Comment 1 GLSAMaker/CVETool Bot 2016-07-20 12:47:29 UTC

CVE-2016-5386 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5386):
  The net/http package in Go through 1.6 does not attempt to address RFC 3875
  section 4.1.18 namespace conflicts and therefore does not protect CGI
  applications from the presence of untrusted client data in the HTTP_PROXY
  environment variable, which might allow remote attackers to redirect a CGI
  application's outbound HTTP traffic to an arbitrary proxy server via a
  crafted Proxy header in an HTTP request, aka an "httpoxy" issue.

Comment 2 Aaron Bauman (RETIRED) 2016-07-20 13:28:32 UTC

Upstream patch:

https://github.com/golang/go/commit/cad4e97af8f2e0b9f09b97f67fb3a89ced2e9021

Comment 3 William Hubbs 2016-07-20 13:29:41 UTC

It looks like go1.6.3 fixes this, but we are close to a go 1.7 release
as well.

@security:
Do you want me to bump 1.6.3 or wait for 1.7? Also, will this be a fast
stable?

Comment 4 William Hubbs 2016-07-20 14:01:22 UTC

Go-1.6.3 is in the tree, marked ~arch for now. let me know if we should
fast stable.

Comment 5 Aaron Bauman (RETIRED) 2016-07-20 14:12:46 UTC

@arches, please stabilize:

=dev-lang/go-1.6.3

Comment 6 William Hubbs 2016-07-20 14:21:52 UTC

amd64 done.

Comment 7 Markus Meier 2016-07-24 18:40:54 UTC

arm stable

Comment 8 Agostino Sarubbo 2016-07-28 15:23:53 UTC

x86 stable.

Maintainer(s), please cleanup.
Security, please vote.

Comment 9 William Hubbs 2016-07-28 16:00:43 UTC

Cleanup is completed.

Comment 10 Aaron Bauman (RETIRED) 2016-07-29 07:38:54 UTC

GLSA Vote: No