Search...

Fedora Update for golang FEDORA-2015-13002

2015-08-20T00:00:00

ID OPENVAS:1361412562310869876
Type openvas
Reporter Copyright (C) 2015 Greenbone Networks GmbH
Modified 2019-03-15T00:00:00

Description

The remote host is missing an update for the

                                        
                                            ###############################################################################
# OpenVAS Vulnerability Test
#
# Fedora Update for golang FEDORA-2015-13002
#
# Authors:
# System Generated Check
#
# Copyright:
# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################

if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.869876");
  script_version("$Revision: 14223 $");
  script_tag(name:"last_modification", value:"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $");
  script_tag(name:"creation_date", value:"2015-08-20 06:40:44 +0200 (Thu, 20 Aug 2015)");
  script_cve_id("CVE-2015-5739", "CVE-2015-5740", "CVE-2015-5741");
  script_tag(name:"cvss_base", value:"10.0");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_tag(name:"qod_type", value:"package");
  script_name("Fedora Update for golang FEDORA-2015-13002");
  script_tag(name:"summary", value:"The remote host is missing an update for the 'golang'
  package(s) announced via the referenced advisory.");
  script_tag(name:"vuldetect", value:"Checks if a vulnerable version is present on the target host.");
  script_tag(name:"affected", value:"golang on Fedora 22");
  script_tag(name:"solution", value:"Please install the updated package(s).");
  script_xref(name:"FEDORA", value:"2015-13002");
  script_xref(name:"URL", value:"https://lists.fedoraproject.org/pipermail/package-announce/2015-August/163980.html");
  script_tag(name:"solution_type", value:"VendorFix");
  script_category(ACT_GATHER_INFO);
  script_copyright("Copyright (C) 2015 Greenbone Networks GmbH");
  script_family("Fedora Local Security Checks");
  script_dependencies("gather-package-list.nasl");
  script_mandatory_keys("ssh/login/fedora", "ssh/login/rpms", re:"ssh/login/release=FC22");

  exit(0);
}

include("revisions-lib.inc");
include("pkg-lib-rpm.inc");

release = rpm_get_ssh_release();
if(!release)
  exit(0);

res = "";

if(release == "FC22")
{

  if ((res = isrpmvuln(pkg:"golang", rpm:"golang~1.4.2~3.fc22", rls:"FC22")) != NULL)
  {
    security_message(data:res);
    exit(0);
  }

