ALT-PU-2019-2807-1
Closed vulnerabilities
Published: 2019-01-24
BDU:2019-00688
Уязвимость модуля crypto языка программирования Go, позволяющая нарушителю вызвать отказ в обслуживании
Severity: HIGH (7.5)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Published: 2019-08-13
BDU:2019-02995
Уязвимость реализации сетевого протокола HTTP/2 операционных систем Windows, веб-сервера Apache Traffic Server, веб-сервера H2O, сетевых программных средств netty, SwiftNIO, Envoy, программной платформы Node.js позволяющая нарушителю вызвать отказ в обслуживании
Severity: HIGH (7.5)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Published: 2019-08-13
BDU:2019-02996
Уязвимость реализации сетевого протокола HTTP/2 операционных систем Windows, веб-сервера Apache Traffic Server, веб-сервера H2O, сетевых программных средств netty, SwiftNIO, Envoy, программной платформы Node.js позволяющая нарушителю вызвать отказ в обслуживании
Severity: HIGH (7.5)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Published: 2019-08-13
BDU:2019-03595
Уязвимость функции net/url языка программирования GO, позволяющая нарушителю оказать воздействие на целостность данных, получить несанкционированный доступ к защищаемой информации, а также вызвать отказ в обслуживании
Severity: CRITICAL (9.8)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Published: 2019-08-14
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2019-14809
net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles malformed hosts in URLs, leading to an authorization bypass in some applications. This is related to a Host field with a suffix appearing in neither Hostname() nor Port(), and is related to a non-numeric port number. For example, an attacker can compose a crafted javascript:// URL that results in a hostname of google.com.
Severity: CRITICAL (9.8)
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
- openSUSE-SU-2019:2000
- openSUSE-SU-2019:2000
- openSUSE-SU-2019:2056
- openSUSE-SU-2019:2056
- openSUSE-SU-2019:2072
- openSUSE-SU-2019:2072
- openSUSE-SU-2019:2085
- openSUSE-SU-2019:2085
- openSUSE-SU-2019:2130
- openSUSE-SU-2019:2130
- RHSA-2019:3433
- RHSA-2019:3433
- https://github.com/golang/go/issues/29098
- https://github.com/golang/go/issues/29098
- https://groups.google.com/forum/#%21topic/golang-announce/0uuMm1BwpHE
- https://groups.google.com/forum/#%21topic/golang-announce/0uuMm1BwpHE
- https://groups.google.com/forum/#%21topic/golang-announce/65QixT3tcmg
- https://groups.google.com/forum/#%21topic/golang-announce/65QixT3tcmg
- FEDORA-2019-65db7ad6c7
- FEDORA-2019-65db7ad6c7
- FEDORA-2019-55d101a740
- FEDORA-2019-55d101a740
- 20190819 [SECURITY] [DSA 4503-1] golang-1.11 security update
- 20190819 [SECURITY] [DSA 4503-1] golang-1.11 security update
- DSA-4503
- DSA-4503
Published: 2019-01-24
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2019-6486
Go before 1.10.8 and 1.11.x before 1.11.5 mishandles P-521 and P-384 elliptic curves, which allows attackers to cause a denial of service (CPU consumption) or possibly conduct ECDH private key recovery attacks.
Severity: HIGH (8.2)
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
References:
- openSUSE-SU-2019:1164
- openSUSE-SU-2019:1444
- openSUSE-SU-2019:1499
- openSUSE-SU-2019:1506
- 106740
- https://github.com/golang/go/commit/42b42f71cf8f5956c09e66230293dfb5db652360
- https://github.com/golang/go/issues/29903
- https://github.com/google/wycheproof
- https://groups.google.com/forum/#%21topic/golang-announce/mVeX35iXuSw
- [debian-lts-announce] 20190206 [SECURITY] [DLA 1664-1] golang security update
- DSA-4379
- DSA-4380
- openSUSE-SU-2019:1164
- DSA-4380
- DSA-4379
- [debian-lts-announce] 20190206 [SECURITY] [DLA 1664-1] golang security update
- https://groups.google.com/forum/#%21topic/golang-announce/mVeX35iXuSw
- https://github.com/google/wycheproof
- https://github.com/golang/go/issues/29903
- https://github.com/golang/go/commit/42b42f71cf8f5956c09e66230293dfb5db652360
- 106740
- openSUSE-SU-2019:1506
- openSUSE-SU-2019:1499
- openSUSE-SU-2019:1444
Published: 2019-08-14
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2019-9512
Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.
