Bug 1250352 - (CVE-2015-5739, CVE-2015-5740, CVE-2015-5741) CVE-2015-5739 CVE-2015-5740 CVE-2015-5741 golang: HTTP request smuggling in net/http library
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: medium Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20150729,repor...
Keywords: Security
Depends On: 1250353 1250374 1327920 1327921 1337410
Blocks: 1250364 1323912
Reported: 2015-08-05 04:38 EDT by Adam Mariš
Modified: 2016-12-05 11:02 EST
Fixed In Version: golang 1.4.3, golang 1.5
Doc Type: Bug Fix
Doc Text:
HTTP-request vulnerabilities have been found in the Golang net/http and net/textproto libraries. Request headers with double Content-Length fields do not generate a 400 error (the second field is ignored), and invalid fields are parsed as valid (for example, "Content Length:" with a space in the middle is accepted). A non-authenticated attacker could exploit these flaws to bypass security controls, perform web-cache poisoning, or alter the request/response map (denial of service).
Last Closed: 2016-12-05 11:02:43 EST
Description Adam Mariš 2015-08-05 04:38:44 EDT
Potentially exploitable flaws have been found in the Golang net/http library, affecting versions 1.4.2 and 1.5.

Problems:
* Double Content-length headers in a request do not generate a 400 error; the second Content-length is ignored.
* Invalid headers are parsed as valid headers (like "Content Length:" with a space in the middle).

Exploitations:
In a situation where the net/http agent's HTTP communication with the final
HTTP clients goes through some reverse proxy (reverse proxy cache, SSL
terminators, etc.), requests can be made that exploit the net/http HTTP
protocol violations.

An attacker could possibly:
* bypass security controls on these previous elements
* perform some cache poisoning on these elements
* alter the request/response map on these previous elements (for DOS)

CVE request:
http://seclists.org/oss-sec/2015/q3/237

Upstream patches:
https://github.com/golang/go/commit/117ddcb83d7f42d6aa72241240af99ded81118e9
https://github.com/golang/go/commit/300d9a21583e7cf0149a778a0611e76ff7c6680f
https://github.com/golang/go/commit/143822585e32449860e624cace9d2e521deee62e
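
As an added illustration of the two problems listed in the description (this is not code from the bug report or from the upstream Go patches), the Go program below applies the strict behaviour the description calls for: a 400 for a repeated Content-Length and for a header field name that is not a valid RFC 7230 token, such as "Content Length". The names isToken and checkHead are made up for this example, the sample request heads are constructed, and rejecting every repeated Content-Length is the policy assumed here.

```go
package main

import (
	"fmt"
	"strings"
)

// isToken reports whether s is a valid header field name (RFC 7230 "token").
func isToken(s string) bool {
	for i := 0; i < len(s); i++ {
		c := s[i]
		alnum := c >= 'a' && c <= 'z' || c >= 'A' && c <= 'Z' || c >= '0' && c <= '9'
		if !alnum && strings.IndexByte("!#$%&'*+-.^_`|~", c) < 0 {
			return false
		}
	}
	return s != ""
}

// checkHead returns the status a strict server would answer for a raw request
// head: 400 on an invalid field name or a repeated Content-Length, else 200.
func checkHead(head string) (int, string) {
	lines := strings.Split(strings.TrimRight(head, "\r\n"), "\r\n")
	seenCL := false
	for _, line := range lines[1:] { // lines[0] is the request line
		i := strings.IndexByte(line, ':')
		if i < 0 || !isToken(line[:i]) {
			return 400, fmt.Sprintf("invalid header line %q", line)
		}
		if strings.EqualFold(line[:i], "Content-Length") {
			if seenCL {
				return 400, "repeated Content-Length"
			}
			seenCL = true
		}
	}
	return 200, ""
}

func main() {
	// Constructed sample request heads, not taken from the bug report.
	samples := []string{
		"POST /a HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\n",
		"POST /a HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\nContent-Length: 0\r\n\r\n",
		"POST /a HTTP/1.1\r\nHost: example.test\r\nContent Length: 5\r\n\r\n",
	}
	for _, s := range samples {
		code, why := checkHead(s)
		fmt.Println(code, why)
	}
}
```

A front-end proxy and a back-end that both apply the same strict rule cannot disagree about where a request body ends, which is the disagreement the exploitation section depends on.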
Comment 1 Adam Mariš 2015-08-05 04:39:24 EDT
Created golang tracking bugs for this issue:

Affects: fedora-all [bug 1250353]
Comment 2 Adam Mariš 2015-08-05 05:03:59 EDT
Created golang tracking bugs for this issue:

Affects: epel-6 [bug 1250374]
Comment 3 Vincent Batts 2015-08-05 17:10:18 EDT
Is https://github.com/golang/go/commit/26049f6f9171d1190f3bbe05ec304845cfe6399f also to be included?
Comment 5 Martin Prpic 2015-08-06 05:28:54 EDT
(In reply to Vincent Batts from comment #3)
> Is
> https://github.com/golang/go/commit/26049f6f9171d1190f3bbe05ec304845cfe6399f
> also to be included?

I requested one in http://seclists.org/oss-sec/2015/q3/299
Comment 6 Vincent Batts 2015-08-06 08:40:43 EDT
(In reply to Martin Prpic from comment #5)
> (In reply to Vincent Batts from comment #3)
> > Is
> > https://github.com/golang/go/commit/26049f6f9171d1190f3bbe05ec304845cfe6399f
> > also to be included?
> 
> I requested one in http://seclists.org/oss-sec/2015/q3/299

Thanks. This commit does not apply directly for go1.4.2 presently. I'm investigating that.
Comment 7 Fedora Update System 2015-08-18 01:21:45 EDT
golang-1.4.2-3.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2015-08-18 01:23:01 EDT
golang-1.4.2-3.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2015-10-01 14:50:56 EDT
golang-1.5.1-0.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2015-10-01 14:56:32 EDT
golang-1.5.1-0.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2015-10-01 16:22:56 EDT
golang-1.5.1-0.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