  if (__pkg_match) exit(99);
  exit(0);
}

JSON Vulners Source

Initial Source

{"id": "OPENVAS:1361412562310869876", "bulletinFamily": "scanner", "title": "Fedora Update for golang FEDORA-2015-13002", "description": "The remote host is missing an update for the ", "published": "2015-08-20T00:00:00", "modified": "2019-03-15T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310869876", "reporter": "Copyright (C) 2015 Greenbone Networks GmbH", "references": ["2015-13002", "https://lists.fedoraproject.org/pipermail/package-announce/2015-August/163980.html"], "cvelist": ["CVE-2015-5740", "CVE-2015-5741", "CVE-2015-5739"], "type": "openvas", "lastseen": "2019-05-29T18:37:07", "history": [{"bulletin": {"bulletinFamily": "scanner", "cvelist": ["CVE-2015-5740", "CVE-2015-5741", "CVE-2015-5739"], "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "The remote host is missing an update for the ", "edition": 6, "enchantments": {"dependencies": {"modified": "2019-03-18T14:36:46", "references": [{"idList": ["FEDORA_2015-15618.NASL", "FEDORA_2015-12957.NASL", "FEDORA_2015-13002.NASL", "CENTOS_RHSA-2016-1538.NASL", "REDHAT-RHSA-2016-1538.NASL", "FREEBSD_PKG_4464212E4ACD11E5934B002590263BF5.NASL", "ORACLELINUX_ELSA-2016-1538.NASL", "ALA_ALAS-2015-588.NASL", "OPENSUSE-2016-907.NASL", "FEDORA_2015-15619.NASL"], "type": "nessus"}, {"idList": ["OPENVAS:1361412562310869978", "OPENVAS:1361412562310869881", "OPENVAS:1361412562310120511", "OPENVAS:1361412562310869977"], "type": "openvas"}, {"idList": ["CVE-2015-5740", "CVE-2015-5739"], "type": "cve"}, {"idList": ["CESA-2016:1538"], "type": "centos"}, {"idList": ["CFOUNDRY:49E12FFB172ED25FC5E4B1AC01EEF7BF"], "type": "cloudfoundry"}, {"idList": ["ALAS-2015-588"], "type": "amazon"}, {"idList": ["RHSA-2016:1538"], "type": "redhat"}, {"idList": ["4464212E-4ACD-11E5-934B-002590263BF5"], "type": "freebsd"}]}, "score": {"value": 7.5, "vector": "NONE"}}, "hash": "0322dcf1b27f07d293ad2c5011bd7efa7b513f2e14fb6f250cf76cb8f81eaf43", "hashmap": [{"hash": "0f16668aac2658901198a5ce16138115", "key": "sourceData"}, {"hash": "29275e29c9a95bf70460d0e08a75c53e", "key": "title"}, {"hash": "d9d60497e35e52b015f9c5fa79e49a3a", "key": "pluginID"}, {"hash": "021c5e04faf52846b8ee93a59afaa783", "key": "references"}, {"hash": "1693b96dcccf4fbcd463bf8baaa2bf3f", "key": "description"}, {"hash": "e5d275b3ebd62646b78320753699e02e", "key": "cvss"}, {"hash": "b893f6495f0629bfca8662d680c884f3", "key": "published"}, {"hash": "47c1f692ea47a21f716dad07043ade01", "key": "type"}, {"hash": "266dc113699df632b13301dc75e2250f", "key": "cvelist"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "be931514784f88df80712740ad2723e7", "key": "naslFamily"}, {"hash": "4525bc09d1c4c408a417a5eb7b850972", "key": "modified"}, {"hash": "1e898993712db5cf9f9a110102684025", "key": "reporter"}, {"hash": "2aaae16d567318639084ba3e90ce5d75", "key": "href"}], "history": [], "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310869876", "id": "OPENVAS:1361412562310869876", "lastseen": "2019-03-18T14:36:46", "modified": "2019-03-15T00:00:00", "naslFamily": "Fedora Local Security Checks", "objectVersion": "1.3", "pluginID": "1361412562310869876", "published": "2015-08-20T00:00:00", "references": ["2015-13002", "https://lists.fedoraproject.org/pipermail/package-announce/2015-August/163980.html"], "reporter": "Copyright (C) 2015 Greenbone Networks GmbH", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for golang FEDORA-2015-13002\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.869876\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2015-08-20 06:40:44 +0200 (Thu, 20 Aug 2015)\");\n script_cve_id(\"CVE-2015-5739\", \"CVE-2015-5740\", \"CVE-2015-5741\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for golang FEDORA-2015-13002\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'golang'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"golang on Fedora 22\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2015-13002\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2015-August/163980.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC22\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC22\")\n{\n\n if ((res = isrpmvuln(pkg:\"golang\", rpm:\"golang~1.4.2~3.fc22\", rls:\"FC22\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "title": "Fedora Update for golang FEDORA-2015-13002", "type": "openvas", "viewCount": 0}, "differentElements": ["cvss"], "edition": 6, "lastseen": "2019-03-18T14:36:46"}, {"bulletin": {"bulletinFamily": "scanner", "cvelist": ["CVE-2015-5740", "CVE-2015-5741", "CVE-2015-5739"], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "Check the version of golang", "edition": 1, "enchantments": {}, "hash": "3e9d3a2a0921185f28f222a98ee69641d162523d8971568e1ab2e665ab168e16", "hashmap": [{"hash": "29275e29c9a95bf70460d0e08a75c53e", "key": "title"}, {"hash": "7be8961190f684f76435f29ec444b21e", "key": "description"}, {"hash": "d9d60497e35e52b015f9c5fa79e49a3a", "key": "pluginID"}, {"hash": "021c5e04faf52846b8ee93a59afaa783", "key": "references"}, {"hash": "869cbb1ffbf12ad4f80152e68fd8f0e8", "key": "sourceData"}, {"hash": "b893f6495f0629bfca8662d680c884f3", "key": "published"}, {"hash": "47c1f692ea47a21f716dad07043ade01", "key": "type"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "266dc113699df632b13301dc75e2250f", "key": "cvelist"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "be931514784f88df80712740ad2723e7", "key": "naslFamily"}, {"hash": "1e898993712db5cf9f9a110102684025", "key": "reporter"}, {"hash": "e7c99ea8270f32c4596b63d798cb8592", "key": "modified"}, {"hash": "2aaae16d567318639084ba3e90ce5d75", "key": "href"}], "history": [], "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310869876", "id": "OPENVAS:1361412562310869876", "lastseen": "2017-07-02T21:11:34", "modified": "2017-05-16T00:00:00", "naslFamily": "Fedora Local Security Checks", "objectVersion": "1.3", "pluginID": "1361412562310869876", "published": "2015-08-20T00:00:00", "references": ["2015-13002", "https://lists.fedoraproject.org/pipermail/package-announce/2015-August/163980.html"], "reporter": "Copyright (C) 2015 Greenbone Networks GmbH", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for golang FEDORA-2015-13002\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.869876\");\n script_version(\"$Revision: 6132 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-05-16 11:03:39 +0200 (Tue, 16 May 2017) $\");\n script_tag(name:\"creation_date\", value:\"2015-08-20 06:40:44 +0200 (Thu, 20 Aug 2015)\");\n script_cve_id(\"CVE-2015-5739\", \"CVE-2015-5740\", \"CVE-2015-5741\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for golang FEDORA-2015-13002\");\n script_tag(name: \"summary\", value: \"Check the version of golang\");\n script_tag(name: \"vuldetect\", value: \"Get the installed version with the help\nof detect NVT and check if the version is vulnerable or not.\");\n script_tag(name: \"insight\", value: \"The Go Programming Language.\n\");\n script_tag(name: \"affected\", value: \"golang on Fedora 22\");\n script_tag(name: \"solution\", value: \"Please Install the Updated Packages.\");\n script_xref(name: \"FEDORA\", value: \"2015-13002\");\n script_xref(name: \"URL\" , value: \"https://lists.fedoraproject.org/pipermail/package-announce/2015-August/163980.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"HostDetails/OS/cpe:/o:fedoraproject:fedora\", \"login/SSH/success\", \"ssh/login/release\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC22\")\n{\n\n if ((res = isrpmvuln(pkg:\"golang\", rpm:\"golang~1.4.2~3.fc22\", rls:\"FC22\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "title": "Fedora Update for golang FEDORA-2015-13002", "type": "openvas", "viewCount": 0}, "differentElements": ["modified", "sourceData"], "edition": 1, "lastseen": "2017-07-02T21:11:34"}, {"bulletin": {"bulletinFamily": "scanner", "cvelist": ["CVE-2015-5740", "CVE-2015-5741", "CVE-2015-5739"], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "Check the version of golang", "edition": 4, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "3bbe75c9b5c8d18cbbca52d65aadd7b1a032ef8e09681c4e56532de7e5f110eb", "hashmap": [{"hash": "29275e29c9a95bf70460d0e08a75c53e", "key": "title"}, {"hash": "7be8961190f684f76435f29ec444b21e", "key": "description"}, {"hash": "d9d60497e35e52b015f9c5fa79e49a3a", "key": "pluginID"}, {"hash": "021c5e04faf52846b8ee93a59afaa783", "key": "references"}, {"hash": "b893f6495f0629bfca8662d680c884f3", "key": "published"}, {"hash": "47c1f692ea47a21f716dad07043ade01", "key": "type"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "266dc113699df632b13301dc75e2250f", "key": "cvelist"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "be931514784f88df80712740ad2723e7", "key": "naslFamily"}, {"hash": "223bd4687b9176df1412a0e56288b7e7", "key": "sourceData"}, {"hash": "1e898993712db5cf9f9a110102684025", "key": "reporter"}, {"hash": "0d134bf170d66438eb1e01173ee0187f", "key": "modified"}, {"hash": "2aaae16d567318639084ba3e90ce5d75", "key": "href"}], "history": [], "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310869876", "id": "OPENVAS:1361412562310869876", "lastseen": "2018-08-30T19:23:16", "modified": "2017-07-10T00:00:00", "naslFamily": "Fedora Local Security Checks", "objectVersion": "1.3", "pluginID": "1361412562310869876", "published": "2015-08-20T00:00:00", "references": ["2015-13002", "https://lists.fedoraproject.org/pipermail/package-announce/2015-August/163980.html"], "reporter": "Copyright (C) 2015 Greenbone Networks GmbH", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for golang FEDORA-2015-13002\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.869876\");\n script_version(\"$Revision: 6630 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:34:32 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2015-08-20 06:40:44 +0200 (Thu, 20 Aug 2015)\");\n script_cve_id(\"CVE-2015-5739\", \"CVE-2015-5740\", \"CVE-2015-5741\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for golang FEDORA-2015-13002\");\n script_tag(name: \"summary\", value: \"Check the version of golang\");\n script_tag(name: \"vuldetect\", value: \"Get the installed version with the help\nof detect NVT and check if the version is vulnerable or not.