Improper Certificate Validation The advisory has been revoked - it doesn't affect any version of package golang-src Open this link in a new tab

The Red Hat security team deemed this advisory irrelevant for RHEL:7.

Note: Versions mentioned in the description apply only to the upstream golang-src package and not the golang-src package as distributed by RHEL.

Go before 1.12.11 and 1.3.x before 1.13.2 can panic upon an attempt to process network traffic containing an invalid DSA public key. There are several attack scenarios, such as traffic from a client to a server that verifies client certificates.

• https://github.com/golang/go/issues/34960
• https://groups.google.com/d/msg/golang-announce/lVEm7llp0w0/VbafyRkgCgAJ
• https://security.netapp.com/advisory/ntap-20191122-0005/
• https://access.redhat.com/security/cve/CVE-2019-17596
• https://www.debian.org/security/2019/dsa-4551
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5VS3HPSE25ZSGS4RSOTADC67YNOHIGVV/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WVOWGM7IQGRO7DS2MCUMYZRQ4TYOZNAS/
• https://lists.debian.org/debian-lts-announce/2021/03/msg00014.html
• https://lists.debian.org/debian-lts-announce/2021/03/msg00015.html
• https://access.redhat.com/errata/RHSA-2020:0101
• https://access.redhat.com/errata/RHSA-2020:0329
• http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00043.html
• http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00044.html
• https://www.arista.com/en/support/advisories-notices/security-advisories/10134-security-advisory-46
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5VS3HPSE25ZSGS4RSOTADC67YNOHIGVV/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WVOWGM7IQGRO7DS2MCUMYZRQ4TYOZNAS/