go: Multiple Vulnerabilities (CVE-2019-9512, CVE-2019-9514, CVE-2019-14809)
CVE-2019-9512, CVE-2019-9514: Denial of Service vulnerabilities in the HTTP/2 implementation
net/http and golang.org/x/net/http2 servers that accept direct connections from untrusted clients could be remotely made to allocate an unlimited amount of memory, until the program crashes. Servers will now close connections if the send queue accumulates too many control messages.
References:
- https://github.com/golang/go/issues/33606
- https://groups.google.com/forum/m/#!topic/golang-nuts/fCQWxqxP8aA
CVE-2019-14809: Parsing validation issue
net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles malformed hosts in URLs, leading to an authorization bypass in some applications. The issue concerns a Host field with a suffix that appears in neither Hostname() nor Port(), and a non-numeric port number. For example, an attacker can compose a crafted javascript:// URL that results in a hostname of google.com.
References:
- https://groups.google.com/forum/m/#!topic/golang-nuts/fCQWxqxP8aA
- https://nvd.nist.gov/vuln/detail/CVE-2019-14809
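The authorization-bypass class above comes down to an application trusting Hostname() while the connection is made with the full Host field. The check below, added here as an example rather than code from the Go project, rebuilds Host from Hostname() and Port() and rejects any URL where the two do not account for every byte (or where the port is not numeric); the helper names are my own, and the malformed Host values in the accompanying test are constructed, not taken from the advisory.

```go
package main

import (
	"net"
	"net/url"
	"strings"
)

// HostConsistent reports whether u.Host is fully explained by u.Hostname()
// and u.Port(): rebuilding the host from the two accessors must give back
// u.Host byte for byte, and any port must be numeric. On Go versions affected
// by CVE-2019-14809 a malformed Host could leave a suffix that neither accessor
// returned, so a decision made on Hostname() did not match the Host in use.
// A bare trailing ":" (empty port) is also rejected; it is never needed.
func HostConsistent(u *url.URL) bool {
	host, port := u.Hostname(), u.Port()
	for _, c := range port { // current Go only yields digits here; older did not
		if c < '0' || c > '9' {
			return false
		}
	}
	var rebuilt string
	switch {
	case port != "":
		rebuilt = net.JoinHostPort(host, port) // re-brackets IPv6 literals
	case strings.Contains(host, ":"):
		rebuilt = "[" + host + "]" // IPv6 literal without a port
	default:
		rebuilt = host
	}
	return rebuilt == u.Host
}

// HostFieldConsistent applies the same check to a bare Host string, for
// callers that receive the field from elsewhere than url.Parse.
func HostFieldConsistent(host string) bool {
	return HostConsistent(&url.URL{Host: host})
}

// CheckRawURL parses raw and applies HostConsistent. Patched Go already fails
// Parse for a non-numeric port; the consistency check covers anything that
// Parse (or an older parser) still lets through.
func CheckRawURL(raw string) (bool, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return false, err
	}
	return HostConsistent(u), nil
}
```

Any URL for which CheckRawURL returns false should be refused before it reaches a host-based authorization decision.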