\");\n script_tag(name: \"insight\", value: \"The Go Programming Language.\n\");\n script_tag(name: \"affected\", value: \"golang on Fedora 22\");\n script_tag(name: \"solution\", value: \"Please Install the Updated Packages.\");\n script_xref(name: \"FEDORA\", value: \"2015-13002\");\n script_xref(name: \"URL\" , value: \"https://lists.fedoraproject.org/pipermail/package-announce/2015-August/163980.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC22\")\n{\n\n if ((res = isrpmvuln(pkg:\"golang\", rpm:\"golang~1.4.2~3.fc22\", rls:\"FC22\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "title": "Fedora Update for golang FEDORA-2015-13002", "type": "openvas", "viewCount": 0}, "differentElements": ["cvss"], "edition": 4, "lastseen": "2018-08-30T19:23:16"}, {"bulletin": {"bulletinFamily": "scanner", "cvelist": ["CVE-2015-5740", "CVE-2015-5741", "CVE-2015-5739"], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "Check the version of golang", "edition": 2, "enchantments": {}, "hash": "3bbe75c9b5c8d18cbbca52d65aadd7b1a032ef8e09681c4e56532de7e5f110eb", "hashmap": [{"hash": "29275e29c9a95bf70460d0e08a75c53e", "key": "title"}, {"hash": "7be8961190f684f76435f29ec444b21e", "key": "description"}, {"hash": "d9d60497e35e52b015f9c5fa79e49a3a", "key": "pluginID"}, {"hash": "021c5e04faf52846b8ee93a59afaa783", "key": "references"}, {"hash": "b893f6495f0629bfca8662d680c884f3", "key": "published"}, {"hash": "47c1f692ea47a21f716dad07043ade01", "key": "type"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "266dc113699df632b13301dc75e2250f", "key": "cvelist"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "be931514784f88df80712740ad2723e7", "key": "naslFamily"}, {"hash": "223bd4687b9176df1412a0e56288b7e7", "key": "sourceData"}, {"hash": "1e898993712db5cf9f9a110102684025", "key": "reporter"}, {"hash": "0d134bf170d66438eb1e01173ee0187f", "key": "modified"}, {"hash": "2aaae16d567318639084ba3e90ce5d75", "key": "href"}], "history": [], "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310869876", "id": "OPENVAS:1361412562310869876", "lastseen": "2017-07-25T10:52:26", "modified": "2017-07-10T00:00:00", "naslFamily": "Fedora Local Security Checks", "objectVersion": "1.3", "pluginID": "1361412562310869876", "published": "2015-08-20T00:00:00", "references": ["2015-13002", "https://lists.fedoraproject.org/pipermail/package-announce/2015-August/163980.html"], "reporter": "Copyright (C) 2015 Greenbone Networks GmbH", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for golang FEDORA-2015-13002\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.869876\");\n script_version(\"$Revision: 6630 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:34:32 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2015-08-20 06:40:44 +0200 (Thu, 20 Aug 2015)\");\n script_cve_id(\"CVE-2015-5739\", \"CVE-2015-5740\", \"CVE-2015-5741\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for golang FEDORA-2015-13002\");\n script_tag(name: \"summary\", value: \"Check the version of golang\");\n script_tag(name: \"vuldetect\", value: \"Get the installed version with the help\nof detect NVT and check if the version is vulnerable or not.\");\n script_tag(name: \"insight\", value: \"The Go Programming Language.\n\");\n script_tag(name: \"affected\", value: \"golang on Fedora 22\");\n script_tag(name: \"solution\", value: \"Please Install the Updated Packages.\");\n script_xref(name: \"FEDORA\", value: \"2015-13002\");\n script_xref(name: \"URL\" , value: \"https://lists.fedoraproject.org/pipermail/package-announce/2015-August/163980.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC22\")\n{\n\n if ((res = isrpmvuln(pkg:\"golang\", rpm:\"golang~1.4.2~3.fc22\", rls:\"FC22\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "title": "Fedora Update for golang FEDORA-2015-13002", "type": "openvas", "viewCount": 0}, "differentElements": ["cvss"], "edition": 2, "lastseen": "2017-07-25T10:52:26"}, {"bulletin": {"bulletinFamily": "scanner", "cvelist": ["CVE-2015-5740", "CVE-2015-5741", "CVE-2015-5739"], "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "Check the version of golang", "edition": 3, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "f302a3c6ad66e5def3ac0b3c8fb19f63052f470289a58bbdfe62d288aede2a14", "hashmap": [{"hash": "29275e29c9a95bf70460d0e08a75c53e", "key": "title"}, {"hash": "7be8961190f684f76435f29ec444b21e", "key": "description"}, {"hash": "d9d60497e35e52b015f9c5fa79e49a3a", "key": "pluginID"}, {"hash": "021c5e04faf52846b8ee93a59afaa783", "key": "references"}, {"hash": "e5d275b3ebd62646b78320753699e02e", "key": "cvss"}, {"hash": "b893f6495f0629bfca8662d680c884f3", "key": "published"}, {"hash": "47c1f692ea47a21f716dad07043ade01", "key": "type"}, {"hash": "266dc113699df632b13301dc75e2250f", "key": "cvelist"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "be931514784f88df80712740ad2723e7", "key": "naslFamily"}, {"hash": "223bd4687b9176df1412a0e56288b7e7", "key": "sourceData"}, {"hash": "1e898993712db5cf9f9a110102684025", "key": "reporter"}, {"hash": "0d134bf170d66438eb1e01173ee0187f", "key": "modified"}, {"hash": "2aaae16d567318639084ba3e90ce5d75", "key": "href"}], "history": [], "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310869876", "id": "OPENVAS:1361412562310869876", "lastseen": "2017-11-09T12:50:43", "modified": "2017-07-10T00:00:00", "naslFamily": "Fedora Local Security Checks", "objectVersion": "1.3", "pluginID": "1361412562310869876", "published": "2015-08-20T00:00:00", "references": ["2015-13002", "https://lists.fedoraproject.org/pipermail/package-announce/2015-August/163980.html"], "reporter": "Copyright (C) 2015 Greenbone Networks GmbH", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for golang FEDORA-2015-13002\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.869876\");\n script_version(\"$Revision: 6630 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:34:32 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2015-08-20 06:40:44 +0200 (Thu, 20 Aug 2015)\");\n script_cve_id(\"CVE-2015-5739\", \"CVE-2015-5740\", \"CVE-2015-5741\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for golang FEDORA-2015-13002\");\n script_tag(name: \"summary\", value: \"Check the version of golang\");\n script_tag(name: \"vuldetect\", value: \"Get the installed version with the help\nof detect NVT and check if the version is vulnerable or not.\");\n script_tag(name: \"insight\", value: \"The Go Programming Language.\n\");\n script_tag(name: \"affected\", value: \"golang on Fedora 22\");\n script_tag(name: \"solution\", value: \"Please Install the Updated Packages.\");\n script_xref(name: \"FEDORA\", value: \"2015-13002\");\n script_xref(name: \"URL\" , value: \"https://lists.fedoraproject.org/pipermail/package-announce/2015-August/163980.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC22\")\n{\n\n if ((res = isrpmvuln(pkg:\"golang\", rpm:\"golang~1.4.2~3.fc22\", rls:\"FC22\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "title": "Fedora Update for golang FEDORA-2015-13002", "type": "openvas", "viewCount": 0}, "differentElements": ["cvss"], "edition": 3, "lastseen": "2017-11-09T12:50:43"}], "edition": 7, "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cvelist", "hash": "266dc113699df632b13301dc75e2250f"}, {"key": "cvss", "hash": "0b053db5674b87efff89989a8a720df3"}, {"key": "description", "hash": "1693b96dcccf4fbcd463bf8baaa2bf3f"}, {"key": "href", "hash": "2aaae16d567318639084ba3e90ce5d75"}, {"key": "modified", "hash": "4525bc09d1c4c408a417a5eb7b850972"}, {"key": "naslFamily", "hash": "be931514784f88df80712740ad2723e7"}, {"key": "pluginID", "hash": "d9d60497e35e52b015f9c5fa79e49a3a"}, {"key": "published", "hash": "b893f6495f0629bfca8662d680c884f3"}, {"key": "references", "hash": "021c5e04faf52846b8ee93a59afaa783"}, {"key": "reporter", "hash": "1e898993712db5cf9f9a110102684025"}, {"key": "sourceData", "hash": "0f16668aac2658901198a5ce16138115"}, {"key": "title", "hash": "29275e29c9a95bf70460d0e08a75c53e"}, {"key": "type", "hash": "47c1f692ea47a21f716dad07043ade01"}], "hash": "b7f819cd7833c34fdc07603bb13901995a361e05efe3c49508385dda2e255915", "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-5739", "CVE-2015-5740"]}, {"type": "nessus", "idList": ["FEDORA_2015-13002.NASL", "OPENSUSE-2016-907.NASL", "FEDORA_2015-15619.NASL", "FEDORA_2015-12957.NASL", "FREEBSD_PKG_4464212E4ACD11E5934B002590263BF5.NASL", "FEDORA_2015-15618.NASL", "ALA_ALAS-2015-588.NASL", "REDHAT-RHSA-2016-1538.NASL", "CENTOS_RHSA-2016-1538.NASL", "ORACLELINUX_ELSA-2016-1538.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310120511", "OPENVAS:1361412562310869977", "OPENVAS:1361412562310869978", "OPENVAS:1361412562310869881"]}, {"type": "freebsd", "idList": ["4464212E-4ACD-11E5-934B-002590263BF5"]}, {"type": "amazon", "idList": ["ALAS-2015-588"]}, {"type": "cloudfoundry", "idList": ["CFOUNDRY:49E12FFB172ED25FC5E4B1AC01EEF7BF"]}, {"type": "centos", "idList": ["CESA-2016:1538"]}, {"type": "redhat", "idList": ["RHSA-2016:1538"]}], "modified": "2019-05-29T18:37:07"}, "score": {"value": 6.6, "vector": "NONE", "modified": "2019-05-29T18:37:07"}, "vulnersScore": 6.6}, "objectVersion": "1.3", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for golang FEDORA-2015-13002\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.869876\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2015-08-20 06:40:44 +0200 (Thu, 20 Aug 2015)\");\n script_cve_id(\"CVE-2015-5739\", \"CVE-2015-5740\", \"CVE-2015-5741\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for golang FEDORA-2015-13002\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'golang'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"golang on Fedora 22\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2015-13002\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2015-August/163980.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC22\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC22\")\n{\n\n if ((res = isrpmvuln(pkg:\"golang\", rpm:\"golang~1.4.2~3.fc22\", rls:\"FC22\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "naslFamily": "Fedora Local Security Checks", "pluginID": "1361412562310869876", "scheme": null}

