As announced by Go upstream on 2019-09-25: net/http (through net/textproto) used to accept and normalize invalid HTTP/1.1 headers with a space before the colon, in violation of RFC 7230. If a Go server is used behind an uncommon reverse proxy that accepts and forwards but doesn't normalize such invalid headers, the reverse proxy and the server can interpret the headers differently. This can lead to filter bypasses or request smuggling, the latter if requests from separate clients are multiplexed onto the same upstream connection by the proxy. Such invalid headers are now rejected by Go servers, and passed without normalization to Go client applications. Reference: https://github.com/golang/go/issues/34540
Created golang tracking bugs for this issue: Affects: epel-all [bug 1755971] Affects: fedora-all [bug 1755970]
External References: https://groups.google.com/forum/#!msg/golang-announce/cszieYyuL9Q/g4Z7pKaqAgAJ
Upstream fix: https://github.com/golang/go/commit/41b1f88efab9d263408448bf139659119002ea50 [master branch] https://github.com/golang/go/commit/6e6f4aaf70c8b1cc81e65a26332aa9409de03ad8 [release-branch.go1.12 branch] https://github.com/golang/go/commit/5a6ab1ec3e678640befebeb3318b746a64ad986c [release-branch.go1.13 branch]
Function ReadMIMEHeader() in src/net/textproto/reader.go was trying to parse headers where the colon between the key and the value is preceded by trailing whitespace, trying to be more flexible. However, this could be abused in some particular settings to smuggle HTTP requests, so the patch makes the parsing less flexible, in favor of more consistent behavior.
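As an added example (not code from the bug report or from the Go project), the following Go program checks the server-side behavior described in the comments above: it sends a raw HTTP/1.1 request containing a header line verbatim (bypassing the Go client, which would canonicalize it) to a stock net/http server and returns the status code. With the fix, "X-Probe : 1" (space before the colon) is answered with 400 while the valid "X-Probe: 1" is served normally; the header name and host are constructed for the demo.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
)

// probeHeaderLine starts a stock net/http server, writes one raw request
// that embeds headerLine unchanged, and returns the status code the server
// answered with. A fixed Go server rejects a key with a trailing space
// before readRequest ever reaches the handler.
func probeHeaderLine(headerLine string) (int, error) {
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK) // only reached for well-formed requests
	}))
	defer srv.Close()

	conn, err := net.Dial("tcp", srv.Listener.Addr().String())
	if err != nil {
		return 0, err
	}
	defer conn.Close()

	// Raw request bytes; the Go client is deliberately not used because it
	// would normalize the header before it reaches the wire.
	raw := "GET / HTTP/1.1\r\nHost: example.test\r\n" + headerLine + "\r\nConnection: close\r\n\r\n"
	if _, err := conn.Write([]byte(raw)); err != nil {
		return 0, err
	}
	resp, err := http.ReadResponse(bufio.NewReader(conn), nil)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

func main() {
	// Constructed header lines: one valid, one with the space before the colon.
	for _, line := range []string{"X-Probe: 1", "X-Probe : 1"} {
		code, err := probeHeaderLine(line)
		fmt.Printf("%q -> status %d (err: %v)\n", line, code, err)
	}
}
```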
This issue has been addressed in the following products: Red Hat Developer Tools Via RHSA-2020:0101 https://access.redhat.com/errata/RHSA-2020:0101
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-16276
Statement:
* This issue affects the versions of golang as shipped with Red Hat Enterprise Linux 7; however, it was deprecated in Red Hat Enterprise Linux 7.6 and does not receive updates anymore. Developers are encouraged to use the Go Toolset instead, which is available through the Red Hat Developer program. See https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.6_release_notes/chap-red_hat_enterprise_linux-7.6_release_notes-other_deprecated_functionality#idm140555585405248.
* The version of golang provided in Red Hat Gluster Storage 3, Red Hat Ceph Storage 2 and Red Hat Ceph Storage 3 allows filter bypasses or request smuggling and contains the vulnerable code, and is hence affected by this vulnerability.
* In OpenShift Container Platform, all packages and container images that are built with a vulnerable version of Go and use the net/http package are affected by this flaw.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:0329 https://access.redhat.com/errata/RHSA-2020:0329
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.2 Via RHSA-2020:0652 https://access.redhat.com/errata/RHSA-2020:0652