Severity: HIGH (7.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
- https://www.synology.com/security/advisory/Synology_SA_19_33
- openSUSE-SU-2019:2000
- openSUSE-SU-2019:2056
- openSUSE-SU-2019:2072
- openSUSE-SU-2019:2085
- openSUSE-SU-2019:2115
- openSUSE-SU-2019:2114
- openSUSE-SU-2019:2130
- 20190816 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0
- [oss-security] 20190819 [ANNOUNCE] Security release of Kubernetes v1.15.3, v1.14.6, v1.13.10 - CVE-2019-9512 and CVE-2019-9514
- RHSA-2019:2594
- RHSA-2019:2661
- RHSA-2019:2682
- RHSA-2019:2690
- RHSA-2019:2726
- RHSA-2019:2766
- RHSA-2019:2769
- RHSA-2019:2796
- RHSA-2019:2861
- RHSA-2019:2925
- RHSA-2019:2939
- RHSA-2019:2955
- RHSA-2019:2966
- RHSA-2019:3131
- RHSA-2019:3245
- RHSA-2019:3265
- RHSA-2019:3892
- RHSA-2019:3906
- RHSA-2019:4018
- RHSA-2019:4019
- RHSA-2019:4020
- RHSA-2019:4021
- RHSA-2019:4040
- RHSA-2019:4041
- RHSA-2019:4042
- RHSA-2019:4045
- RHSA-2019:4269
- RHSA-2019:4273
- RHSA-2019:4352
- RHSA-2020:0406
- RHSA-2020:0727
- https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
- VU#605641
- https://kc.mcafee.com/corporate/index?page=content&id=SB10296
- [trafficserver-users] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks
- [trafficserver-announce] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks
- [trafficserver-dev] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks
- [debian-lts-announce] 20201208 [SECURITY] [DLA 2485-1] golang-golang-x-net-dev security update
- FEDORA-2019-65db7ad6c7
- FEDORA-2019-6a2980de56
- FEDORA-2019-5a6a7bc12c
- FEDORA-2019-55d101a740
- 20190814 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0
- 20190819 [SECURITY] [DSA 4503-1] golang-1.11 security update
- 20190825 [SECURITY] [DSA 4508-1] h2o security update
- 20190910 [SECURITY] [DSA 4520-1] trafficserver security update
- https://security.netapp.com/advisory/ntap-20190823-0001/
- https://security.netapp.com/advisory/ntap-20190823-0004/
- https://security.netapp.com/advisory/ntap-20190823-0005/
- https://support.f5.com/csp/article/K98053339
- https://support.f5.com/csp/article/K98053339?utm_source=f5support&%3Butm_medium=RSS
- USN-4308-1
- DSA-4503
- DSA-4508
- DSA-4520
- https://www.synology.com/security/advisory/Synology_SA_19_33
- DSA-4520
- DSA-4508
- DSA-4503
- USN-4308-1
- https://support.f5.com/csp/article/K98053339?utm_source=f5support&%3Butm_medium=RSS
- https://support.f5.com/csp/article/K98053339
- https://security.netapp.com/advisory/ntap-20190823-0005/
- https://security.netapp.com/advisory/ntap-20190823-0004/
- https://security.netapp.com/advisory/ntap-20190823-0001/
- 20190910 [SECURITY] [DSA 4520-1] trafficserver security update
- 20190825 [SECURITY] [DSA 4508-1] h2o security update
- 20190819 [SECURITY] [DSA 4503-1] golang-1.11 security update
- 20190814 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0
- FEDORA-2019-55d101a740
- FEDORA-2019-5a6a7bc12c
- FEDORA-2019-6a2980de56
- FEDORA-2019-65db7ad6c7