{"cve": [{"lastseen": "2019-05-29T18:14:43", "bulletinFamily": "NVD", "description": "The net/http library in net/textproto/reader.go in Go before 1.4.3 does not properly parse HTTP header keys, which allows remote attackers to conduct HTTP request smuggling attacks via a space instead of a hyphen, as demonstrated by \"Content Length\" instead of \"Content-Length.\"", "modified": "2019-05-10T16:45:00", "id": "CVE-2015-5739", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5739", "published": "2017-10-18T20:29:00", "title": "CVE-2015-5739", "type": "cve", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:14:43", "bulletinFamily": "NVD", "description": "The net/http library in net/http/transfer.go in Go before 1.4.3 does not properly parse HTTP headers, which allows remote attackers to conduct HTTP request smuggling attacks via a request with two Content-length headers.", "modified": "2019-05-09T20:13:00", "id": "CVE-2015-5740", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5740", "published": "2017-10-18T20:29:00", "title": "CVE-2015-5740", "type": "cve", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "openvas": [{"lastseen": "2019-05-29T18:36:36", "bulletinFamily": "scanner", "description": "Amazon Linux Local Security Checks", "modified": "2018-10-01T00:00:00", "published": "2015-09-08T00:00:00", "id": "OPENVAS:1361412562310120511", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310120511", "title": "Amazon Linux Local Check: ALAS-2015-588", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: alas-2015-588.nasl 6575 2017-07-06 13:42:08Z cfischer$\n#\n# Amazon Linux security check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@iki.fi>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://ping-viini.org\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.120511\");\n script_version(\"$Revision: 11703 $\");\n script_tag(name:\"creation_date\", value:\"2015-09-08 13:28:16 +0200 (Tue, 08 Sep 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-01 10:05:31 +0200 (Mon, 01 Oct 2018) $\");\n script_name(\"Amazon Linux Local Check: ALAS-2015-588\");\n script_tag(name:\"insight\", value:\"As discussed upstream -- here and here -- the Go project received notification of an HTTP request smuggling vulnerability in the net/http library. Invalid headers are parsed as valid headers (like Content Length: with a space in the middle) and Double Content-length headers in a request does not generate a 400 error, the second Content-length is ignored.\");\n script_tag(name:\"solution\", value:\"Run yum update golang docker to update your system.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://alas.aws.amazon.com/ALAS-2015-588.html\");\n script_cve_id(\"CVE-2015-5741\", \"CVE-2015-5740\", \"CVE-2015-5739\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/amazon_linux\", \"ssh/login/release\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"Amazon Linux Local Security Checks\");\n script_copyright(\"Eero Volotinen\");\n script_family(\"Amazon Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"AMAZON\")\n{\nif ((res = isrpmvuln(pkg:\"golang-pkg-bin-linux\", rpm:\"golang-pkg-bin-linux~386~1.4.2~3.16.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"golang-pkg-plan9\", rpm:\"golang-pkg-plan9~386~1.4.2~3.16.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"golang-pkg-netbsd-arm\", rpm:\"golang-pkg-netbsd-arm~1.4.2~3.16.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"golang-pkg-windows-amd64\", rpm:\"golang-pkg-windows-amd64~1.4.2~3.16.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"golang-pkg-openbsd\", rpm:\"golang-pkg-openbsd~386~1.4.2~3.16.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"golang-pkg-freebsd-amd64\", rpm:\"golang-pkg-freebsd-amd64~1.4.2~3.16.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"golang-pkg-windows\", rpm:\"golang-pkg-windows~386~1.4.2~3.16.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"golang-pkg-openbsd-amd64\", rpm:\"golang-pkg-openbsd-amd64~1.4.2~3.16.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"golang-pkg-darwin-amd64\", rpm:\"golang-pkg-darwin-amd64~1.4.2~3.16.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"golang-pkg-freebsd\", rpm:\"golang-pkg-freebsd~386~1.4.2~3.16.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"golang-pkg-linux-arm\", rpm:\"golang-pkg-linux-arm~1.4.2~3.16.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"golang-pkg-darwin\", rpm:\"golang-pkg-darwin~386~1.4.2~3.16.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"golang-pkg-netbsd\", rpm:\"golang-pkg-netbsd~386~1.4.2~3.16.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"golang-pkg-linux\", rpm:\"golang-pkg-linux~386~1.4.2~3.16.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"golang-src\", rpm:\"golang-src~1.4.2~3.16.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"golang-pkg-netbsd-amd64\", rpm:\"golang-pkg-netbsd-amd64~1.4.2~3.16.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"golang-pkg-linux-amd64\", rpm:\"golang-pkg-linux-amd64~1.4.2~3.16.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"golang-pkg-freebsd-arm\", rpm:\"golang-pkg-freebsd-arm~1.4.2~3.16.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"golang-pkg-plan9-amd64\", rpm:\"golang-pkg-plan9-amd64~1.4.2~3.16.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:37:01", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2015-10-02T00:00:00", "id": "OPENVAS:1361412562310869977", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310869977", "title": "Fedora Update for golang FEDORA-2015-15618", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for golang FEDORA-2015-15618\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.869977\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2015-10-02 07:09:24 +0200 (Fri, 02 Oct 2015)\");\n script_cve_id(\"CVE-2015-5739\", \"CVE-2015-5740\", \"CVE-2015-5741\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for golang FEDORA-2015-15618\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'golang'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"golang on Fedora 21\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2015-15618\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2015-October/168029.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC21\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC21\")\n{\n\n if ((res = isrpmvuln(pkg:\"golang\", rpm:\"golang~1.5.1~0.fc21\", rls:\"FC21\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:36:51", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2015-10-02T00:00:00", "id": "OPENVAS:1361412562310869978", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310869978", "title": "Fedora Update for golang FEDORA-2015-15619", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for golang FEDORA-2015-15619\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.869978\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2015-10-02 07:09:32 +0200 (Fri, 02 Oct 2015)\");\n script_cve_id(\"CVE-2015-5739\", \"CVE-2015-5740\", \"CVE-2015-5741\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for golang FEDORA-2015-15619\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'golang'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"golang on Fedora 22\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2015-15619\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2015-October/167997.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC22\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC22\")\n{\n\n if ((res = isrpmvuln(pkg:\"golang\", rpm:\"golang~1.5.1~0.fc22\", rls:\"FC22\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:36:51", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2015-08-20T00:00:00", "id": "OPENVAS:1361412562310869881", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310869881", "title": "Fedora Update for golang FEDORA-2015-12957", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for golang FEDORA-2015-12957\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.869881\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2015-08-20 06:42:19 +0200 (Thu, 20 Aug 2015)\");\n script_cve_id(\"CVE-2015-5739\", \"CVE-2015-5740\", \"CVE-2015-5741\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for golang FEDORA-2015-12957\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'golang'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"golang on Fedora 21\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2015-12957\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2015-August/163971.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC21\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC21\")\n{\n\n if ((res = isrpmvuln(pkg:\"golang\", rpm:\"golang~1.4.2~3.fc21\", rls:\"FC21\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2019-11-01T02:27:20", "bulletinFamily": "scanner", "description": "security fixes for net/http smuggling\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2019-11-02T00:00:00", "id": "FEDORA_2015-13002.NASL", "href": "https://www.tenable.com/plugins/nessus/85476", "published": "2015-08-18T00:00:00", "title": "Fedora 22 : golang-1.4.2-3.fc22 (2015-13002)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2015-13002.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(85476);\n script_version(\"$Revision: 2.4 $\");\n script_cvs_date(\"$Date: 2018/01/30 17:46:07 $\");\n\n script_cve_id(\"CVE-2015-5739\", \"CVE-2015-5740\", \"CVE-2015-5741\");\n script_xref(name:\"FEDORA\", value:\"2015-13002\");\n\n script_name(english:\"Fedora 22 : golang-1.4.2-3.fc22 (2015-13002)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"security fixes for net/http smuggling\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1250352\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2015-August/163980.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?d8864620\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected golang package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:golang\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:22\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/08/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/08/18\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^22([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 22.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC22\", reference:\"golang-1.4.2-3.fc22\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"golang\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-11-01T02:27:20", "bulletinFamily": "scanner", "description": "security fixes for net/http smuggling\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2019-11-02T00:00:00", "id": "FEDORA_2015-12957.NASL", "href": "https://www.tenable.com/plugins/nessus/85471", "published": "2015-08-18T00:00:00", "title": "Fedora 21 : golang-1.4.2-3.fc21 (2015-12957)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2015-12957.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(85471);\n script_version(\"$Revision: 2.4 $\");\n script_cvs_date(\"$Date: 2018/01/30 17:46:07 $\");\n\n script_cve_id(\"CVE-2015-5739\", \"CVE-2015-5740\", \"CVE-2015-5741\");\n script_xref(name:\"FEDORA\", value:\"2015-12957\");\n\n script_name(english:\"Fedora 21 : golang-1.4.2-3.fc21 (2015-12957)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"security fixes for net/http smuggling\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1250352\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2015-August/163971.