Bug 806659 (CVE-2021-36221)

Summary:	<dev-lang/go-{1.15.15,1.16.7}: Denial of service in net/http/httputil ReverseProxy (CVE-2021-36221)
Product:	Gentoo Security	Reporter:	Sam James <sam>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	williamh
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:	B3 [glsa+]
Package list:	dev-lang/go-1.16.7	Runtime testing required:	---

Description Sam James archtester

2021-08-06 04:25:20 UTC

Description:
"A net/http/httputil ReverseProxy can panic due to a race condition if its
Handler aborts with ErrAbortHandler, for example due to an error in copying the
response body. An attacker might be able to force the conditions leading to the
race condition."

----
Please bump to 1.16.7 and 1.15.15.

Comment 1 Larry the Git Cow gentoo-dev

2021-08-09 23:04:49 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=687e101e3cec3dcb5b5c6fc06a54a886bc7abb5b

commit 687e101e3cec3dcb5b5c6fc06a54a886bc7abb5b
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2021-08-09 23:04:21 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2021-08-09 23:04:27 +0000

    dev-lang/go: stable 1.15.15 and 1.16.7 on amd64
    
    Bug: https://bugs.gentoo.org/806659
    Package-Manager: Portage-3.0.20, Repoman-3.0.2
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 dev-lang/go/go-1.15.15.ebuild | 2 +-
 dev-lang/go/go-1.16.7.ebuild  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6775114ea7a66b9503c26032d83f07b2718fb218

commit 6775114ea7a66b9503c26032d83f07b2718fb218
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2021-08-09 23:01:38 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2021-08-09 23:02:20 +0000

    dev-lang/go: 1.15.15 and 1.16.7 security bump
    
    Bug: https://bugs.gentoo.org/806659
    Package-Manager: Portage-3.0.20, Repoman-3.0.2
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 dev-lang/go/Manifest          |   2 +
 dev-lang/go/go-1.15.15.ebuild | 189 ++++++++++++++++++++++++++++++++++++++++
 dev-lang/go/go-1.16.7.ebuild  | 194 ++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 385 insertions(+)

Comment 2 Agostino Sarubbo gentoo-dev

2021-08-10 06:43:39 UTC

ppc64 stable

Comment 3 Agostino Sarubbo gentoo-dev

2021-08-11 06:44:11 UTC

x86 stable

Comment 4 NATTkA bot gentoo-dev

2021-08-20 19:00:24 UTC Comment hidden (obsolete)

Unable to check for sanity:

> no match for package: dev-lang/go-1.15.15

Comment 5 John Helmert III archtester

2021-08-21 15:03:04 UTC

I guess we can drop 1.15.x.

commit 8cccf5501d043102afb2036c7451337137e1be9a
Author: William Hubbs <williamh@gentoo.org>
Date:   Fri Aug 20 13:57:42 2021 -0500

    dev-lang/go: remove unsupported go 1.15.x

    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: William Hubbs <williamh@gentoo.org>

Comment 6 NATTkA bot gentoo-dev

2021-08-21 15:08:26 UTC Comment hidden (obsolete)

All sanity-check issues have been resolved

Comment 7 Sam James archtester

2021-08-23 05:30:56 UTC

arm done

Comment 8 Sam James archtester

2021-08-23 05:30:58 UTC

arm64 done

all arches done

Comment 9 Larry the Git Cow gentoo-dev

2021-08-23 05:35:16 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=162e233bb6af458f015d183b78b14a0d22910577

commit 162e233bb6af458f015d183b78b14a0d22910577
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2021-08-23 05:34:46 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2021-08-23 05:35:06 +0000

    dev-lang/go: remove 1.16.6
    
    Bug: https://bugs.gentoo.org/806659
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 dev-lang/go/Manifest         |   1 -
 dev-lang/go/go-1.16.6.ebuild | 194 -------------------------------------------
 2 files changed, 195 deletions(-)

Comment 10 NATTkA bot gentoo-dev

2021-09-01 18:56:26 UTC

Unable to check for sanity:

> no match for package: dev-lang/go-1.16.7

Comment 11 Larry the Git Cow gentoo-dev

2022-08-04 14:02:20 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=3cb3a96a3023359a20f60ec1f45f10c1fc4012ca

commit 3cb3a96a3023359a20f60ec1f45f10c1fc4012ca
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-04 13:53:02 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-04 13:59:34 +0000

    [ GLSA 202208-02 ] Go: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/754210
    Bug: https://bugs.gentoo.org/766216
    Bug: https://bugs.gentoo.org/775326
    Bug: https://bugs.gentoo.org/788640
    Bug: https://bugs.gentoo.org/794784
    Bug: https://bugs.gentoo.org/802054
    Bug: https://bugs.gentoo.org/806659
    Bug: https://bugs.gentoo.org/807049
    Bug: https://bugs.gentoo.org/816912
    Bug: https://bugs.gentoo.org/821859
    Bug: https://bugs.gentoo.org/828655
    Bug: https://bugs.gentoo.org/833156
    Bug: https://bugs.gentoo.org/834635
    Bug: https://bugs.gentoo.org/838130
    Bug: https://bugs.gentoo.org/843644
    Bug: https://bugs.gentoo.org/849290
    Bug: https://bugs.gentoo.org/857822
    Bug: https://bugs.gentoo.org/862822
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202208-02.xml | 101 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 101 insertions(+)

Comment 12 John Helmert III archtester

2022-08-04 14:13:37 UTC

GLSA released, all done!