Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update to Go 1.12.10 and 1.13.1 (CVE-2019-16276) #6406

Closed
anthonyfok opened this issue Oct 9, 2019 · 0 comments · Fixed by #6407
Milestone

Comments

@anthonyfok
Copy link
Contributor

@anthonyfok anthonyfok commented Oct 9, 2019

[security] Go 1.13.1 and Go 1.12.10 are released
https://groups.google.com/forum/#!msg/golang-announce/cszieYyuL9Q/g4Z7pKaqAgAJ

Hi gophers,

We have just released Go 1.13.1 and Go 1.12.10 to address a recently reported security issue. We recommend that all affected users update to one of these releases (if you’re not sure which, choose Go 1.13.1).

net/http (through net/textproto) used to accept and normalize invalid HTTP/1.1 headers with a space before the colon, in violation of RFC 7230. If a Go server is used behind an uncommon reverse proxy that accepts and forwards but doesn't normalize such invalid headers, the reverse proxy and the server can interpret the headers differently. This can lead to filter bypasses or request smuggling, the latter if requests from separate clients are multiplexed onto the same upstream connection by the proxy. Such invalid headers are now rejected by Go servers, and passed without normalization to Go client applications.

The issue is CVE-2019-16276 and Go issue golang.org/issue/34540.

Thanks to Andrew Stucki, Adam Scarr (99designs.com), and Jan Masarik (masarik.sh) for discovering and reporting this issue.

Downloads are available at https://golang.org/dl for all supported platforms.

Alla prossima,
Filippo on behalf of the Go team

@bep I noticed that you upgraded the bepsays/ci-goreleaser image too last time when you updated Go, so I thought I'd better let you do the Go version update instead of me blindly changing .travis.yml. Many thanks!

@anthonyfok anthonyfok added this to the v0.59 milestone Oct 9, 2019
@anthonyfok anthonyfok changed the title Update to Go 1.12.10 and Go 1.13.1 (CVE-2019-16276) Update to Go 1.12.10 and 1.13.1 (CVE-2019-16276) Oct 9, 2019
bep added a commit to bep/hugo that referenced this issue Oct 9, 2019
@bep bep closed this in #6407 Oct 10, 2019
bep added a commit that referenced this issue Oct 10, 2019
Fixes #6406
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
1 participant
You can’t perform that action at this time.