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?f8d3f8ec\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected golang package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:golang\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:21\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/08/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/08/18\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^21([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 21.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC21\", reference:\"golang-1.4.2-3.fc21\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"golang\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-11-01T02:27:21", "bulletinFamily": "scanner", "description": "golang-1.5.1-0.fc21 - update to go1.5.1 golang-1.5.1-0.fc22 - update\nto go1.5.1 golang-1.5.1-0.el6 - update to go1.5.1 golang-1.5.1-0.fc23\n- update to go1.5.1 ---- bz1258166 remove srpm macros, for\ngo-srpm-macros ---- update to go1.5; shared objects for x86_64; gdb\nfixes; full http smuggle fix; fixes for tests ---- bz1258166 remove\nsrpm macros, for go-srpm-macros\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2019-11-02T00:00:00", "id": "FEDORA_2015-15619.NASL", "href": "https://www.tenable.com/plugins/nessus/86232", "published": "2015-10-02T00:00:00", "title": "Fedora 22 : golang-1.5.1-0.fc22 (2015-15619)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2015-15619.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(86232);\n script_version(\"$Revision: 2.4 $\");\n script_cvs_date(\"$Date: 2018/01/30 17:46:07 $\");\n\n script_cve_id(\"CVE-2015-5739\", \"CVE-2015-5740\", \"CVE-2015-5741\");\n script_xref(name:\"FEDORA\", value:\"2015-15619\");\n\n script_name(english:\"Fedora 22 : golang-1.5.1-0.fc22 (2015-15619)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"golang-1.5.1-0.fc21 - update to go1.5.1 golang-1.5.1-0.fc22 - update\nto go1.5.1 golang-1.5.1-0.el6 - update to go1.5.1 golang-1.5.1-0.fc23\n- update to go1.5.1 ---- bz1258166 remove srpm macros, for\ngo-srpm-macros ---- update to go1.5; shared objects for x86_64; gdb\nfixes; full http smuggle fix; fixes for tests ---- bz1258166 remove\nsrpm macros, for go-srpm-macros\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1250352\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2015-October/167997.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?24546c40\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected golang package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:golang\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:22\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/10/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/10/02\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^22([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 22.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC22\", reference:\"golang-1.5.1-0.fc22\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"golang\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-11-01T03:01:10", "bulletinFamily": "scanner", "description": "This update for go fixes the following issues :\n\n - CVE-2015-5739: ", "modified": "2019-11-02T00:00:00", "id": "OPENSUSE-2016-907.NASL", "href": "https://www.tenable.com/plugins/nessus/92596", "published": "2016-07-28T00:00:00", "title": "openSUSE Security Update : go (openSUSE-2016-907)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2016-907.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(92596);\n script_version(\"$Revision: 2.3 $\");\n script_cvs_date(\"$Date: 2018/01/26 17:15:58 $\");\n\n script_cve_id(\"CVE-2015-5739\", \"CVE-2015-5740\", \"CVE-2015-5741\");\n\n script_name(english:\"openSUSE Security Update : go (openSUSE-2016-907)\");\n script_summary(english:\"Check for the openSUSE-2016-907 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for go fixes the following issues :\n\n - CVE-2015-5739: 'Content Length' treated as valid header\n\n - CVE-2015-5740: Double content-length headers does not\n return 400 error\n\n - CVE-2015-5741: Additional hardening, not sending\n Content-Length w/Transfer-Encoding, Closing connections\n\nGo was updated to 1.4.3 with the following additional changes :\n\n - build: remove -Werror from cmd/dist\n\n - runtime: panic when accessing an empty struct value\n appended to an uninitialized slice\n\n - runtime: garbage collector found invalid heap pointer\n iterating over map\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=989630\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected go packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:go\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:go-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:go-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:13.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/07/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/07/28\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE13\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"13.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE13.2\", reference:\"go-1.4.3-15.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"go-debuginfo-1.4.3-15.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"go-debugsource-1.4.3-15.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"go / go-debuginfo / go-debugsource\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-11-01T02:27:20", "bulletinFamily": "scanner", "description": "golang-1.5.1-0.fc21 - update to go1.5.1 golang-1.5.1-0.fc22 - update\nto go1.5.1 golang-1.5.1-0.el6 - update to go1.5.1 golang-1.5.1-0.fc23\n- update to go1.5.1 ---- update to go1.5; shared objects for x86_64;\ngdb fixes; full http smuggle fix; fixes for tests\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2019-11-02T00:00:00", "id": "FEDORA_2015-15618.NASL", "href": "https://www.tenable.com/plugins/nessus/86231", "published": "2015-10-02T00:00:00", "title": "Fedora 21 : golang-1.5.1-0.fc21 (2015-15618)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2015-15618.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(86231);\n script_version(\"$Revision: 2.4 $\");\n script_cvs_date(\"$Date: 2018/01/30 17:46:07 $\");\n\n script_cve_id(\"CVE-2015-5739\", \"CVE-2015-5740\", \"CVE-2015-5741\");\n script_xref(name:\"FEDORA\", value:\"2015-15618\");\n\n script_name(english:\"Fedora 21 : golang-1.5.1-0.fc21 (2015-15618)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"golang-1.5.1-0.fc21 - update to go1.5.1 golang-1.5.1-0.fc22 - update\nto go1.5.1 golang-1.5.1-0.el6 - update to go1.5.1 golang-1.5.1-0.fc23\n- update to go1.5.1 ---- update to go1.5; shared objects for x86_64;\ngdb fixes; full http smuggle fix; fixes for tests\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1250352\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2015-October/168029.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?4e36930b\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected golang package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:golang\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:21\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/10/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/10/02\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^21([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 21.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC21\", reference:\"golang-1.5.1-0.fc21\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"golang\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-11-01T02:13:58", "bulletinFamily": "scanner", "description": "As discussed upstream -- here and here -- the Go project received\nnotification of an HTTP request smuggling vulnerability in the\nnet/http library. Invalid headers are parsed as valid headers (like\n", "modified": "2019-11-02T00:00:00", "id": "ALA_ALAS-2015-588.NASL", "href": "https://www.tenable.com/plugins/nessus/85633", "published": "2015-08-26T00:00:00", "title": "Amazon Linux AMI : golang / docker (ALAS-2015-588)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2015-588.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(85633);\n script_version(\"2.5\");\n script_cvs_date(\"Date: 2018/11/19 11:02:41\");\n\n script_cve_id(\"CVE-2015-5739\", \"CVE-2015-5740\", \"CVE-2015-5741\");\n script_xref(name:\"ALAS\", value:\"2015-588\");\n\n script_name(english:\"Amazon Linux AMI : golang / docker (ALAS-2015-588)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"As discussed upstream -- here and here -- the Go project received\nnotification of an HTTP request smuggling vulnerability in the\nnet/http library. Invalid headers are parsed as valid headers (like\n'Content Length:' with a space in the middle) and Double\nContent-length headers in a request does not generate a 400 error, the\nsecond Content-length is ignored.\"\n );\n # http://seclists.org/oss-sec/2015/q3/237\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://seclists.org/oss-sec/2015/q3/237\"\n );\n # http://seclists.org/oss-sec/2015/q3/294\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://seclists.org/oss-sec/2015/q3/294\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2015-588.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Run 'yum update golang docker' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:docker\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:docker-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:docker-pkg-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:golang\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:golang-pkg-bin-linux-386\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:golang-pkg-bin-linux-amd64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:golang-pkg-darwin-386\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:golang-pkg-darwin-amd64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:golang-pkg-freebsd-386\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:golang-pkg-freebsd-amd64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:golang-pkg-freebsd-arm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:golang-pkg-linux-386\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:golang-pkg-linux-amd64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:golang-pkg-linux-arm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:golang-pkg-netbsd-386\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:golang-pkg-netbsd-amd64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:golang-pkg-netbsd-arm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:golang-pkg-openbsd-386\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:golang-pkg-openbsd-amd64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:golang-pkg-plan9-386\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:golang-pkg-plan9-amd64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:golang-pkg-windows-386\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:golang-pkg-windows-amd64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:golang-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/08/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/08/26\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", cpu:\"x86_64\", reference:\"docker-1.6.2-1.3.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", cpu:\"x86_64\", reference:\"docker-devel-1.6.2-1.3.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", cpu:\"x86_64\", reference:\"docker-pkg-devel-1.6.2-1.3.