Bug 2222167 (CVE-2023-29406)

Summary: CVE-2023-29406 golang: net/http: insufficient sanitization of Host header
Product: [Other] Security Response Reporter: Avinash Hanwate <ahanwate>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aazores, abenaiss, abishop, adudiak, aileenc, amasferr, amctagga, ansmith, aoconnor, asm, aveerama, bbaude, bbuckingham, bcl, bcourt, bniver, bodavis, chazlett, davidn, dbenoit, dcadzow, debarshir, desktop-qa-list, dfreiber, dhellmann, dhughes, dkenigsb, dperaza, dsimansk, dwalsh, dymurray, eaguilar, ebaron, eglynn, ehelms, ellin, emachado, epacific, eric.wittmann, fdeutsch, flucifre, gmeno, gparvin, grafana-maint, ibolton, jaharrin, janstey, jburrell, jcammara, jcantril, jchui, jeder, jhardy, jjoyce, jkang, jkoehler, jkurik, jligon, jmatthew, jmontleo, jneedle, jnovy, jobarker, jpallich, jsherril, jwendell, kshier, lball, lhh, lmadsen, lsm5, lzap, mabashia, matzew, mbenjamin, mboddu, mburns, mcressma, mgarciac, mhackett, mheon, mhulan, mkudlej, mmagr, mnewsome, mrunge, mwringe, myarboro, nathans, nbecker, nboldt, njean, nmoumoul, nobody, opohorel, orabin, oramraz, osapryki, osbuilders, owatkins, pahickey, pantinor, pcreech, peholase, pehunt, periklis, pgrist, pjindal, pthomas, rcernich, rchan, rgarg, rhcos-sst, rhos-maint, rhuss, rjohnson, rogbas, saroy, scorneli, scox, sfroberg, sgott, shbose, simaishi, sipoyare, skontopo, slucidi, smcdonal, smullick, sostapov, sseago, stcannon, teagle, tfister, tjochec, tstellar, tsweeney, twalsh, ubhargav, umohnani, vereddy, vkumar, whayutin, yguenane, zsadeh
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: golang 1.19.11, golang 1.20.6 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Golang, where it is vulnerable to HTTP header injection caused by improper content validation of the Host header by the HTTP/1 client. A remote attacker can inject arbitrary HTTP headers by persuading a victim to visit a specially crafted Web page. This flaw allows the attacker to conduct various attacks against the vulnerable system, including Cross-site scripting, cache poisoning, or session hijacking.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2222293, 2222294, 2222295, 2222297, 2222298, 2222301, 2222303, 2222305, 2222306, 2222307, 2222308, 2222309, 2222310, 2222312, 2222313, 2222314, 2222315, 2222316, 2222317, 2222318, 2222319, 2222320, 2222321, 2222322, 2222323, 2222324, 2222325, 2222329, 2222330, 2222331, 2222332, 2222333, 2222337, 2222338, 2222339, 2222340, 2222341, 2222342, 2222343, 2224490, 2224491, 2222291, 2222296, 2222299, 2222302, 2222304, 2222326, 2222327, 2222328, 2222334, 2222335, 2222336    
Bug Blocks: 2222178    

Description Avinash Hanwate 2023-07-12 06:04:15 UTC 
The HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional headers or entire requests. With fix, the HTTP/1 client now refuses to send requests containing an invalid Request.Host or Request.URL.Host value.

https://groups.google.com/g/golang-announce/c/2q13H6LEEx0
https://go.dev/cl/506996
https://pkg.go.dev/vuln/GO-2023-1878
https://go.dev/issue/60374
Comment 4 Avinash Hanwate 2023-07-21 06:33:30 UTC 
Created golang tracking bugs for this issue:

Affects: epel-all [bug 2224490]
Affects: fedora-all [bug 2224491]