CVE-2019-17596 log

Source
Severity Medium
Remote Yes
Type Denial of service
Description
Invalid DSA public keys can cause a panic in dsa.Verify. In particular, using crypto/x509.Verify on a crafted X.509 certificate chain can lead to a panic, even if the certificates don’t chain to a trusted root. The chain can be delivered via a crypto/tls connection to a client, or to a server that accepts and verifies client certificates. net/http clients can be made to crash by an HTTPS server, while net/http servers that accept client certificates will recover the panic and are unaffected.

Moreover, an application might crash invoking crypto/x509.(*CertificateRequest) CheckSignature on an X.509 certificate request, parsing a golang.org/x/crypto/openpgp Entity, or during a golang.org/x/crypto/otr conversation. Finally, a golang.org/x/crypto/ssh client can panic due to a malformed host key, while a server could panic if either PublicKeyCallback accepts a malformed public key, or if IsUserAuthority accepts a certificate with a malformed public key.
Group Package Affected Fixed Severity Status Ticket
AVG-1051 go, go-pie 2:1.13.1-1 2:1.13.3-1 Medium Fixed
Date Advisory Group Package Severity Type
21 Oct 2019 ASA-201910-12 AVG-1051 go Medium denial of service
21 Oct 2019 ASA-201910-11 AVG-1051 go-pie Medium denial of service
References
https://github.com/golang/go/issues/34960