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"golang-1.4.2-3.16.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", cpu:\"i686\", reference:\"golang-pkg-bin-linux-386-1.4.2-3.16.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", cpu:\"x86_64\", reference:\"golang-pkg-bin-linux-amd64-1.4.2-3.16.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"golang-pkg-darwin-386-1.4.2-3.16.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"golang-pkg-darwin-amd64-1.4.2-3.16.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"golang-pkg-freebsd-386-1.4.2-3.16.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"golang-pkg-freebsd-amd64-1.4.2-3.16.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"golang-pkg-freebsd-arm-1.4.2-3.16.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"golang-pkg-linux-386-1.4.2-3.16.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"golang-pkg-linux-amd64-1.4.2-3.16.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"golang-pkg-linux-arm-1.4.2-3.16.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"golang-pkg-netbsd-386-1.4.2-3.16.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"golang-pkg-netbsd-amd64-1.4.2-3.16.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"golang-pkg-netbsd-arm-1.4.2-3.16.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"golang-pkg-openbsd-386-1.4.2-3.16.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"golang-pkg-openbsd-amd64-1.4.2-3.16.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"golang-pkg-plan9-386-1.4.2-3.16.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"golang-pkg-plan9-amd64-1.4.2-3.16.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"golang-pkg-windows-386-1.4.2-3.16.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"golang-pkg-windows-amd64-1.4.2-3.16.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"golang-src-1.4.2-3.16.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"docker / docker-devel / docker-pkg-devel / golang / etc\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-11-01T02:37:33", "bulletinFamily": "scanner", "description": "Jason Buberel, Go Product Manager, reports :\n\nCVE-2015-5739 - ", "modified": "2019-11-02T00:00:00", "id": "FREEBSD_PKG_4464212E4ACD11E5934B002590263BF5.NASL", "href": "https://www.tenable.com/plugins/nessus/85641", "published": "2015-08-26T00:00:00", "title": "FreeBSD : go -- multiple vulnerabilities (4464212e-4acd-11e5-934b-002590263bf5)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(85641);\n script_version(\"2.5\");\n script_cvs_date(\"Date: 2018/11/21 10:46:31\");\n\n script_cve_id(\"CVE-2015-5739\", \"CVE-2015-5740\", \"CVE-2015-5741\");\n\n script_name(english:\"FreeBSD : go -- multiple vulnerabilities (4464212e-4acd-11e5-934b-002590263bf5)\");\n script_summary(english:\"Checks for updated packages in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Jason Buberel, Go Product Manager, reports :\n\nCVE-2015-5739 - 'Content Length' treated as valid header\n\nCVE-2015-5740 - Double content-length headers does not return 400\nerror\n\nCVE-2015-5741 - Additional hardening, not sending Content-Length\nw/Transfer-Encoding, Closing connections\"\n );\n # https://github.com/golang/go/commit/117ddcb83d7f42d6aa72241240af99ded81118e9\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?14d69ded\"\n );\n # https://github.com/golang/go/commit/143822585e32449860e624cace9d2e521deee62e\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?981f69a2\"\n );\n # https://github.com/golang/go/commit/300d9a21583e7cf0149a778a0611e76ff7c6680f\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?27017e66\"\n );\n # http://seclists.org/oss-sec/2015/q3/237\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://seclists.org/oss-sec/2015/q3/237\"\n );\n # https://vuxml.freebsd.org/freebsd/4464212e-4acd-11e5-934b-002590263bf5.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?60d0b169\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:go\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:go14\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/07/29\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/08/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/08/26\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"go<1.4.3,1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"go14<1.4.3\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-11-01T03:21:09", "bulletinFamily": "scanner", "description": "An update for golang is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe golang packages provide the Go programming language compiler.\n\nThe following packages have been upgraded to a newer upstream version:\ngolang (1.6.3). (BZ#1346331)\n\nSecurity Fix(es) :\n\n* An input-validation flaw was discovered in the Go programming\nlanguage built in CGI implementation, which set the environment\nvariable ", "modified": "2019-11-02T00:00:00", "id": "REDHAT-RHSA-2016-1538.NASL", "href": "https://www.tenable.com/plugins/nessus/92693", "published": "2016-08-03T00:00:00", "title": "RHEL 7 : golang (RHSA-2016:1538) (httpoxy)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2016:1538. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(92693);\n script_version(\"2.17\");\n script_cvs_date(\"Date: 2019/10/24 15:35:41\");\n\n script_cve_id(\"CVE-2015-5739\", \"CVE-2015-5740\", \"CVE-2015-5741\", \"CVE-2016-3959\", \"CVE-2016-5386\");\n script_xref(name:\"RHSA\", value:\"2016:1538\");\n\n script_name(english:\"RHEL 7 : golang (RHSA-2016:1538) (httpoxy)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for golang is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe golang packages provide the Go programming language compiler.\n\nThe following packages have been upgraded to a newer upstream version:\ngolang (1.6.3). (BZ#1346331)\n\nSecurity Fix(es) :\n\n* An input-validation flaw was discovered in the Go programming\nlanguage built in CGI implementation, which set the environment\nvariable 'HTTP_PROXY' using the incoming 'Proxy' HTTP-request header.\nThe environment variable 'HTTP_PROXY' is used by numerous web clients,\nincluding Go's net/http package, to specify a proxy server to use for\nHTTP and, in some cases, HTTPS requests. This meant that when a\nCGI-based web application ran, an attacker could specify a proxy\nserver which the application then used for subsequent outgoing\nrequests, allowing a man-in-the-middle attack. (CVE-2016-5386)\n\nRed Hat would like to thank Scott Geary (VendHQ) for reporting this\nissue.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2016:1538\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-5739\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-5740\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-5741\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-3959\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-5386\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:golang\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:golang-bin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:golang-docs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:golang-misc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:golang-src\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:golang-tests\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/05/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/08/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/08/03\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 7.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2016:1538\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"golang-1.6.3-1.el7_2.1\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"golang-bin-1.6.3-1.el7_2.1\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"golang-docs-1.6.3-1.el7_2.1\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"golang-misc-1.6.3-1.el7_2.1\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"golang-src-1.6.3-1.el7_2.1\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"golang-tests-1.6.3-1.el7_2.1\")) flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"golang / golang-bin / golang-docs / golang-misc / golang-src / etc\");\n }\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-11-01T03:14:38", "bulletinFamily": "scanner", "description": "From Red Hat Security Advisory 2016:1538 :\n\nAn update for golang is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe golang packages provide the Go programming language compiler.\n\nThe following packages have been upgraded to a newer upstream version:\ngolang (1.6.3). (BZ#1346331)\n\nSecurity Fix(es) :\n\n* An input-validation flaw was discovered in the Go programming\nlanguage built in CGI implementation, which set the environment\nvariable ", "modified": "2019-11-02T00:00:00", "id": "ORACLELINUX_ELSA-2016-1538.NASL", "href": "https://www.tenable.com/plugins/nessus/92687", "published": "2016-08-03T00:00:00", "title": "Oracle Linux 7 : golang (ELSA-2016-1538) (httpoxy)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2016:1538 and \n# Oracle Linux Security Advisory ELSA-2016-1538 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(92687);\n script_version(\"2.12\");\n script_cvs_date(\"Date: 2019/09/27 13:00:37\");\n\n script_cve_id(\"CVE-2015-5739\", \"CVE-2015-5740\", \"CVE-2015-5741\", \"CVE-2016-3959\", \"CVE-2016-5386\");\n script_xref(name:\"RHSA\", value:\"2016:1538\");\n\n script_name(english:\"Oracle Linux 7 : golang (ELSA-2016-1538) (httpoxy)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2016:1538 :\n\nAn update for golang is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe golang packages provide the Go programming language compiler.\n\nThe following packages have been upgraded to a newer upstream version:\ngolang (1.6.3). (BZ#1346331)\n\nSecurity Fix(es) :\n\n* An input-validation flaw was discovered in the Go programming\nlanguage built in CGI implementation, which set the environment\nvariable 'HTTP_PROXY' using the incoming 'Proxy' HTTP-request header.\nThe environment variable 'HTTP_PROXY' is used by numerous web clients,\nincluding Go's net/http package, to specify a proxy server to use for\nHTTP and, in some cases, HTTPS requests. This meant that when a\nCGI-based web application ran, an attacker could specify a proxy\nserver which the application then used for subsequent outgoing\nrequests, allowing a man-in-the-middle attack. (CVE-2016-5386)\n\nRed Hat would like to thank Scott Geary (VendHQ) for reporting this\nissue.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2016-August/006244.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected golang packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:golang\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:golang-bin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:golang-docs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:golang-misc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:golang-src\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:golang-tests\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/05/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/08/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/08/03\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 7\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"golang-1.6.3-1.el7_2.1\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"golang-bin-1.6.3-1.el7_2.1\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"golang-docs-1.6.3-1.el7_2.1\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"golang-misc-1.6.3-1.el7_2.1\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"golang-src-1.6.3-1.el7_2.1\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"golang-tests-1.6.3-1.el7_2.