Bug 1755969 (CVE-2019-16276)
Summary: | CVE-2019-16276 golang: HTTP/1.1 headers with a space before the colon leads to filter bypass or request smuggling | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Dhananjay Arunesh <darunesh> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | adahiya, admiller, afox, amctagga, amurdaca, anharris, aoconnor, aos-bugs, aos-install, aos-storage-staff, asm, bbennett, bbreard, bmontgom, bniver, bodavis, deparker, dustymabe, dwalsh, emachado, eparis, flucifre, fweimer, gmeno, hgomes, hvyas, imcleod, jakub, jburrell, jcajka, jesusr, jligon, jokerman, jpadman, law, lemenkov, mbenjamin, mhackett, miabbott, mnewsome, mpatel, mpolacek, nstielau, ohudlick, puebele, renich, rphillips, rschiron, sbhavsar, shurley, sisharma, sostapov, sponnaga, tstellar, vbatts, vbellur, vereddy |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Go 1.13.1, Go 1.12.10 | Doc Type: | If docs needed, set a value |
Doc Text: |
It was discovered that net/http (through net/textproto) in golang does not correctly interpret HTTP requests where an HTTP header contains spaces before the colon. An attacker could abuse this to smuggle HTTP requests when a proxy or a firewall is placed behind a server implemented in Go, or to bypass filters, depending on the specific network configuration.
|
Last Closed: | 2020-01-14 14:09:29 UTC | Type: | --- |
Bug Depends On: | 1755970, 1755971, 1759839, 1759840, 1760813, 1760814, 1760815, 1785351, 1785665, 1793751, 1793752, 1793753, 1793754, 1793755, 1793756, 1793757, 1793758, 1793759, 1793760, 1793761, 1793762, 1793764, 1793765, 1793767, 1793768, 1793769, 1793770, 1793771, 1793772, 1793773, 1793774, 1793775, 1793776, 1793777, 1793778, 1793779, 1793780, 1793781, 1793782, 1793783, 1793785, 1793786, 1793788, 1793789, 1793790, 1793791, 1793792, 1793793, 1793794, 1793795, 1793796, 1793797, 1793798, 1793799, 1793800, 1793801, 1793802, 1793809, 1793810, 1793811, 1793812, 1793813, 1793814, 1793815, 1793816, 1793817, 1793818, 1793819, 1793820, 1793821, 1793822, 1793823, 1793824, 1793825, 1793826, 1793827, 1793828, 1793829, 1793830, 1793831, 1793832, 1793833, 1793835, 1793836, 1793837, 1793838, 1793839, 1793840, 1793841, 1793842, 1793843, 1793844, 1793845, 1807699, 1878637 | ||
Bug Blocks: | 1755973 |
Description
Dhananjay Arunesh
2019-09-26 14:10:19 UTC
Created golang tracking bugs for this issue:

Affects: epel-all [bug 1755971]
Affects: fedora-all [bug 1755970]

External References:

https://groups.google.com/forum/#!msg/golang-announce/cszieYyuL9Q/g4Z7pKaqAgAJ

Upstream fix:

https://github.com/golang/go/commit/41b1f88efab9d263408448bf139659119002ea50 [master branch]
https://github.com/golang/go/commit/6e6f4aaf70c8b1cc81e65a26332aa9409de03ad8 [release-branch.go1.12 branch]
https://github.com/golang/go/commit/5a6ab1ec3e678640befebeb3318b746a64ad986c [release-branch.go1.13 branch]

Function ReadMIMEHeader() in src/net/textproto/reader.go was trying to parse headers where the colon between the key and the value is preceded by trailing whitespace, trying to be more flexible. However, this could be abused in some particular settings to smuggle HTTP requests, so the patch makes the parsing less flexible, in favor of more consistent behavior.

This issue has been addressed in the following products:

Red Hat Developer Tools

Via RHSA-2020:0101 https://access.redhat.com/errata/RHSA-2020:0101

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-16276

Statement:

* This issue affects the versions of golang as shipped with Red Hat Enterprise Linux 7, however it was deprecated in Red Hat Enterprise Linux 7.6 and it does not receive updates anymore. Developers are encouraged to use the Go Toolset instead, which is available through the Red Hat Developer program. See https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.6_release_notes/chap-red_hat_enterprise_linux-7.6_release_notes-other_deprecated_functionality#idm140555585405248.
* The version of golang provided in Red Hat Gluster Storage 3, Red Hat Ceph Storage 2 and Red Hat Ceph Storage 3 allows filter bypasses or request smuggling and contains the vulnerable code, hence it is affected by this vulnerability.
* In OpenShift Container Platform, all packages and container images that are built with a vulnerable version of Go and use the net/http package are affected by this flaw.

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2020:0329 https://access.redhat.com/errata/RHSA-2020:0329

This issue has been addressed in the following products:

Red Hat OpenShift Container Platform 4.2

Via RHSA-2020:0652 https://access.redhat.com/errata/RHSA-2020:0652
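The parsing difference described in the comments above, as an added example that is not part of the bug report or the Go source: `lenientKey` is a simplified model of the pre-fix handling, `strictKey` applies the RFC 7230 section 3.2.4 rule that whitespace before the colon is invalid, and `stdlibNormalizes` probes the net/textproto of the toolchain it is built with. The function names and sample header lines are constructed for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"net/textproto"
	"strings"
)

// lenientKey models the pre-fix behaviour: spaces between the field name
// and the colon are dropped, so "Transfer-Encoding " is treated as
// "Transfer-Encoding". Simplified model, not the library source.
func lenientKey(line string) (string, bool) {
	i := strings.IndexByte(line, ':')
	if i < 0 {
		return "", false
	}
	return textproto.CanonicalMIMEHeaderKey(strings.TrimRight(line[:i], " ")), true
}

// strictKey follows RFC 7230 section 3.2.4: whitespace between the field
// name and the colon makes the line invalid, so it is rejected outright.
func strictKey(line string) (string, bool) {
	i := strings.IndexByte(line, ':')
	if i <= 0 || strings.ContainsAny(line[:i], " \t") {
		return "", false
	}
	return textproto.CanonicalMIMEHeaderKey(line[:i]), true
}

// stdlibNormalizes reports whether the net/textproto in the running
// toolchain still maps "Transfer-Encoding :" onto the canonical key.
func stdlibNormalizes() bool {
	raw := "Transfer-Encoding : chunked\r\n\r\n" // constructed sample
	r := textproto.NewReader(bufio.NewReader(strings.NewReader(raw)))
	h, _ := r.ReadMIMEHeader() // an error also means "not normalized"
	return h.Get("Transfer-Encoding") != ""
}

func main() {
	for _, l := range []string{"Transfer-Encoding: chunked", "Transfer-Encoding : chunked"} {
		lk, _ := lenientKey(l)
		sk, ok := strictKey(l)
		fmt.Printf("%q lenient=%q strict=%q accepted=%v\n", l, lk, sk, ok)
	}
	fmt.Println("stdlib still normalizes:", stdlibNormalizes())
}
```

A `true` result from `stdlibNormalizes` means the binary was built with a Go release older than the fixed versions listed in this bug (Go 1.13.1, Go 1.12.10).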