First published: Fri Oct 18 2019(Updated: )
Go before 1.12.11 and 1.3.x before 1.13.2 can panic upon an attempt to process network traffic containing an invalid DSA public key. There are several attack scenarios, such as traffic from a client to a server that verifies client certificates.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Golang Go | >=1.12<1.12.11 | |
Golang Go | >=1.13<1.13.2 | |
Debian Debian Linux | =9.0 | |
Debian Debian Linux | =10.0 | |
Fedoraproject Fedora | =30 | |
Fedoraproject Fedora | =31 | |
Redhat Developer Tools | =1.0 | |
Redhat Enterprise Linux | =8.0 | |
Redhat Enterprise Linux Server | =8.1 | |
openSUSE Leap | =15.0 | |
openSUSE Leap | =15.1 | |
Arista CloudVision Portal | >=2018.1.0<=2018.2.3 | |
Arista CloudVision Portal | =2019.1.0 | |
Arista CloudVision Portal | =2019.1.1 | |
Arista CloudVision Portal | =2019.1.2 | |
Arista Terminattr | <=1.7.2 | |
Arista EOS | <=4.23.1f | |
Arista MOS | <=0.25 | |
redhat/go | <1.13.2 | 1.13.2 |
redhat/go | <1.12.11 | 1.12.11 |
debian/golang-1.11 | 1.11.6-1+deb10u4 1.11.6-1+deb10u7 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2019-17596 is a vulnerability in Go before 1.12.11 and 1.3.x before 1.13.2 that can cause a panic when processing network traffic with an invalid DSA public key.
The severity of CVE-2019-17596 is high with a severity value of 7.5.
Versions 1.11.6-1+deb10u4, 1.11.6-1+deb10u7, 1.13.2, and versions between 1.12 and 1.12.11 (inclusive) are affected.
CVE-2019-17596 can be exploited by sending network traffic with an invalid DSA public key, leading to a panic in the Go application.
More information about CVE-2019-17596 can be found at the following references: [1](http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00043.html), [2](http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00044.html), [3](https://access.redhat.com/errata/RHSA-2020:0101)