Date: Wed, 29 Jul 2015 19:51:12 +0000
From: Jason Buberel <jbuberel@...gle.com>
To: Florian Weimer <fweimer@...hat.com>
Cc: oss-security@...ts.openwall.com
Subject: Re: CVE Request - Go net/http library - HTTP smuggling

Florian,

We do have a security@...ang.org alias, and a proposal for a more formal security review process <https://github.com/golang/go/issues/11502>, but I agree that the process isn't clear enough currently. In this particular case, the reporter sent a message to go-dev@...ang.org. That was then forwarded to me for handling.

And I agree on the bundling. Is there another specific issue that you're tracking? Feel free to contact me directly - jbuberel@...gle.com.

-jason

On Wed, Jul 29, 2015 at 12:16 PM Florian Weimer <fweimer@...hat.com> wrote:

> On 07/29/2015 05:15 PM, Jason Buberel wrote:
> > Hello OSS Security Community,
> >
> > The Go open source project has received notification of an HTTP request
> > smuggling vulnerability in the net/http library (
> > http://golang.org/pkg/net/http/). The vulnerability was identified in the
> > 1.4.2 release version (http://golang.org/dl) and in the 1.5 release branch.
>
> How does one report such things?
>
> Due to lack of published security contact information, I contacted the
> de-facto subsystem maintainer about the issue, but I have been ignored.
>
> (It would be nice to be able to bundle such security updates as far as
> possible, to avoid recompiling everything constantly.)
>
> --
> Florian Weimer / Red Hat Product Security