Security update for go1.12 SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2019:2056-1 Final 1 1 2019-09-02T12:21:15Z current 2019-09-02T12:21:15Z 2019-09-02T12:21:15Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for go1.12 This update for go1.12 fixes the following issues: Security issues fixed: - CVE-2019-9512: Fixed HTTP/2 flood using PING frames that results in unbounded memory growth (bsc#1146111). - CVE-2019-9514: Fixed HTTP/2 implementation that is vulnerable to a reset flood, potentially leading to a denial of service (bsc#1146115). - CVE-2019-14809: Fixed malformed hosts in URLs that leads to authorization bypass (bsc#1146123). Bugfixes: - Update to go version 1.12.9 (bsc#1141689). - Adding Web Assembly stuff from misc/wasm (bsc#1139210). This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2019-2056 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-security-announce/2019-09/msg00002.html E-Mail link for openSUSE-SU-2019:2056-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1139210 SUSE Bug 1139210 https://bugzilla.suse.com/1141689 SUSE Bug 1141689 https://bugzilla.suse.com/1146111 SUSE Bug 1146111 https://bugzilla.suse.com/1146115 SUSE Bug 1146115 https://bugzilla.suse.com/1146123 SUSE Bug 1146123 https://www.suse.com/security/cve/CVE-2019-14809/ SUSE CVE CVE-2019-14809 page https://www.suse.com/security/cve/CVE-2019-9512/ SUSE CVE CVE-2019-9512 page https://www.suse.com/security/cve/CVE-2019-9514/ SUSE CVE CVE-2019-9514 page openSUSE Leap 15.0 openSUSE Leap 15.1 go1.12-1.12.9-lp151.2.13.1 go1.12-doc-1.12.9-lp151.2.13.1 go1.12-race-1.12.9-lp151.2.13.1 go1.12-1.12.9-lp151.2.13.1 as a component of openSUSE Leap 15.0 go1.12-doc-1.12.9-lp151.2.13.1 as a component of openSUSE Leap 15.0 go1.12-race-1.12.9-lp151.2.13.1 as a component of openSUSE Leap 15.0 go1.12-1.12.9-lp151.2.13.1 as a component of openSUSE Leap 15.1 go1.12-doc-1.12.9-lp151.2.13.1 as a component of openSUSE Leap 15.1 go1.12-race-1.12.9-lp151.2.13.1 as a component of openSUSE Leap 15.1 net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles malformed hosts in URLs, leading to an authorization bypass in some applications. This is related to a Host field with a suffix appearing in neither Hostname() nor Port(), and is related to a non-numeric port number. For example, an attacker can compose a crafted javascript:// URL that results in a hostname of google.com. CVE-2019-14809 openSUSE Leap 15.0:go1.12-1.12.9-lp151.2.13.1 openSUSE Leap 15.0:go1.12-doc-1.12.9-lp151.2.13.1 openSUSE Leap 15.0:go1.12-race-1.12.9-lp151.2.13.1 openSUSE Leap 15.1:go1.12-1.12.9-lp151.2.13.1 openSUSE Leap 15.1:go1.12-doc-1.12.9-lp151.2.13.1 openSUSE Leap 15.1:go1.12-race-1.12.9-lp151.2.13.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/opensuse-security-announce/2019-09/msg00002.html https://www.suse.com/security/cve/CVE-2019-14809.html CVE-2019-14809 https://bugzilla.suse.com/1146123 SUSE Bug 1146123 Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both. CVE-2019-9512 openSUSE Leap 15.0:go1.12-1.12.9-lp151.2.13.1 openSUSE Leap 15.0:go1.12-doc-1.12.9-lp151.2.13.1 openSUSE Leap 15.0:go1.12-race-1.12.9-lp151.2.13.1 openSUSE Leap 15.1:go1.12-1.12.9-lp151.2.13.1 openSUSE Leap 15.1:go1.12-doc-1.12.9-lp151.2.13.1 openSUSE Leap 15.1:go1.12-race-1.12.9-lp151.2.13.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/opensuse-security-announce/2019-09/msg00002.html https://www.suse.com/security/cve/CVE-2019-9512.html CVE-2019-9512 https://bugzilla.suse.com/1145663 SUSE Bug 1145663 https://bugzilla.suse.com/1146099 SUSE Bug 1146099 https://bugzilla.suse.com/1146111 SUSE Bug 1146111 https://bugzilla.suse.com/1147142 SUSE Bug 1147142 Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both. CVE-2019-9514 openSUSE Leap 15.0:go1.12-1.12.9-lp151.2.13.1 openSUSE Leap 15.0:go1.12-doc-1.12.9-lp151.2.13.1 openSUSE Leap 15.0:go1.12-race-1.12.9-lp151.2.13.1 openSUSE Leap 15.1:go1.12-1.12.9-lp151.2.13.1 openSUSE Leap 15.1:go1.12-doc-1.12.9-lp151.2.13.1 openSUSE Leap 15.1:go1.12-race-1.12.9-lp151.2.13.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/opensuse-security-announce/2019-09/msg00002.html https://www.suse.com/security/cve/CVE-2019-9514.html CVE-2019-9514 https://bugzilla.suse.com/1145662 SUSE Bug 1145662 https://bugzilla.suse.com/1145663 SUSE Bug 1145663 https://bugzilla.suse.com/1146095 SUSE Bug 1146095 https://bugzilla.suse.com/1146115 SUSE Bug 1146115 https://bugzilla.suse.com/1147142 SUSE Bug 1147142