oss-sec mailing list archives
Re: CVE Request - Go net/http library - HTTP smuggling
From: Jason Buberel <jbuberel () google com>
Date: Tue, 04 Aug 2015 22:56:12 +0000
Florian,

We believe that this is a potentially exploitable issue. We would like a CVE-ID in order to release a 1.4.3 build that has the fixes applied to the current stable release (1.4.2) for linux distro coordination.

Commits have been made to the Go master branch to fix the problem:

https://github.com/golang/go/commit/117ddcb83d7f42d6aa72241240af99ded81118e9
https://github.com/golang/go/commit/300d9a21583e7cf0149a778a0611e76ff7c6680f
https://github.com/golang/go/commit/143822585e32449860e624cace9d2e521deee62e

Additional background on the exploit, as provided by the reporter:

net/http problems
------------------

* Double Content-length headers in a request do not generate a 400 error, the second Content-length is ignored
* Invalid headers are parsed as valid headers (like "Content Length:" with a space in the middle)

Exploitations
--------------

In a situation where the net/http agent HTTP communication with the final http clients is using some reverse proxy (reverse proxy cache, SSL terminators, etc), some requests can be made exploiting the net/http HTTP protocol violations. The goal of these requests will be either:

* to bypass security controls on these previous elements
* to perform some cache poisoning on these elements
* to alter the request/response map on these previous elements (for DOS), see for example this apache 2.4 issue: https://bz.apache.org/bugzilla/show_bug.cgi?id=57832

On Wed, Jul 29, 2015 at 12:51 PM Jason Buberel <jbuberel () google com> wrote:

> Florian,
>
> We do have a security () golang org alias, and a proposal for a more formal security review process <https://github.com/golang/go/issues/11502>, but I agree that the process isn't clear enough currently. In this particular case, the reporter sent a message to go-dev () golang org. That was then forwarded to me for handling.
>
> And I agree on the bundling. Is there another specific issue that you're tracking? Feel free to contact me directly - jbuberel () google com.
>
> -jason
>
> On Wed, Jul 29, 2015 at 12:16 PM Florian Weimer <fweimer () redhat com> wrote:
>
>> On 07/29/2015 05:15 PM, Jason Buberel wrote:
>>
>>> Hello OSS Security Community,
>>>
>>> The Go open source project has received notification of an HTTP request smuggling vulnerability in the net/http library (http://golang.org/pkg/net/http/). The vulnerability was identified in the 1.4.2 release version (http://golang.org/dl) and in the 1.5 release branch.
>>
>> How does one report such things? Due to lack of published security contact information, I contacted the de-facto subsystem maintainer about the issue, but I have been ignored.
>>
>> (It would be nice to be able to bundle such security updates as far as possible, to avoid recompiling everything constantly.)
>>
>> --
>> Florian Weimer / Red Hat Product Security
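The two parser conditions listed in the report above (a repeated Content-Length and a field name containing a space), written as a strict check that answers with an error instead of guessing. This is an added example, not part of the original message and not the code from the Go commits; `CheckRequestHead`, `validName` and the sample requests are hypothetical, and rejecting every repeated Content-Length (even an identical one) is an assumed policy.

```go
package main

import (
	"fmt"
	"strings"
)

// validName reports whether s is an RFC 7230 token, the only legal field name.
func validName(s string) bool {
	for i := 0; i < len(s); i++ {
		c := s[i]
		alnum := c >= '0' && c <= '9' || c >= 'a' && c <= 'z' || c >= 'A' && c <= 'Z'
		if !alnum && strings.IndexByte("!#$%&'*+-.^_`|~", c) < 0 {
			return false
		}
	}
	return s != ""
}

// CheckRequestHead (hypothetical) returns an error when a raw request head should get a 400.
func CheckRequestHead(head string) error {
	seenCL := false
	head = strings.SplitN(head, "\r\n\r\n", 2)[0] // keep the header block only
	for _, line := range strings.Split(head, "\r\n")[1:] { // [0] is the request line
		i := strings.IndexByte(line, ':')
		if i < 0 || !validName(line[:i]) {
			return fmt.Errorf("invalid header line %q", line)
		}
		if !strings.EqualFold(line[:i], "Content-Length") {
			continue
		}
		if seenCL { // assumed strict policy: any repeat is rejected
			return fmt.Errorf("repeated Content-Length")
		}
		seenCL = true
		v := strings.Trim(line[i+1:], " \t")
		if v == "" || strings.Trim(v, "0123456789") != "" {
			return fmt.Errorf("invalid Content-Length %q", v)
		}
	}
	return nil
}

func main() {
	base := "POST /upload HTTP/1.1\r\nHost: app.example\r\n" // constructed samples
	for _, h := range []string{"Content-Length: 5\r\n", "Content-Length: 5\r\nContent-Length: 0\r\n", "Content Length: 5\r\n"} {
		fmt.Println(CheckRequestHead(base + h + "\r\n"))
	}
}
```

Because a front-end proxy and the back end must agree on where a request body ends, both conditions are rejected outright so that neither side is left to choose between two lengths or to reinterpret a malformed name.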