EulerOS 2.0 SP8 : golang (EulerOS-SA-2020-1804)

Medium Nessus Plugin ID 139134

Synopsis

The remote EulerOS host is missing multiple security updates.

Description

According to the versions of the golang packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

- Go before 1.13.13 and 1.14.x before 1.14.5 has a data race in some net/http servers, as demonstrated by the httputil.ReverseProxy Handler, because it reads a request body and writes a response at the same time.(CVE-2020-15586)

- Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP Request Smuggling.(CVE-2019-16276)

- Go before 1.12.11 and 1.3.x before 1.13.2 can panic upon an attempt to process network traffic containing an invalid DSA public key. There are several attack scenarios, such as traffic from a client to a server that verifies client certificates.(CVE-2019-17596)

- Go before 1.12.16 and 1.13.x before 1.13.7 (and the crypto/cryptobyte package before 0.0.0-20200124225646-8b5121be2f68 for Go) allows attacks on clients (resulting in a panic) via a malformed X.509 certificate.(CVE-2020-7919)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Update the affected golang packages.

See Also

http://www.nessus.org/u?04fa1538

Plugin Details

Severity: Medium

ID: 139134

File Name: EulerOS_SA-2020-1804.nasl

Version: 1.2

Type: local

Published: 2020/07/30

Updated: 2020/08/03

Dependencies: 12634

Risk Information

Risk Factor: Medium

CVSS Score Source: CVE-2019-16276

CVSS v2.0

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

CVSS v3.0

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:huawei:euleros:golang, p-cpe:/a:huawei:euleros:golang-bin, p-cpe:/a:huawei:euleros:golang-src, cpe:/o:huawei:euleros:2.0

Required KB Items: Host/local_checks_enabled, Host/EulerOS/release, Host/EulerOS/rpm-list, Host/EulerOS/sp

Excluded KB Items: Host/EulerOS/uvp_version

Exploit Ease: No known exploits are available

Patch Publication Date: 2020/07/30

Reference Information

CVE: CVE-2019-16276, CVE-2019-17596, CVE-2020-15586, CVE-2020-7919