CVE-2019-17596
First published: Fri Oct 18 2019(Updated: )
Go before 1.12.11 and 1.3.x before 1.13.2 can panic upon an attempt to process network traffic containing an invalid DSA public key. There are several attack scenarios, such as traffic from a client to a server that verifies client certificates.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Golang Go | >=1.12<1.12.11 | |
| Golang Go | >=1.13<1.13.2 | |
| Debian Debian Linux | =9.0 | |
| Debian Debian Linux | =10.0 | |
| Fedoraproject Fedora | =30 | |
| Fedoraproject Fedora | =31 | |
| Redhat Developer Tools | =1.0 | |
| Redhat Enterprise Linux | =8.0 | |
| Redhat Enterprise Linux Server | =8.1 | |
| openSUSE Leap | =15.0 | |
| openSUSE Leap | =15.1 | |
| Arista CloudVision Portal | >=2018.1.0<=2018.2.3 | |
| Arista CloudVision Portal | =2019.1.0 | |
| Arista CloudVision Portal | =2019.1.1 | |
| Arista CloudVision Portal | =2019.1.2 | |
| Arista Terminattr | <=1.7.2 | |
| Arista EOS | <=4.23.1f | |
| Arista MOS | <=0.25 | |
| redhat/go | <1.13.2 | 1.13.2 |
| redhat/go | <1.12.11 | 1.12.11 |
| debian/golang-1.11 | 1.11.6-1+deb10u4 1.11.6-1+deb10u7 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00043.html
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00044.html
- https://access.redhat.com/errata/RHSA-2020:0101
- https://access.redhat.com/errata/RHSA-2020:0329
- https://github.com/golang/go/issues/34960
- https://groups.google.com/d/msg/golang-announce/lVEm7llp0w0/VbafyRkgCgAJ
- https://lists.debian.org/debian-lts-announce/2021/03/msg00014.html
- https://lists.debian.org/debian-lts-announce/2021/03/msg00015.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5VS3HPSE25ZSGS4RSOTADC67YNOHIGVV/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WVOWGM7IQGRO7DS2MCUMYZRQ4TYOZNAS/
- https://security.netapp.com/advisory/ntap-20191122-0005/
- https://www.arista.com/en/support/advisories-notices/security-advisories/10134-security-advisory-46
- https://www.debian.org/security/2019/dsa-4551
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1763311
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1763312
- https://github.com/golang/go/commit/2017d88dbc096381d4f348d2fb08bfb3c2b7ed73
- https://github.com/golang/go/commit/4cabf6992e98f74a324e6f814a7cb35e41b05f25
- https://groups.google.com/forum/#!msg/golang-announce/lVEm7llp0w0/VbafyRkgCgAJ
- https://access.redhat.com/security/cve/cve-2019-17596
- https://bugzilla.redhat.com/show_bug.cgi?id=1763310
- https://golang.org/issue/34960
- https://github.com/golang/go/issues/34962
- https://github.com/golang/go/issues/34961
- https://security-tracker.debian.org/tracker/CVE-2019-17596
Frequently Asked Questions
What is CVE-2019-17596?
CVE-2019-17596 is a vulnerability in Go before 1.12.11 and 1.3.x before 1.13.2 that can cause a panic when processing network traffic with an invalid DSA public key.
What is the severity of CVE-2019-17596?
The severity of CVE-2019-17596 is high with a severity value of 7.5.
Which software versions are affected by CVE-2019-17596?
Versions 1.11.6-1+deb10u4, 1.11.6-1+deb10u7, 1.13.2, and versions between 1.12 and 1.12.11 (inclusive) are affected.
How can CVE-2019-17596 be exploited?
CVE-2019-17596 can be exploited by sending network traffic with an invalid DSA public key, leading to a panic in the Go application.
Where can I find more information about CVE-2019-17596?
More information about CVE-2019-17596 can be found at the following references: [1](http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00043.html), [2](http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00044.html), [3](https://access.redhat.com/errata/RHSA-2020:0101)
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/remedy
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/type
- agent/weakness
- collector/nvd-index
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2019-17596
- agent/software-canonical-lookup
- collector/security-tracker-debian
- vendor/golang
- canonical/golang go
- version/golang go/1.12
- version/golang go/1.13
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0
- version/debian debian linux/10.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/30
- version/fedoraproject fedora/31
- vendor/redhat
- canonical/redhat developer tools
- version/redhat developer tools/1.0
- canonical/redhat enterprise linux
- version/redhat enterprise linux/8.0
- canonical/redhat enterprise linux server
- version/redhat enterprise linux server/8.1
- vendor/opensuse
- canonical/opensuse leap
- version/opensuse leap/15.0
- version/opensuse leap/15.1
- vendor/arista
- canonical/arista cloudvision portal
- version/arista cloudvision portal/2018.1.0
- version/arista cloudvision portal/2018.2.3
- version/arista cloudvision portal/2019.1.0
- version/arista cloudvision portal/2019.1.1
- version/arista cloudvision portal/2019.1.2
- canonical/arista terminattr
- version/arista terminattr/1.7.2
- canonical/arista eos
- version/arista eos/4.23.1f
- canonical/arista mos
- version/arista mos/0.25
- package-manager/redhat
- package-manager/debian