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"golang / golang-bin / golang-docs / golang-misc / golang-src / etc\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-11-01T02:15:31", "bulletinFamily": "scanner", "description": "An update for golang is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe golang packages provide the Go programming language compiler.\n\nThe following packages have been upgraded to a newer upstream version:\ngolang (1.6.3). (BZ#1346331)\n\nSecurity Fix(es) :\n\n* An input-validation flaw was discovered in the Go programming\nlanguage built in CGI implementation, which set the environment\nvariable ", "modified": "2019-11-02T00:00:00", "id": "CENTOS_RHSA-2016-1538.NASL", "href": "https://www.tenable.com/plugins/nessus/92680", "published": "2016-08-03T00:00:00", "title": "CentOS 7 : golang (CESA-2016:1538) (httpoxy)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2016:1538 and \n# CentOS Errata and Security Advisory 2016:1538 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(92680);\n script_version(\"2.13\");\n script_cvs_date(\"Date: 2019/10/02 15:30:20\");\n\n script_cve_id(\"CVE-2015-5739\", \"CVE-2015-5740\", \"CVE-2015-5741\", \"CVE-2016-3959\", \"CVE-2016-5386\");\n script_xref(name:\"RHSA\", value:\"2016:1538\");\n\n script_name(english:\"CentOS 7 : golang (CESA-2016:1538) (httpoxy)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for golang is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe golang packages provide the Go programming language compiler.\n\nThe following packages have been upgraded to a newer upstream version:\ngolang (1.6.3). (BZ#1346331)\n\nSecurity Fix(es) :\n\n* An input-validation flaw was discovered in the Go programming\nlanguage built in CGI implementation, which set the environment\nvariable 'HTTP_PROXY' using the incoming 'Proxy' HTTP-request header.\nThe environment variable 'HTTP_PROXY' is used by numerous web clients,\nincluding Go's net/http package, to specify a proxy server to use for\nHTTP and, in some cases, HTTPS requests. This meant that when a\nCGI-based web application ran, an attacker could specify a proxy\nserver which the application then used for subsequent outgoing\nrequests, allowing a man-in-the-middle attack. (CVE-2016-5386)\n\nRed Hat would like to thank Scott Geary (VendHQ) for reporting this\nissue.\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2016-August/022005.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?e91e6b89\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected golang packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:golang\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:golang-bin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:golang-docs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:golang-misc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:golang-src\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:golang-tests\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/05/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/08/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/08/03\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/CentOS/release\");\nif (isnull(release) || \"CentOS\" >!< release) audit(AUDIT_OS_NOT, \"CentOS\");\nos_ver = pregmatch(pattern: \"CentOS(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"CentOS\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"CentOS 7.x\", \"CentOS \" + os_ver);\n\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"golang-1.6.3-1.el7_2.1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"golang-bin-1.6.3-1.el7_2.1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"golang-docs-1.6.3-1.el7_2.1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"golang-misc-1.6.3-1.el7_2.1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"golang-src-1.6.3-1.el7_2.1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"golang-tests-1.6.3-1.el7_2.1\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"golang / golang-bin / golang-docs / golang-misc / golang-src / etc\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "freebsd": [{"lastseen": "2019-05-29T18:33:05", "bulletinFamily": "unix", "description": "\nJason Buberel, Go Product Manager, reports:\n\nCVE-2015-5739 - \"Content Length\" treated as valid header\nCVE-2015-5740 - Double content-length headers does not return 400\n\t error\nCVE-2015-5741 - Additional hardening, not sending Content-Length\n\t w/Transfer-Encoding, Closing connections\n\n", "modified": "2015-07-29T00:00:00", "published": "2015-07-29T00:00:00", "id": "4464212E-4ACD-11E5-934B-002590263BF5", "href": "https://vuxml.freebsd.org/freebsd/4464212e-4acd-11e5-934b-002590263bf5.html", "title": "go -- multiple vulnerabilities", "type": "freebsd", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "amazon": [{"lastseen": "2019-05-29T19:20:36", "bulletinFamily": "unix", "description": "**Issue Overview:**\n\nAs discussed upstream -- [here ](<http://seclists.org/oss-sec/2015/q3/294>) and [here](<http://seclists.org/oss-sec/2015/q3/237>) \\-- the Go project received notification of an HTTP request smuggling vulnerability in the net/http library. Invalid headers are parsed as valid headers (like \"Content Length:\" with a space in the middle) and Double Content-length headers in a request does not generate a 400 error, the second Content-length is ignored.\n\n \n**Affected Packages:** \n\n\ngolang,docker\n\n \n**Issue Correction:** \nRun _yum update golang docker_ to update your system.\n\n \n\n\n**New Packages:**\n \n \n i686: \n golang-pkg-bin-linux-386-1.4.2-3.16.amzn1.i686 \n golang-1.4.2-3.16.amzn1.i686 \n \n noarch: \n golang-pkg-plan9-386-1.4.2-3.16.amzn1.noarch \n golang-pkg-netbsd-arm-1.4.2-3.16.amzn1.noarch \n golang-pkg-windows-amd64-1.4.2-3.16.amzn1.noarch \n golang-pkg-openbsd-386-1.4.2-3.16.amzn1.noarch \n golang-pkg-freebsd-amd64-1.4.2-3.16.amzn1.noarch \n golang-pkg-windows-386-1.4.2-3.16.amzn1.noarch \n golang-pkg-openbsd-amd64-1.4.2-3.16.amzn1.noarch \n golang-pkg-darwin-amd64-1.4.2-3.16.amzn1.noarch \n golang-pkg-freebsd-386-1.4.2-3.16.amzn1.noarch \n golang-pkg-linux-arm-1.4.2-3.16.amzn1.noarch \n golang-pkg-darwin-386-1.4.2-3.16.amzn1.noarch \n golang-pkg-netbsd-386-1.4.2-3.16.amzn1.noarch \n golang-pkg-linux-386-1.4.2-3.16.amzn1.noarch \n golang-src-1.4.2-3.16.amzn1.noarch \n golang-pkg-netbsd-amd64-1.4.2-3.16.amzn1.noarch \n golang-pkg-linux-amd64-1.4.2-3.16.amzn1.noarch \n golang-pkg-freebsd-arm-1.4.2-3.16.amzn1.noarch \n golang-pkg-plan9-amd64-1.4.2-3.16.amzn1.noarch \n \n src: \n golang-1.4.2-3.16.amzn1.src \n docker-1.6.2-1.3.amzn1.src \n \n x86_64: \n golang-1.4.2-3.16.amzn1.x86_64 \n golang-pkg-bin-linux-amd64-1.4.2-3.16.amzn1.x86_64 \n docker-1.6.2-1.3.amzn1.x86_64 \n docker-devel-1.6.2-1.3.amzn1.x86_64 \n docker-pkg-devel-1.6.2-1.3.amzn1.x86_64 \n \n \n", "modified": "2015-08-24T22:42:00", "published": "2015-08-24T22:42:00", "id": "ALAS-2015-588", "href": "https://alas.aws.amazon.com/ALAS-2015-588.html", "title": "Medium: golang,docker", "type": "amazon", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cloudfoundry": [{"lastseen": "2019-05-29T18:33:05", "bulletinFamily": "software", "description": "Golang 1.4.3 CVE Fixes\n\n# \n\nLow\n\n# Vendor\n\nGoogle\n\n# Versions Affected\n\n * Golang v1.4.2 and lower \n\n# Description\n\nSeveral security issues were fixed in Go\u2019s net / http package.\n\nThe CVE issue descriptions and fixes are linked below:\n\n * CVE-2015-5739 \u2013 \u2018Content Length\u2019 treated as valid header: <https://go-review.googlesource.com/#/c/11772/>\n * CVE-2015-5740 \u2013 Double content-length headers does not return 400 error: <https://go-review.googlesource.com/#/c/11810/>\n * CVE-2015-5741 \u2013 Additional hardening, not sending Content-Length w/Transfer-Encoding, Closing connections:\n * <https://go-review.googlesource.com/#/c/11810/>\n * <https://go-review.googlesource.com/#/c/12865/>\n * <https://go-review.googlesource.com/#/c/13148/>\n\n# Affected Products and Versions\n\n_Severity is low unless otherwise noted. \n_\n\n * BOSH: All versions of Cloud Foundry BOSH stemcells prior to v3094 are vulnerable to the aforementioned CVE. \n * Cloud Foundry Runtime: all versions of cf-release prior to 219 are vulnerable to the aforementioned CVEs. \n * Go Buildpack: all versions of the buildpack prior to 1.6.2 contain a vulnerable version of Go. \n\n# Mitigation\n\nUsers of affected versions should apply the following mitigation:\n\n * The Cloud Foundry project recommends that Cloud Foundry Deployments using BOSH stemcell v3093 or earlier upgrade to v3094 or later, which contain the patched versions of the Linux kernel to resolve the aforementioned CVEs. \n * The Cloud Foundry project recommends that Cloud Foundry Deployments using cf-release 218 or lower upgrade to 219 or higher to resolve the aforementioned CVEs. \n\n# Credit\n\nJed Denlea and R\u00e9gis Leroy\n\n# References\n\n * <https://groups.google.com/forum/#!topic/golang-announce/iSIyW4lM4hY>\n * <https://bosh.io/stemcells>\n * <https://github.com/cloudfoundry/cf-release>\n", "modified": "2015-10-07T00:00:00", "published": "2015-10-07T00:00:00", "id": "CFOUNDRY:49E12FFB172ED25FC5E4B1AC01EEF7BF", "href": "https://www.cloudfoundry.org/blog/golang-1-4-3/", "title": "Golang 1.4.3 CVE Fixes | Cloud Foundry", "type": "cloudfoundry", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "centos": [{"lastseen": "2019-05-29T18:35:46", "bulletinFamily": "unix", "description": "**CentOS Errata and Security Advisory** CESA-2016:1538\n\n\nThe golang packages provide the Go programming language compiler.\n\nThe following packages have been upgraded to a newer upstream version: golang (1.6.3). (BZ#1346331)\n\nSecurity Fix(es):\n\n* An input-validation flaw was discovered in the Go programming language built in CGI implementation, which set the environment variable \"HTTP_PROXY\" using the incoming \"Proxy\" HTTP-request header. The environment variable \"HTTP_PROXY\" is used by numerous web clients, including Go's net/http package, to specify a proxy server to use for HTTP and, in some cases, HTTPS requests. This meant that when a CGI-based web application ran, an attacker could specify a proxy server which the application then used for subsequent outgoing requests, allowing a man-in-the-middle attack. (CVE-2016-5386)\n\nRed Hat would like to thank Scott Geary (VendHQ) for reporting this issue.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2016-August/022005.html\n\n**Affected packages:**\ngolang\ngolang-bin\ngolang-docs\ngolang-misc\ngolang-src\ngolang-tests\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2016-1538.html", "modified": "2016-08-02T21:57:55", "published": "2016-08-02T21:57:55", "id": "CESA-2016:1538", "href": "http://lists.centos.org/pipermail/centos-announce/2016-August/022005.html", "title": "golang security update", "type": "centos", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "redhat": [{"lastseen": "2019-08-13T18:45:08", "bulletinFamily": "unix", "description": "The golang packages provide the Go programming language compiler.