Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 589230 (CVE-2016-5386) - <dev-lang/go-1.6.3: HTTPoxy (CVE-2016-5386)
Summary: <dev-lang/go-1.6.3: HTTPoxy (CVE-2016-5386)
Alias: CVE-2016-5386
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: B4 [noglsa cve]
Depends on:
Blocks: 589224
  Show dependency tree
Reported: 2016-07-20 12:47 UTC by Aaron Bauman
Modified: 2016-07-29 07:38 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-07-20 12:47:11 UTC
HTTPoxy vulnerability
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2016-07-20 12:47:29 UTC
CVE-2016-5386 (
  The net/http package in Go through 1.6 does not attempt to address RFC 3875
  section 4.1.18 namespace conflicts and therefore does not protect CGI
  applications from the presence of untrusted client data in the HTTP_PROXY
  environment variable, which might allow remote attackers to redirect a CGI
  application's outbound HTTP traffic to an arbitrary proxy server via a
  crafted Proxy header in an HTTP request, aka an "httpoxy" issue.
Comment 3 William Hubbs gentoo-dev 2016-07-20 13:29:41 UTC
It looks like go1.6.3 fixes this, but we are close to a go 1.7 release
as well.

Do you want me to bump 1.6.3 or wait for 1.7? Also, will this be a fast
Comment 4 William Hubbs gentoo-dev 2016-07-20 14:01:22 UTC
Go-1.6.3 is in the tree, marked ~arch for now. let me know if we should
fast stable.
Comment 5 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-07-20 14:12:46 UTC
@arches, please stabilize:

Comment 6 William Hubbs gentoo-dev 2016-07-20 14:21:52 UTC
amd64 done.
Comment 7 Markus Meier gentoo-dev 2016-07-24 18:40:54 UTC
arm stable
Comment 8 Agostino Sarubbo gentoo-dev 2016-07-28 15:23:53 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 9 William Hubbs gentoo-dev 2016-07-28 16:00:43 UTC
Cleanup is completed.
Comment 10 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-07-29 07:38:54 UTC
GLSA Vote: No