Bug 732578 (CVE-2020-15586)

Summary:	<dev-lang/go-{1.13.13,1.14.5}: Possible denial of service in net/http (CVE-2020-15586)
Product:	Gentoo Security	Reporter:	Sam James <sam>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	CC:	williamh
Priority:	Normal	Flags:	nattka: sanity-check+
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://groups.google.com/forum/?utm_medium=email&utm_source=footer#!msg/golang-announce/XZNfaiwgt2w/E6gHDs32AQAJ
Whiteboard:	B3 [noglsa cve]
Package list:	dev-lang/go-1.13.13 dev-lang/go-1.14.5	Runtime testing required:	---

Description Sam James archtester

2020-07-14 16:47:06 UTC

Description:
"Servers where the Handler concurrently reads the request body and writes a response can encounter a data race and crash. The httputil.ReverseProxy Handler is affected. Thanks to Mikael Manukyan, Andrew Kutz, Dave McClure, Tim Downey, Clay Kauzlaric, and Gabe Rosenhouse for reporting this issue. This issue is CVE-2020-15586 and Go issue golang.org/issue/34902."

Advisory: https://groups.google.com/forum/?utm_medium=email&utm_source=footer#!msg/golang-announce/XZNfaiwgt2w/E6gHDs32AQAJ
Bug: https://golang.org/issue/34902

Comment 1 Sam James archtester

2020-07-14 16:48:28 UTC

Please bump to 1.13.13 and 1.14.5.

Comment 2 Larry the Git Cow gentoo-dev

2020-07-16 17:55:07 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c7da07357a302bb0788227bdc731f3f9c37c8210

commit c7da07357a302bb0788227bdc731f3f9c37c8210
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2020-07-16 17:51:20 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2020-07-16 17:52:28 +0000

    dev-lang/go: 1.14.5 security bump
    
    Bug: https://bugs.gentoo.org/732578
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 dev-lang/go/Manifest         |   1 +
 dev-lang/go/go-1.14.5.ebuild | 188 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 189 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=877762541cc1f69c72706628a57c7dc067fabd03

commit 877762541cc1f69c72706628a57c7dc067fabd03
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2020-07-16 17:44:25 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2020-07-16 17:52:27 +0000

    dev-lang/go: 1.13.13 security bump
    
    Bug: https://bugs.gentoo.org/732578
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 dev-lang/go/Manifest          |   1 +
 dev-lang/go/go-1.13.13.ebuild | 197 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 198 insertions(+)

Comment 3 William Hubbs gentoo-dev

2020-07-16 18:10:00 UTC

arm, arm64 and ppc64:

Please stabilize. I have stabilized amd64 and x86.

Thanks,

William

Comment 4 Sam James archtester

2020-07-17 01:04:18 UTC

arm64 stable

Comment 5 Sam James archtester

2020-07-17 02:02:04 UTC

ppc64 stable

Comment 6 Sam James archtester

2020-07-17 10:28:22 UTC

arm stable

----
Please cleanup.

Comment 7 Larry the Git Cow gentoo-dev

2020-07-17 14:27:35 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8e442aee5d9239660855cd11ba4bb87631978f5e

commit 8e442aee5d9239660855cd11ba4bb87631978f5e
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2020-07-17 14:22:49 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2020-07-17 14:22:49 +0000

    dev-lang/go: security cleanup
    
    Bug: https://bugs.gentoo.org/732578
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 dev-lang/go/Manifest          |   4 -
 dev-lang/go/go-1.13.10.ebuild | 197 ------------------------------------------
 dev-lang/go/go-1.13.12.ebuild | 197 ------------------------------------------
 dev-lang/go/go-1.14.2.ebuild  | 188 ----------------------------------------
 dev-lang/go/go-1.14.4.ebuild  | 188 ----------------------------------------
 5 files changed, 774 deletions(-)

Comment 8 Sam James archtester

2020-07-26 05:33:38 UTC

GLSA vote: no!

Closing.