Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 788640 (CVE-2021-31525) - <dev-lang/go-{1.15.12,1.16.4}: net/http* denial of service (CVE-2021-31525)
Summary: <dev-lang/go-{1.15.12,1.16.4}: net/http* denial of service (CVE-2021-31525)
Status: IN_PROGRESS
Alias: CVE-2021-31525
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa?]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-05-06 21:25 UTC by Sam James
Modified: 2021-07-01 16:52 UTC (History)
1 user (show)

See Also:
Package list:
dev-lang/go-1.15.12 dev-lang/go-1.16.4
Runtime testing required: ---
nattka: sanity-check-


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester gentoo-dev Security 2021-05-06 21:25:40 UTC
"Hello gophers,

We have just released Go versions 1.16.4 and 1.15.12, minor point releases.

This minor release includes a security fix according to the new security policy (#44918).

ReadRequest and ReadResponse in net/http can hit an unrecoverable panic when reading a very large header (over 7MB on 64-bit architectures, or over 4MB on 32-bit ones). Transport and Client are vulnerable and the program can be made to crash by a malicious server.  Server is not vulnerable by default, but can be if the default max header of 1MB is overridden by setting Server.MaxHeaderBytes to a higher value, in which case the program can be made to crash by a malicious client.

This also affects golang.org/x/net/http2/h2c and HeaderValuesContainsToken in golang.org/x/net/http/httpguts, and is fixed in golang.org/x/net@v0.0.0-20210428140749-89ef3d95e781.

This is issue #45710 and CVE-2021-31525.

Thanks to Guido Vranken who reported the crash as part of the Ethereum 2.0 bounty program.

View the release notes for more information:
    https://golang.org/doc/devel/release.html#go1.16.minor

You can download binary and source distributions from the Go web site:
    https://golang.org/dl/

To compile from source using a Git clone, update to the release with
"git checkout go1.16.4" and build as usual.

Thanks to everyone who contributed to the releases.

Cheers,
Heschi and Carlos for the Go team"
Comment 1 Sam James archtester gentoo-dev Security 2021-05-06 21:25:54 UTC
Please bump.
Comment 2 Larry the Git Cow gentoo-dev 2021-05-12 22:12:06 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d5a71f48d8187ef86ae15b111ee7415bdb039d58

commit d5a71f48d8187ef86ae15b111ee7415bdb039d58
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2021-05-12 21:50:56 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2021-05-12 22:11:58 +0000

    dev-lang/go: 1.15.12 and 1.16.4 bump
    
    Bug: https://bugs.gentoo.org/788640
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 dev-lang/go/Manifest          |   2 +
 dev-lang/go/go-1.15.12.ebuild | 189 ++++++++++++++++++++++++++++++++++++++++++
 dev-lang/go/go-1.16.4.ebuild  | 189 ++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 380 insertions(+)
Comment 3 John Helmert III gentoo-dev Security 2021-05-13 14:33:35 UTC
Thank you! Please proceed with stabilization when ready.
Comment 4 William Hubbs gentoo-dev 2021-05-17 15:50:14 UTC
Go ahead with stabilization.
Comment 5 Sam James archtester gentoo-dev Security 2021-05-17 16:00:00 UTC
(In reply to William Hubbs from comment #4)
> Go ahead with stabilization.

Thanks William!
Comment 6 Sam James archtester gentoo-dev Security 2021-05-18 17:26:12 UTC
arm done
Comment 7 Sam James archtester gentoo-dev Security 2021-05-18 17:27:02 UTC
ppc64 done
Comment 8 Agostino Sarubbo gentoo-dev 2021-05-19 20:09:15 UTC
x86 stable
Comment 9 Agostino Sarubbo gentoo-dev 2021-05-20 06:24:55 UTC
amd64 stable
Comment 10 Sam James archtester gentoo-dev Security 2021-05-22 01:31:45 UTC
arm64 done

all arches done
Comment 11 Sam James archtester gentoo-dev Security 2021-05-22 01:53:21 UTC
Please cleanup, thanks!
Comment 12 Larry the Git Cow gentoo-dev 2021-05-24 19:50:44 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bfbf5dfcb9361e5f6e339af3c8190055d7fbe068

commit bfbf5dfcb9361e5f6e339af3c8190055d7fbe068
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2021-05-24 19:48:53 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2021-05-24 19:50:22 +0000

    dev-lang/go: remove old
    
    Bug: https://bugs.gentoo.org/788640
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 dev-lang/go/Manifest          |   2 -
 dev-lang/go/go-1.15.10.ebuild | 189 ------------------------------------------
 dev-lang/go/go-1.16.2.ebuild  | 189 ------------------------------------------
 3 files changed, 380 deletions(-)
Comment 13 John Helmert III gentoo-dev Security 2021-05-25 02:51:01 UTC
Thank you!
Comment 14 NATTkA bot gentoo-dev 2021-07-01 16:52:24 UTC
Unable to check for sanity:

> no match for package: dev-lang/go-1.15.12