Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 680240 (CVE-2019-9741)

Summary: <dev-lang/go-1.12.1: CRLF injection vulnerability
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: williamh
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1688230
Whiteboard: B4 [noglsa cve]
Package list:
dev-lang/go-1.12.1
 Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2019-03-13 13:48:32 UTC 
From ${URL} :

An issue was discovered in net/http in Go 1.11.5. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the 
second argument to http.NewRequest with \r\n followed by an HTTP header or a Redis command.

Reference:
https://github.com/golang/go/issues/30794



@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
Comment 1 William Hubbs gentoo-dev 2019-03-17 21:11:59 UTC 
Arch teams, please stabilize dev-lang/go-1.12.1.
I will handle amd64.

Thanks,

William
Comment 2 Larry the Git Cow gentoo-dev 2019-03-17 21:31:00 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=09d8a22411e33d1ea7e44df9aa118994c92f2c39

commit 09d8a22411e33d1ea7e44df9aa118994c92f2c39
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2019-03-17 21:24:53 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2019-03-17 21:29:29 +0000

    dev-lang/go: stable 1.12.1 on amd64
    
    Bug: https://bugs.gentoo.org/680240
    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 dev-lang/go/go-1.12.1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 3 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-03-20 11:33:55 UTC 
arm stable
Comment 4 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-03-20 11:35:27 UTC 
(In reply to Mikle Kolyada from comment #3)
> arm stable

hmm no, this says a package list is empty
Comment 5 Markus Meier gentoo-dev 2019-03-20 17:03:29 UTC 
arm stable
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2019-03-27 23:21:15 UTC 
x86 stable
Comment 7 Aaron Bauman (RETIRED) gentoo-dev 2019-03-27 23:32:24 UTC 
@maintainer, please drop vulnerable.
Comment 8 Thomas Deutschmann (RETIRED) gentoo-dev 2019-03-27 23:46:09 UTC 
x86 stable
Comment 9 Yury German Gentoo Infrastructure gentoo-dev 2019-03-28 03:41:56 UTC 
Maintainer(s), please drop the vulnerable version(s).
Version: 1.11.5
Comment 10 Larry the Git Cow gentoo-dev 2019-03-31 19:13:12 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4e983932e78749663d33aa91cfd0f95491552ab5

commit 4e983932e78749663d33aa91cfd0f95491552ab5
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2019-03-31 19:11:20 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2019-03-31 19:12:49 +0000

    dev-lang/go: remove vulnerable version 1.11.5
    
    Bug: https://bugs.gentoo.org/680240
    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 dev-lang/go/Manifest         |   1 -
 dev-lang/go/go-1.11.5.ebuild | 236 -------------------------------------------
 2 files changed, 237 deletions(-)
Comment 11 Yury German Gentoo Infrastructure gentoo-dev 2019-04-02 06:33:11 UTC 
Arches and Maintainer(s), Thank you for your work.