Date: Wed, 29 Jul 2015 19:51:12 +0000
From: Jason Buberel
To: Florian Weimer
Subject: Re: CVE Request - Go net/http library - HTTP smuggling


We do have an alias, and a proposal for a more formal
security review process, but I
agree that the process isn't clear enough currently.

In this particular case, the reporter sent a message to
That was then forwarded to me for handling.

And I agree on the bundling. Is there another specific issue that you're
tracking? Feel free to contact me directly -


On Wed, Jul 29, 2015 at 12:16 PM Florian Weimer wrote:

> On 07/29/2015 05:15 PM, Jason Buberel wrote:
> > Hello OSS Security Community,
> >
> > The Go open source project has received notification of an HTTP request
> > smuggling vulnerability in the net/http library (
> > The vulnerability was identified in the
> > 1.4.2 release version ( and in the 1.5 release branch.
>
> How does one report such things?
> Due to lack of published security contact information, I contacted the
> de-facto subsystem maintainer about the issue, but I have been ignored.
> (It would be nice to be able to bundle such security updates as far as
> possible, to avoid recompiling everything constantly.)
> --
> Florian Weimer / Red Hat Product Security
