An issue was discovered in net/http in Go 1.11.5. CRLF injection is possible if the attacker controls a URL parameter, as demonstrated by the second argument to http.NewRequest with \r\n followed by an HTTP header or a Redis command.
Reference: https://github.com/golang/go/issues/30794
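A caller-side guard for the condition described above, added here as an example; it is not code from the Go project or from this tracker. The helper names NewCheckedRequest and WithQueryParam and the example.test host are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
)

var ErrControlChar = errors.New("control character in request target")

// containsCTL reports whether s holds an ASCII control byte (0x00-0x1f, 0x7f), CR and LF included.
func containsCTL(s string) bool {
	for i := 0; i < len(s); i++ {
		if s[i] < 0x20 || s[i] == 0x7f {
			return true
		}
	}
	return false
}

// NewCheckedRequest (hypothetical helper) rejects raw control bytes before calling http.NewRequest.
func NewCheckedRequest(method, target string) (*http.Request, error) {
	if containsCTL(target) {
		return nil, ErrControlChar
	}
	return http.NewRequest(method, target, nil)
}

// WithQueryParam (hypothetical helper) adds an untrusted value via url.Values, so CR/LF become %0D%0A.
func WithQueryParam(base, key, value string) (string, error) {
	u, err := url.Parse(base)
	if err != nil {
		return "", err
	}
	q := u.Query()
	q.Set(key, value)
	u.RawQuery = q.Encode()
	return u.String(), nil
}

func main() {
	// Constructed sample: untrusted text carrying CRLF and a header line.
	untrusted := "x\r\nX-Injected: 1"
	_, err := NewCheckedRequest("GET", "http://example.test/?q="+untrusted)
	fmt.Println("concatenated:", err)
	safe, _ := WithQueryParam("http://example.test/search", "q", untrusted)
	fmt.Println("encoded:", safe)
}
```

The first call shows string concatenation being refused; the second shows the same value passed through url.Values, where the request target carries only the percent-encoded form.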
Created golang tracking bugs for this issue: Affects: fedora-all [bug 1688233]
Created golang tracking bugs for this issue: Affects: epel-all [bug 1688234]
Upstream fixes for Go 1.12.1:
https://github.com/golang/go/commit/829c5df58694b3345cb5ea41206783c8ccf5c3ca#diff-b97af51863ce82bf2a13003b52034aa9
https://github.com/golang/go/commit/f1d662f34788f4a5f087581d0951cdf4e0f6e708#diff-b97af51863ce82bf2a13003b52034aa9
Statement: This issue affects the versions of golang as shipped with Red Hat Ceph Storage 2 and 3, and Red Hat Gluster Storage 3 as the vulnerable code is present.
This issue has been addressed in the following products: Red Hat Developer Tools Via RHSA-2019:1300 https://access.redhat.com/errata/RHSA-2019:1300
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:1519 https://access.redhat.com/errata/RHSA-2019:1519
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-9741