net/http: security fixes for 1.4.3 #12741

broady · 2015-09-24T18:23:46Z

CVE-2015-5739
"Content Length" treated as valid header:
https://go-review.googlesource.com/#/c/11772/

CVE-2015-5740
Double content-length headers does not return 400 error:
https://go-review.googlesource.com/#/c/11810/

CVE-2015-5741
Additional hardening, not sending Content-Length w/Transfer-Encoding,
Closing connections:
https://go-review.googlesource.com/#/c/11810/
https://go-review.googlesource.com/#/c/12865/
https://go-review.googlesource.com/#/c/13148/

The Go team would like to thank Jed Denlea and Régis Leroy for their contributions to this release. They have been awarded 1337 USD under the Google Security Bounty program.

broady · 2015-09-24T18:24:42Z

https://go-review.googlesource.com/#/c/14802/
https://go-review.googlesource.com/#/c/14250/
https://go-review.googlesource.com/#/c/14249/

broady closed this Sep 24, 2015

ianlancetaylor added this to the Go1.4.3 milestone Sep 24, 2015

golang locked and limited conversation to collaborators Sep 24, 2016

gopherbot added the FrozenDueToAge label Sep 24, 2016

dvyukov added the Security label May 15, 2019

golang / go

net/http: security fixes for 1.4.3 #12741

net/http: security fixes for 1.4.3 #12741

broady commented Sep 24, 2015

This comment has been minimized.

broady commented Sep 24, 2015

golang / go

Join GitHub today

net/http: security fixes for 1.4.3 #12741

net/http: security fixes for 1.4.3 #12741

Comments

broady commented Sep 24, 2015

This comment has been minimized.

broady commented Sep 24, 2015