- [debian-lts-announce] 20201208 [SECURITY] [DLA 2485-1] golang-golang-x-net-dev security update
- [trafficserver-dev] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks
- [trafficserver-announce] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks
- [trafficserver-users] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks
- https://kc.mcafee.com/corporate/index?page=content&id=SB10296
- VU#605641
- https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
- RHSA-2020:0727
- RHSA-2020:0406
- RHSA-2019:4352
- RHSA-2019:4273
- RHSA-2019:4269
- RHSA-2019:4045
- RHSA-2019:4042
- RHSA-2019:4041
- RHSA-2019:4040
- RHSA-2019:4021
- RHSA-2019:4020
- RHSA-2019:4019
- RHSA-2019:4018
- RHSA-2019:3906
- RHSA-2019:3892
- RHSA-2019:3265
- RHSA-2019:3245
- RHSA-2019:3131
- RHSA-2019:2966
- RHSA-2019:2955
- RHSA-2019:2939
- RHSA-2019:2925
- RHSA-2019:2861
- RHSA-2019:2796
- RHSA-2019:2769
- RHSA-2019:2766
- RHSA-2019:2726
- RHSA-2019:2690
- RHSA-2019:2682
- RHSA-2019:2661
- RHSA-2019:2594
- [oss-security] 20190819 [ANNOUNCE] Security release of Kubernetes v1.15.3, v1.14.6, v1.13.10 - CVE-2019-9512 and CVE-2019-9514
- 20190816 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0
- openSUSE-SU-2019:2130
- openSUSE-SU-2019:2114
- openSUSE-SU-2019:2115
- openSUSE-SU-2019:2085
- openSUSE-SU-2019:2072
- openSUSE-SU-2019:2056
- openSUSE-SU-2019:2000
Published: 2019-08-14
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2019-9514
Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both.
Severity: HIGH (7.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
- openSUSE-SU-2019:2000
- openSUSE-SU-2019:2056
- openSUSE-SU-2019:2072
- openSUSE-SU-2019:2085
- openSUSE-SU-2019:2115
- openSUSE-SU-2019:2114
- openSUSE-SU-2019:2130
- 20190816 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0
- [oss-security] 20190819 [ANNOUNCE] Security release of Kubernetes v1.15.3, v1.14.6, v1.13.10 - CVE-2019-9512 and CVE-2019-9514
- [oss-security] 20231018 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations
- RHSA-2019:2594
- RHSA-2019:2661
- RHSA-2019:2682
- RHSA-2019:2690
- RHSA-2019:2726
- RHSA-2019:2766
- RHSA-2019:2769
- RHSA-2019:2796
- RHSA-2019:2861
- RHSA-2019:2925
- RHSA-2019:2939
- RHSA-2019:2955
- RHSA-2019:2966
- RHSA-2019:3131
- RHSA-2019:3245
- RHSA-2019:3265
- RHSA-2019:3892
- RHSA-2019:3906
- RHSA-2019:4018
- RHSA-2019:4019
- RHSA-2019:4020
- RHSA-2019:4021
- RHSA-2019:4040
- RHSA-2019:4041
- RHSA-2019:4042
- RHSA-2019:4045
- RHSA-2019:4269
- RHSA-2019:4273
- RHSA-2019:4352
- RHSA-2020:0406
- RHSA-2020:0727
- https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
- VU#605641
- https://kc.mcafee.com/corporate/index?page=content&id=SB10296
- [trafficserver-users] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks
- [trafficserver-announce] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks
- [trafficserver-dev] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks
- [debian-lts-announce] 20201208 [SECURITY] [DLA 2485-1] golang-golang-x-net-dev security update
