Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 732578 (CVE-2020-15586)

Summary: <dev-lang/go-{1.13.13,1.14.5}: Possible denial of service in net/http (CVE-2020-15586)
Product: Gentoo Security Reporter: Sam James <sam>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: williamh
Priority: Normal Flags: nattka: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://groups.google.com/forum/?utm_medium=email&utm_source=footer#!msg/golang-announce/XZNfaiwgt2w/E6gHDs32AQAJ
Whiteboard: B3 [noglsa cve]
Package list:
dev-lang/go-1.13.13 dev-lang/go-1.14.5
Runtime testing required: ---

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-14 16:47:06 UTC
Description:
"Servers where the Handler concurrently reads the request body and writes a response can encounter a data race and crash. The httputil.ReverseProxy Handler is affected. Thanks to Mikael Manukyan, Andrew Kutz, Dave McClure, Tim Downey, Clay Kauzlaric, and Gabe Rosenhouse for reporting this issue. This issue is CVE-2020-15586 and Go issue golang.org/issue/34902."

Advisory: https://groups.google.com/forum/?utm_medium=email&utm_source=footer#!msg/golang-announce/XZNfaiwgt2w/E6gHDs32AQAJ
Bug: https://golang.org/issue/34902
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-14 16:48:28 UTC
Please bump to 1.13.13 and 1.14.5.
Comment 2 Larry the Git Cow gentoo-dev 2020-07-16 17:55:07 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c7da07357a302bb0788227bdc731f3f9c37c8210

commit c7da07357a302bb0788227bdc731f3f9c37c8210
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2020-07-16 17:51:20 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2020-07-16 17:52:28 +0000

    dev-lang/go: 1.14.5 security bump
    
    Bug: https://bugs.gentoo.org/732578
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 dev-lang/go/Manifest         |   1 +
 dev-lang/go/go-1.14.5.ebuild | 188 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 189 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=877762541cc1f69c72706628a57c7dc067fabd03

commit 877762541cc1f69c72706628a57c7dc067fabd03
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2020-07-16 17:44:25 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2020-07-16 17:52:27 +0000

    dev-lang/go: 1.13.13 security bump
    
    Bug: https://bugs.gentoo.org/732578
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 dev-lang/go/Manifest          |   1 +
 dev-lang/go/go-1.13.13.ebuild | 197 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 198 insertions(+)
Comment 3 William Hubbs gentoo-dev 2020-07-16 18:10:00 UTC
arm, arm64 and ppc64:

Please stabilize. I have stabilized amd64 and x86.

Thanks,

William
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-17 01:04:18 UTC
arm64 stable
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-17 02:02:04 UTC
ppc64 stable
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-17 10:28:22 UTC
arm stable

----
Please cleanup.
Comment 7 Larry the Git Cow gentoo-dev 2020-07-17 14:27:35 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8e442aee5d9239660855cd11ba4bb87631978f5e

commit 8e442aee5d9239660855cd11ba4bb87631978f5e
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2020-07-17 14:22:49 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2020-07-17 14:22:49 +0000

    dev-lang/go: security cleanup
    
    Bug: https://bugs.gentoo.org/732578
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 dev-lang/go/Manifest          |   4 -
 dev-lang/go/go-1.13.10.ebuild | 197 ------------------------------------------
 dev-lang/go/go-1.13.12.ebuild | 197 ------------------------------------------
 dev-lang/go/go-1.14.2.ebuild  | 188 ----------------------------------------
 dev-lang/go/go-1.14.4.ebuild  | 188 ----------------------------------------
 5 files changed, 774 deletions(-)
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-26 05:33:38 UTC
GLSA vote: no!

Closing.