Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 556784 (CVE-2015-5739) - <dev-lang/go-1.6-r2: net/http library - HTTP smuggling (CVE-2015-{5739,5740,5741})
Summary: <dev-lang/go-1.6-r2: net/http library - HTTP smuggling (CVE-2015-{5739,5740,5...
Status: RESOLVED FIXED
Alias: CVE-2015-5739
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-08-05 21:33 UTC by Mikle Kolyada
Modified: 2016-06-30 13:12 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2015-08-05 21:33:10 UTC
from ${URL}:

Hello OSS Security Community,

The Go open source project has received notification of an HTTP request
smuggling vulnerability in the net/http library (
http://golang.org/pkg/net/http/). The vulnerability was identified in the
1.4.2 release version (http://golang.org/dl) and in the 1.5 release branch.

Patches have already been applied to the 1.5 release branch, and will be
ported to the 1.4.2 release branch. We will then create a 1.4.3 release.

We are requesting a CVE ID in order to coordinate updates with
distributions that include binary packages for the Go programming language.
We will also announce and request that all Go programs using the net/http
package that were compiled with version 1.4.2 or earlier be recompiled with
1.4.3 or 1.5 (when released) due to the static linking nature of the Go
toolchain.

Please let me know if you need additional information.

Regards,
Jason Buberel
Product Manager, Go
Google, Inc.
Comment 1 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2015-08-07 10:31:12 UTC
Upstream has released fixed release.
Comment 2 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2015-08-07 10:35:29 UTC
(In reply to Mikle Kolyada from comment #1)
> Upstream has released fixed release.

nvmd, i was wrong
Comment 3 William Hubbs gentoo-dev 2015-08-21 16:32:01 UTC
ll,

go-1.5 is now in the tree; let me know what I need to do.

Thanks,

William
Comment 4 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2015-08-21 22:12:56 UTC
(In reply to William Hubbs from comment #3)
> ll,
> 
> go-1.5 is now in the tree; let me know what I need to do.
> 
> Thanks,
> 
> William

it seems to be fixed in 1.5
Comment 5 Nick Owens 2015-11-12 23:26:02 UTC
shouldn't dev-lang/go and dev-lang/go-bootstrap be updated for this?
Comment 6 William Hubbs gentoo-dev 2016-01-15 19:30:15 UTC
dev-lang/go is updated to 1.5.3 and dev-lang/go-bootstrap is 1.4.3.
Comment 7 William Hubbs gentoo-dev 2016-04-02 18:38:21 UTC
All affected versions of dev-lang/go have been removed from the tree.
Comment 8 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-06-30 13:12:02 UTC
GLSA Vote: No