Date: Tue, 04 Aug 2015 22:56:12 +0000
From: Jason Buberel <jbuberel@...gle.com>
To: Florian Weimer <fweimer@...hat.com>
Cc: oss-security@...ts.openwall.com, "cve-assign@...re.org" <cve-assign@...re.org>
Subject: Re: CVE Request - Go net/http library - HTTP smuggling

Florian,

We believe that this is a potentially exploitable issue. We would like a CVE-ID in order to release a 1.4.3 build that has the fixes applied to the current stable release (1.4.2) for linux distro coordination.

Commits have been made to the Go master branch to fix the problem:

https://github.com/golang/go/commit/117ddcb83d7f42d6aa72241240af99ded81118e9
https://github.com/golang/go/commit/300d9a21583e7cf0149a778a0611e76ff7c6680f
https://github.com/golang/go/commit/143822585e32449860e624cace9d2e521deee62e

Additional background on the exploit, as provided by the reporter:

net/http problems
------------------

* Double Content-length headers in a request do not generate a 400 error; the second Content-length is ignored
* Invalid headers are parsed as valid headers (like "Content Length:" with a space in the middle)

Exploitations
--------------

In a situation where the net/http agent's HTTP communication with the final http clients is using some reverse proxy (reverse proxy cache, SSL terminators, etc.), some requests can be made exploiting the net/http HTTP protocol violations. The goal of these requests will be either:

* to bypass security controls on these previous elements
* to perform some cache poisoning on these elements
* to alter the request/response map on these previous elements (for DOS), see for example this apache 2.4 issue: https://bz.apache.org/bugzilla/show_bug.cgi?id=57832

On Wed, Jul 29, 2015 at 12:51 PM Jason Buberel <jbuberel@...gle.com> wrote:
> Florian,
>
> We do have a security@...ang.org alias, and a proposal for a more formal
> security review process <https://github.com/golang/go/issues/11502>, but
> I agree that the process isn't clear enough currently.
>
> In this particular case, the reporter sent a message to go-dev@...ang.org.
> That was then forwarded to me for handling.
>
> And I agree on the bundling. Is there another specific issue that you're
> tracking? Feel free to contact me directly - jbuberel@...gle.com.
>
> -jason
>
> On Wed, Jul 29, 2015 at 12:16 PM Florian Weimer <fweimer@...hat.com>
> wrote:
>
>> On 07/29/2015 05:15 PM, Jason Buberel wrote:
>> > Hello OSS Security Community,
>> >
>> > The Go open source project has received notification of an HTTP request
>> > smuggling vulnerability in the net/http library (
>> > http://golang.org/pkg/net/http/). The vulnerability was identified in the
>> > 1.4.2 release version (http://golang.org/dl) and in the 1.5 release branch.
>>
>> How does one report such things?
>>
>> Due to lack of published security contact information, I contacted the
>> de-facto subsystem maintainer about the issue, but I have been ignored.
>>
>> (It would be nice to be able to bundle such security updates as far as
>> possible, to avoid recompiling everything constantly.)
>>
>> --
>> Florian Weimer / Red Hat Product Security
>>
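The two parser defects the reporter lists (duplicate Content-Length accepted, header names with a space accepted) as a stand-alone validation check. This is an added example, not code from the Go project or from the thread; it parses a raw HTTP/1.x header block itself rather than using net/http, and the request strings are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// isTchar reports whether c may appear in a header field name (RFC 7230 "tchar").
func isTchar(c byte) bool {
	if c >= 'a' && c <= 'z' || c >= 'A' && c <= 'Z' || c >= '0' && c <= '9' {
		return true
	}
	return strings.IndexByte("!#$%&'*+-.^_`|~", c) >= 0
}

// CheckRequestHeaders inspects the header block of a raw HTTP/1.x request and
// rejects the two defects from the report: a field name that is not a token
// (e.g. "Content Length" with a space) and more than one Content-Length header.
func CheckRequestHeaders(raw string) error {
	end := strings.Index(raw, "\r\n\r\n")
	if end < 0 {
		return fmt.Errorf("header block not terminated by an empty line")
	}
	contentLengths := 0
	for _, line := range strings.Split(raw[:end], "\r\n")[1:] { // [0] is the request line
		i := strings.IndexByte(line, ':')
		if i <= 0 {
			return fmt.Errorf("malformed header line %q", line)
		}
		name := line[:i]
		for j := 0; j < len(name); j++ {
			if !isTchar(name[j]) {
				return fmt.Errorf("invalid byte %q in header name %q", name[j], name)
			}
		}
		if strings.EqualFold(name, "Content-Length") {
			contentLengths++
		}
	}
	if contentLengths > 1 {
		return fmt.Errorf("%d Content-Length headers in one request", contentLengths)
	}
	return nil
}

func main() {
	// Constructed request carrying the duplicate Content-Length defect from the report.
	fmt.Println(CheckRequestHeaders("POST / HTTP/1.1\r\nHost: x\r\nContent-Length: 5\r\nContent-Length: 60\r\n\r\nhello"))
}
```

A front end that applies this check before forwarding rejects the requests with 400 instead of letting the back end and the proxy disagree about where the body ends.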