The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail. An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.
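As an added illustration (not code from this bug report or from the Go project), a defensive workaround for a ReverseProxy deployment that cannot yet pick up the fixed golang build: the proxy removes "Expect: 100-continue" before forwarding, so its Transport sends the body immediately and never waits for an interim response, and it counts the events so a burst of such requests shows up in metrics. The backend URL, the function names and the DisableKeepAlives alternative are assumptions; the real fix remains the errata listed on this bug.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"strings"
	"sync/atomic"
	"time"
)

// expectContinueSeen counts forwarded requests that arrived with
// "Expect: 100-continue"; export it to metrics to detect a burst of them.
var expectContinueSeen atomic.Int64

// dropExpectContinue removes an "Expect: 100-continue" header from the
// outgoing request headers. Without it the proxy's Transport does not wait
// for a 100 interim response, which is the client path the CVE concerns.
// Other Expect values are left alone so the backend can answer them (417).
// Returns true when a header was removed.
func dropExpectContinue(h http.Header) bool {
	v := strings.TrimSpace(h.Get("Expect"))
	if !strings.EqualFold(v, "100-continue") {
		return false
	}
	h.Del("Expect")
	expectContinueSeen.Add(1)
	return true
}

// newProxy builds a ReverseProxy for backend (assumed URL) that applies the
// workaround in its Rewrite hook and logs each stripped header.
func newProxy(backend *url.URL) *httputil.ReverseProxy {
	return &httputil.ReverseProxy{
		Rewrite: func(pr *httputil.ProxyRequest) {
			pr.SetURL(backend)
			pr.SetXForwarded()
			if dropExpectContinue(pr.Out.Header) {
				log.Printf("stripped Expect: 100-continue from %s %s (client %s)",
					pr.In.Method, pr.In.URL.Path, pr.In.RemoteAddr)
			}
		},
		// Coarser alternative: set DisableKeepAlives to true so a backend
		// connection left in a bad state is never reused by a later request.
		Transport: &http.Transport{
			DisableKeepAlives:     false,
			ExpectContinueTimeout: time.Second,
		},
	}
}
```

Serve the result with http.ListenAndServe and the proxy address of your choice; the counter is the detection signal, the log line gives the offending client.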
Created golang tracking bugs for this issue: Affects: fedora-all [bug 2297318]
There is something wrong with this CVE tracker bug.

The CVE is in Go's standard net/http package, which is part of the golang RPM. However, I don't see any mention of golang here. I also don't see any mention of prominent RPMs that use Go and might need to be rebuilt against a golang where the CVE is fixed, e.g., podman and toolbox. However, I do know about the existence of two toolbox Jira issues that were filed for this CVE:
https://issues.redhat.com/browse/RHEL-47194
https://issues.redhat.com/browse/RHEL-47199

So, it seems like something went wrong where this tracker bug doesn't depend on all the corresponding child issues and bugs. This isn't just an academic problem, because I use this metadata to figure out the corresponding golang issues to know when the CVE would get fixed in golang, so that builds can be done against it.
(In reply to Debarshi Ray from comment #12)
> There is something wrong with this CVE tracker bug.
>
> The CVE is in Go's standard net/http package, which is part of the golang
> RPM. However, I don't see any mention of golang here. I also don't see any
> mention of prominent RPMs that use Go and might need to be rebuilt against a
> golang where the CVE is fixed, e.g., podman and toolbox. However, I do
> know about the existence of two toolbox Jira issues that were filed for this
> CVE:
> https://issues.redhat.com/browse/RHEL-47194
> https://issues.redhat.com/browse/RHEL-47199

I did some digging, and the corresponding golang bugs are:
https://issues.redhat.com/browse/RHEL-47200
https://issues.redhat.com/browse/RHEL-47161
This issue has been addressed in the following products: Cryostat 3 on RHEL 8 Via RHSA-2024:5537 https://access.redhat.com/errata/RHSA-2024:5537
This issue has been addressed in the following products: Cost Management for RHEL 8 Via RHSA-2024:6462 https://access.redhat.com/errata/RHSA-2024:6462
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.2 Extended Update Support Via RHSA-2024:6914 https://access.redhat.com/errata/RHSA-2024:6914
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:6908 https://access.redhat.com/errata/RHSA-2024:6908
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:6913 https://access.redhat.com/errata/RHSA-2024:6913
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.8 Extended Update Support Via RHSA-2024:6912 https://access.redhat.com/errata/RHSA-2024:6912
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:6969 https://access.redhat.com/errata/RHSA-2024:6969
This issue has been addressed in the following products: NETWORK-OBSERVABILITY-1.6.0-RHEL-9 Via RHSA-2024:7074 https://access.redhat.com/errata/RHSA-2024:7074
This issue has been addressed in the following products: OpenShift Custom Metrics Autoscaler 2 Via RHSA-2024:7348 https://access.redhat.com/errata/RHSA-2024:7348
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:7349 https://access.redhat.com/errata/RHSA-2024:7349
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.17 Via RHSA-2024:7922 https://access.redhat.com/errata/RHSA-2024:7922
This issue has been addressed in the following products: KDO-5.1-RHEL-9 Via RHSA-2024:6341 https://access.redhat.com/errata/RHSA-2024:6341
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.16 Via RHSA-2024:8260 https://access.redhat.com/errata/RHSA-2024:8260
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.15 Via RHSA-2024:8425 https://access.redhat.com/errata/RHSA-2024:8425
Redirecting needinfo from comment#12.
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.13 Via RHSA-2024:8688 https://access.redhat.com/errata/RHSA-2024:8688
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.12 Via RHSA-2024:8692 https://access.redhat.com/errata/RHSA-2024:8692
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.14 Via RHSA-2024:8697 https://access.redhat.com/errata/RHSA-2024:8697
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:9089 https://access.redhat.com/errata/RHSA-2024:9089
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:9097 https://access.redhat.com/errata/RHSA-2024:9097
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:9098 https://access.redhat.com/errata/RHSA-2024:9098
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:9102 https://access.redhat.com/errata/RHSA-2024:9102
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:9115 https://access.redhat.com/errata/RHSA-2024:9115
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:9135 https://access.redhat.com/errata/RHSA-2024:9135
This issue has been addressed in the following products: OSSO-1.2-RHEL-9 Via RHSA-2024:8219 https://access.redhat.com/errata/RHSA-2024:8219
This issue has been addressed in the following products: OADP-1.3-RHEL-9 Via RHSA-2024:9960 https://access.redhat.com/errata/RHSA-2024:9960
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Extended Lifecycle Support Via RHSA-2024:10133 https://access.redhat.com/errata/RHSA-2024:10133
This issue has been addressed in the following products: RHEL-9-CNV-4.13 Via RHSA-2024:10389 https://access.redhat.com/errata/RHSA-2024:10389
This issue has been addressed in the following products: RHEL-8-CNV-4.12 Via RHSA-2024:10758 https://access.redhat.com/errata/RHSA-2024:10758
This issue has been addressed in the following products: Red Hat Migration Toolkit for Containers 1.8 Via RHSA-2024:10906 https://access.redhat.com/errata/RHSA-2024:10906
This issue has been addressed in the following products: RHODF-4.16-RHEL-9 Via RHSA-2025:0082 https://access.redhat.com/errata/RHSA-2025:0082
This issue has been addressed in the following products: Streams for Apache Kafka 2.9.0 Via RHSA-2025:2416 https://access.redhat.com/errata/RHSA-2025:2416
This issue has been addressed in the following products: RHEL-9-CNV-4.16 Via RHSA-2025:3973 https://access.redhat.com/errata/RHSA-2025:3973
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2025:7256 https://access.redhat.com/errata/RHSA-2025:7256