x/vulndb: potential Go vuln in "Go Standard Library (package not identified)": CVE-2019-11840 #209

@GoVulnBot

In CVE-2019-11840, the reference URL "Go Standard Library (package not identified)" (and possibly others) refers to something in Go.

module: std
package: Go Standard Library (package not identified)
description: |
  An issue was discovered in supplementary Go cryptography libraries, aka golang-googlecode-go-crypto, before 2019-03-20. A flaw was found in the amd64 implementation of golang.org/x/crypto/salsa20 and golang.org/x/crypto/salsa20/salsa. If more than 256 GiB of keystream is generated, or if the counter otherwise grows greater than 32 bits, the amd64 implementation will first generate incorrect output, and then cycle back to previously generated keystream. Repeated keystream bytes can lead to loss of confidentiality in encryption applications, or to predictability in CSPRNG applications.
cves:
- CVE-2019-11840
links:
  context:
  - https://bugzilla.redhat.com/show_bug.cgi?id=1691529
  - https://go.dev/issue/30965
  - https://go.googlesource.com/crypto/+/b7391e95e576cacdcdd422573063bc057239113d
  - https://groups.google.com/forum/#!msg/golang-announce/tjyNcJxb2vQ/n0NRBziSCAAJ
  - https://lists.debian.org/debian-lts-announce/2019/06/msg00029.html
  - https://lists.debian.org/debian-lts-announce/2020/10/msg00014.html
  - https://lists.debian.org/debian-lts-announce/2020/11/msg00016.html
  - https://lists.debian.org/debian-lts-announce/2020/11/msg00030.html
  - https://lists.debian.org/debian-lts-announce/2021/01/msg00015.html

See doc/triage.md for instructions on how to triage this report.
