17-alt1	ALT-PU-2019-3111-1	240374	Fixed
golang	c10f1	1.13.4-alt1	1.21.9-alt1	ALT-PU-2019-3098-1	240373	Fixed
golang	c9f2	1.12.13-alt1	1.20.11-alt1	ALT-PU-2019-3110-1	240372	Fixed

References to Advisories, Solutions, and Tools

Hyperlink	Resource
https://github.com/golang/go/issues/34960	Exploit Issue Tracking Patch Third Party Advisory
https://groups.google.com/d/msg/golang-announce/lVEm7llp0w0/VbafyRkgCgAJ	Release Notes Third Party Advisory
DSA-4551	Third Party Advisory
openSUSE-SU-2019:2521	Mailing List Third Party Advisory
openSUSE-SU-2019:2522	Mailing List Third Party Advisory
https://security.netapp.com/advisory/ntap-20191122-0005/	Third Party Advisory
RHSA-2020:0101	Third Party Advisory
RHSA-2020:0329	Third Party Advisory
[debian-lts-announce] 20210313 [SECURITY] [DLA 2592-1] golang-1.8 security update	Mailing List Third Party Advisory
[debian-lts-announce] 20210313 [SECURITY] [DLA 2591-1] golang-1.7 security update	Mailing List Third Party Advisory
https://www.arista.com/en/support/advisories-notices/security-advisories/10134-security-advisory-46	Third Party Advisory
FEDORA-2019-4593120208
FEDORA-2019-34e097c66c

Affected configurations:
1. Configuration 1
  cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
  Start including
  1.13
  End excliding
  1.13.2
  cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
  Start including
  1.12
  End excliding
  1.12.11
  
  Configuration 2
  cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
  cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
  
  Configuration 3
  cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
  cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
  
  Configuration 4
  cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
  cpe:2.3:a:redhat:developer_tools:1.0:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_server:8.1:*:*:*:*:*:*:*
  
  Configuration 5
  cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*
  cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
  
  Configuration 6
  cpe:2.3:o:arista:mos:*:*:*:*:*:*:*:*
  End including
  0.25
  cpe:2.3:o:arista:eos:*:*:*:*:*:*:*:*
  End including
  4.23.1f
  cpe:2.3:a:arista:cloudvision_portal:2019.1.2:*:*:*:*:*:*:*
  cpe:2.3:a:arista:cloudvision_portal:2019.1.1:*:*:*:*:*:*:*
  cpe:2.3:a:arista:cloudvision_portal:2019.1.0:*:*:*:*:*:*:*
  cpe:2.3:a:arista:cloudvision_portal:*:*:*:*:*:*:*:*
  Start including
  2018.1.0
  End including
  2018.2.3
  cpe:2.3:a:arista:terminattr:*:*:*:*:*:*:*:*
  End including
  1.7.2

Version: v24.5.0

Vulnerability CVE-2019-17596: Information

Description

Fixed packages

References to Advisories, Solutions, and Tools

Configuration 1

Configuration 2

Configuration 3

Configuration 4

Configuration 5

Configuration 6