On Thu 30/01/2020 19:21, Nam Nguyen wrote:
> This is a security fix release that I propose adding to -stable. It
> affects 32-bit arches when dnscrypt-proxy's DNS over HTTPS (DoH) feature
> is used. It was fixed in Go 1.13.7 (now available in ports) and in the
> version of golang.org/x/crypto specified in {WRKSRC}/go.mod.
>
> From issue:
> "On 32-bit architectures, a malformed input to crypto/x509 or the ASN.1
> parsing functions of golang.org/x/crypto/cryptobyte can lead to a
> panic."
>
> From Go commit:
> "When int is 32 bits wide (on 32-bit architectures like 386 and arm), an
> overflow could occur, causing a panic, due to malformed ASN.1 being
> passed to any of the ASN1 methods of String."
>
> From changelog:
> "- Security (affecting DoH): precompiled binaries of dnscrypt-proxy
> 2.0.37 are built using Go 1.13.7 that fixes a TLS certificate parsing
> issue present in previous versions of the compiler"
>
> Sources:
> CVE-2020-7919
> https://github.com/golang/go/issues/36837
> https://github.com/golang/go/commit/b13ce14c4a6aa59b7b041ad2b6eed2d23e15b574
> https://github.com/golang/crypto/commit/69ecbb4d6d5dab05e49161c6e77ea40a030884e1
>
> Changelog:
> https://github.com/DNSCrypt/dnscrypt-proxy/blob/2.0.38/ChangeLog
>
> This is an update for net/dnscrypt-proxy 2.0.38, released on January 30,
> 2020. I tested on amd64 and unit tests pass.
2.0.39 was released a couple of hours ago, which fixes the Firefox
local DoH service: https://github.com/DNSCrypt/dnscrypt-proxy/releases
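
The failure mode quoted from the Go commit above, sketched as an added example; it is not part of the original messages and is not the Go project's patch. It is a simplified DER length parser in which `int32` stands in for `int` on 386/arm; `elementLen`, `errMalformed` and the sample bytes are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"math"
)

var errMalformed = errors.New("malformed DER")

// elementLen returns the total size (header + content) of the DER element at
// the start of der. int32 stands in for Go's int on 32-bit architectures so
// the behaviour is reproducible on any host. Single-byte tags only.
func elementLen(der []byte) (int32, error) {
	if len(der) < 2 {
		return 0, errMalformed
	}
	lenByte := der[1]
	var content, header uint32
	if lenByte&0x80 == 0 { // short form: the byte is the length
		content, header = uint32(lenByte), 2
	} else { // long form: low 7 bits give the number of length bytes
		n := int(lenByte & 0x7f)
		if n == 0 || n > 4 || len(der) < 2+n {
			return 0, errMalformed
		}
		for _, b := range der[2 : 2+n] {
			content = content<<8 | uint32(b)
		}
		header = 2 + uint32(n)
	}
	total := header + content
	// Two guards: uint32 wrap-around, and a total that fits in uint32 but is
	// negative once converted to a 32-bit int (a negative slice bound panics).
	if total < content || total > math.MaxInt32 {
		return 0, errMalformed
	}
	if int64(total) > int64(len(der)) { // declared length exceeds the input
		return 0, errMalformed
	}
	return int32(total), nil
}

func main() {
	// Constructed inputs: a 3-byte OCTET STRING, then a header claiming 0x80000000 bytes.
	fmt.Println(elementLen([]byte{0x04, 0x03, 'a', 'b', 'c'}))
	fmt.Println(elementLen([]byte{0x04, 0x84, 0x80, 0x00, 0x00, 0x00}))
}
```

Without the `math.MaxInt32` guard, the second input would yield a negative `int32`, which is the kind of value that turns a later slice expression into a runtime panic instead of a parse error.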