- FEDORA-2019-65db7ad6c7
- FEDORA-2019-6a2980de56
- FEDORA-2019-5a6a7bc12c
- FEDORA-2019-55d101a740
- 20190814 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0
- 20190819 [SECURITY] [DSA 4503-1] golang-1.11 security update
- 20190825 [SECURITY] [DSA 4508-1] h2o security update
- 20190910 [SECURITY] [DSA 4520-1] trafficserver security update
- https://security.netapp.com/advisory/ntap-20190823-0001/
- https://security.netapp.com/advisory/ntap-20190823-0004/
- https://security.netapp.com/advisory/ntap-20190823-0005/
- https://support.f5.com/csp/article/K01988340
- https://support.f5.com/csp/article/K01988340?utm_source=f5support&%3Butm_medium=RSS
- USN-4308-1
- DSA-4503
- DSA-4508
- DSA-4520
- DSA-4669
- https://www.synology.com/security/advisory/Synology_SA_19_33
- openSUSE-SU-2019:2000
- https://www.synology.com/security/advisory/Synology_SA_19_33
- DSA-4669
- DSA-4520
- DSA-4508
- DSA-4503
- USN-4308-1
- https://support.f5.com/csp/article/K01988340?utm_source=f5support&%3Butm_medium=RSS
- https://support.f5.com/csp/article/K01988340
- https://security.netapp.com/advisory/ntap-20190823-0005/
- https://security.netapp.com/advisory/ntap-20190823-0004/
- https://security.netapp.com/advisory/ntap-20190823-0001/
- 20190910 [SECURITY] [DSA 4520-1] trafficserver security update
- 20190825 [SECURITY] [DSA 4508-1] h2o security update
- 20190819 [SECURITY] [DSA 4503-1] golang-1.11 security update
- 20190814 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0
- FEDORA-2019-55d101a740
- FEDORA-2019-5a6a7bc12c
- FEDORA-2019-6a2980de56
- FEDORA-2019-65db7ad6c7
- [debian-lts-announce] 20201208 [SECURITY] [DLA 2485-1] golang-golang-x-net-dev security update
- [trafficserver-dev] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks
- [trafficserver-announce] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks
- [trafficserver-users] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks
- https://kc.mcafee.com/corporate/index?page=content&id=SB10296
- VU#605641
- https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
- RHSA-2020:0727
- RHSA-2020:0406
- RHSA-2019:4352
- RHSA-2019:4273
- RHSA-2019:4269
- RHSA-2019:4045
- RHSA-2019:4042
- RHSA-2019:4041
- RHSA-2019:4040
- RHSA-2019:4021
- RHSA-2019:4020
- RHSA-2019:4019
- RHSA-2019:4018
- RHSA-2019:3906
- RHSA-2019:3892
- RHSA-2019:3265
- RHSA-2019:3245
- RHSA-2019:3131
- RHSA-2019:2966
- RHSA-2019:2955
- RHSA-2019:2939
- RHSA-2019:2925
- RHSA-2019:2861
- RHSA-2019:2796
- RHSA-2019:2769
- RHSA-2019:2766
- RHSA-2019:2726
- RHSA-2019:2690
- RHSA-2019:2682
- RHSA-2019:2661
- RHSA-2019:2594
- [oss-security] 20231018 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations
- [oss-security] 20190819 [ANNOUNCE] Security release of Kubernetes v1.15.3, v1.14.6, v1.13.10 - CVE-2019-9512 and CVE-2019-9514
- 20190816 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0
- openSUSE-SU-2019:2130
- openSUSE-SU-2019:2114
- openSUSE-SU-2019:2115
- openSUSE-SU-2019:2085
- openSUSE-SU-2019:2072
- openSUSE-SU-2019:2056