\n\nThe following packages have been upgraded to a newer upstream version: golang (1.6.3). (BZ#1346331)\n\nSecurity Fix(es):\n\n* An input-validation flaw was discovered in the Go programming language built in CGI implementation, which set the environment variable \"HTTP_PROXY\" using the incoming \"Proxy\" HTTP-request header. The environment variable \"HTTP_PROXY\" is used by numerous web clients, including Go's net/http package, to specify a proxy server to use for HTTP and, in some cases, HTTPS requests. This meant that when a CGI-based web application ran, an attacker could specify a proxy server which the application then used for subsequent outgoing requests, allowing a man-in-the-middle attack. (CVE-2016-5386)\n\nRed Hat would like to thank Scott Geary (VendHQ) for reporting this issue.", "modified": "2018-04-12T03:32:51", "published": "2016-08-02T17:46:33", "id": "RHSA-2016:1538", "href": "https://access.redhat.com/errata/RHSA-2016:1538", "type": "redhat", "title": "(RHSA-2016:1538) Moderate: golang security, bug fix, and enhancement update", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "hackerone": [{"lastseen": "2019-11-20T17:03:05", "bulletinFamily": "bugbounty", "bounty": 0.0, "description": "Theses reports spreads other several years and are all about **HTTP Smuggling issues**\n(HTTP Requests or Responses splitting, Cache Poisoning, Security filter bypass).\nI've made reports on a wide range of open source projects, explaining\nthe (not always easy) problems to the various security maintainers and testing the fixs.\n\nThe starting point for this work was the 2005 work published by Amit Klein and some others:\n\n * 2004 - Amit Klein : \"Divide and Conquer: HTTP Response Splitting, Web Cache Poisoning Attacks, and Related Topics\" https://packetstormsecurity.com/papers/general/whitepaper_httpresponse.pdf\n * 2005 - Chaim Linhart, Amit Klein, Ronen Heled, Steve Orrin: \"HTTP Request Smuggling\" https://www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf\n * 2006 - Amit Klein: \"HTTP Message Splitting, Smuggling and Other Animals\" www.owasp.org/images/1/1a/OWASPAppSecEU2006_HTTPMessageSplittingSmugglingEtc.ppt \n * 2005 - Amit Klein: \"HTTP Request Smuggling - ERRATA (the IIS 48K buffer phenomenon)\" \n * 2006 - Amit Klein: \u201cHTTP Response Smuggling\u201d https://www.securityfocus.com/archive/1/425593\n * 2006 - Amit Klein\u00a0: HTTP Response Smuggling http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2006-February/000836.html\n * RFC 7230 section 9 (splitting, parsing, smuggling, poisoning) https://tools.ietf.org/html/rfc7230#section-9\n\nAnd also the works of James Kettle on HTTP Host headers \"Practical HTTP Host header attacks (Absolute uri in host headers)\"\nhttps://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html\nand, later, his work on ESI server or pingbacks and cache attacks or Pratical Web Cache Poisoning.\n\nIn 2015, Starting from these past studies, I studied **Apache**, **Nginx**, **Varnish** source code, I discovered\nthat a lot of smuggling problems were still present, found new ones based on overflows for the size\nattributes (previous works were mostly based on doubling length information) and expanded my works on\n**Golang**, **Nodejs**, **pound**, **HaProxy**, **Jetty**, **Tomcat**, **Apache Traffic Server**...\n\nI sometime had to push for disclosure of fixed vulnerabilitie (Varnish 3) via bugtraq.\nBut in most of the case it's been a matter a patience -- the long time between reports and fixes\nha also something to deal with lazyness on my side as security is not the biggest part of my job --\nas most of the fix implies updates on HTTP servers, which is not something as fast as updating a web\napplication framework. I did not get a security report or a CVE for each reported flaw, especially\non the first years. Smuggling is sometimes hard to explain (and public disclosure policies\nare not always liked on HTTP servers dev teams).\n\nThe main problem of HTTP smuggling issues is that the final exploitation comes from **interactions between different http parsers**. If two actors badly interprets the HTTP message or disagree on the right\ninterpretation then bad things could happen. From the security maintainer point of view it's sometimes\neasy to reject the problem as coming from the others.\n\nIt's also **very important** to understand that the attacker controls the HTTP message, **we do not use HTTP messages from browsers**, the attacker injects bad HTTP messages onto servers infrastructures, effects on the users comes later, when the real user HTTP messages reach the *infected* or *shaken* servers. *Like when you do report a smuggling issue on hackerone reports, they prevent reporters that issues about header injection are not always security issues because we cannot control the user headers. That's a huge misunderstanding of smuggling payloads*.\n\nI've made some blog posts explaining details (I still have one awaiting vendor authorization) for some\nof the fixed problems.\n\nAnd I also made a **Defcon 24** presentation on 2016. For someone knowing nothing on smuggling\nit's a good starting point (links on next part below).\n\nNote : my work is usually reported with the name 'regilero', and sometimes 'R\u00e9gis Leroy'.\n\n# Public ressources published\n\n * 2015 : Nginx Integer truncation : https://regilero.github.io/english/security/2015/03/25/nginx-integer_truncation/\n * 2015\u00a0: Checking HTTP Smuggling issues in 2015 \u2013 Part1 http://regilero.github.io/security/english/2015/10/04/http_smuggling_in_2015_part_one \n * 2016\u00a0: Defcon 24\u00a0: Hiding Wookiees in HTTP: HTTP smuggling https://media.defcon.org/DEF%20CON%2024/DEF%20CON%2024%20presentations/DEF%20CON%2024%20-%20Regilero-Hiding-Wookiees-In-Http.pdf\n - Defcon presentation : https://www.youtube.com/watch?v=dVU9i5PsMPY\n - Defcon demos : https://www.youtube.com/watch?v=lY_Mf2Fv7kI (which were not available on time due to Linux not supported by Defcon !!)\n * 2018 : HTTP Smuggling, Apsis Pound load balancer : https://regilero.github.io/english/security/2018/07/03/security_pound_http_smuggling/\n * 2019 : HTTP Smuggling, Jetty : https://regilero.github.io/english/security/2019/04/24/security_jetty_http_smuggling/\n \nTools: HTTPWookiee : https://github.com/regilero/HTTPWookiee : this contains a small subset of the real tests I perform on HTTP servers.\n\n# List of CVEs\n\n## Apache Traffic Server\n\n * **CVE-2018-8004** : space before colon + force connection close on error 400 + duplicate Content-Lenght issues + bad parsing of request size on cache hit\n\n## Jetty\n\n * **CVE-2017-7656** : HTTP/0.9 Request Smuggling\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7656 (score 6.5)\n\n * **CVE-2017-7657**: Transfer-Encoding Request Smuggling\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7657 (score 6.5)\n\n * **CVE-2017-7658**: Too Tolerant Parser, Double Content-Length + Transfer-Encoding + Whitespace \n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7658 (score 6.5)\n\n\n# Apache httpd\n\n * https://bz.apache.org/bugzilla/show_bug.cgi?id=57832 : Apache issues on 'socket poisoning', where we could store HTTP responses on\n the reverse proxy by sending extra responses, and mix these response with other users later. Not fixed via a CVE because this behavior\n was not considered as a real security issue (it's a consequence of a successful splitting attack on the backend, or of a compromised backend).\n If you ask my opinion this is one of the most problematic issue I found on these 5 years. Fixs were included in 2016 on version 2.4.24.\n\n * **CVE-2016-8743** : httpd: Apache HTTP Request Parsing Whitespace Defects : problems with CR, FF, VTAB and others strange characeters in parsing HTTP messages\n especially the space before colon problem. They were also some HTTP 0.9 downgrades.\n This work contributed to the internal dev debates around the HttpProtocolOptions\u00a0Strict|LenientMethods|Allow0.9 option added on 2.4\n\n * **CVE-2015-3183** : chunk header attribute truncation (low)\n\n# Facebook Proxygen\n\nProxygen is a C++ Open Source library which is the core library for Facebook HTTP related projects\n\nIn 2016 I reported several smuggling issues (about doubled headers or bad end of line, for example), via the facebook bounty program `#1710044992591113`\n\n# Apsis Pound\n\nPound is an open Source SSL terminator, but the project has not published major changes for a long time, and I experienced difficulties having my reports fixed and delivered to final users.\nAfter reports on 09-2016 a Version 2.8a fixing the flaws was published on 10-2016 but marked as experimental.\nDetails of the flaws were published in 07-2018. CVE was reserved by myslef on 2018-01. A version 2.8 was published on 2018-05.\n\n * **CVE-2016-10711** : Apsis Pound before 2.8a allows request smuggling via crafted headers\n\nDetails of issues (double Content Length, chunk prioriy, headers concatenation vuia NULL character, etc.) are published on my blog post https://regilero.github.io/english/security/2018/07/03/security_pound_http_smuggling/\n\n# Nodejs\n\n * **CVE-2016-2086** (but not CVE-2016-2216 from the same release) : support of bad end of lines (especially \\r followed by anything) + double Content Length, + mixed chunked and Content Length + space before colon\n\n# Tomcat\n\n * **CVE-2016-6816** : Tomcat 6,7 & 8: HTTP/0.9 downgrade and various bad characters support\n\n#\u00a0Varnish\n\n * Varnish3 : **CVE-2015-8852** : received after public disclosure : https://seclists.org/oss-sec/2016/q2/95\n * Varnish4 : 2016 : space before colon fix without CVE : https://github.com/varnishcache/varnish-cache/commit/0577f3fba200e45c05099427eec01610ee061436\n cache poisoning of Varnish4 with a golang traefik server as backend was demonstrated to the project maintainer, but the project 'does not like CVE'.\n * Varnish 4 : 2016 messsage splitting on bad characters fixed without CVE : https://github.com/varnishcache/varnish-cache/commit/d1eb31109f614976f06dd506a63e0fa21185a89b\n\nHTTP/0.9 support was also removed after my reports in 2015, but without public disclosure of potential abuse.\n\n# golang (go language)\n\n * **CVE-2015-5739** : \"Content Length\" magically fixed to \"Content-Length.\"\n * **CVE-2015-5740** : support of double Content-Length\n * 01-2016\u00a0: integer overflow on chunk size : https://go-review.googlesource.com/c/go/+/18871\n * 06-2016\u00a0: downgrade HTTP/0.9 : https://github.com/golang/go/issues/16197, no CVE, as described in the commit comment\n \"@regilero also mentioned there might be some cache poisoning or request smuggling possibilities here, but I don't see how. It seems to only affect the person making the bogus request.\" (sic)\n * 06-2016\u00a0: Splitting on space + colon\n\n# Nginx\n\nNot the project where I had the most success, I do not think any smuggling issue would be considered a security issue.\n\n * Integer overflow on Content Length : fixed without CVE : http://hg.nginx.org/nginx/rev/15a15f6ae3a2 after a report and a proposed patch (not as good as the final one)\n the security team 'don't consider this to be something serious from security point of view and have no plans for CVE and/or security advisories'.\n I made examples of exploitation at https://regilero.github.io/english/security/2015/03/25/nginx-integer_truncation/\n * https://trac.nginx.org/nginx/ticket/762 : 0.9 downgrade: protocol version overflow; HTTP/65536.8 or HTTP/65536.9 treated as a 0.9 request\n rejected as a security issue, classified as minor issue, fixed 1 year and 6 month after public report (11-2016). This was in my mind quite huge.\n * https://trac.nginx.org/nginx/ticket/1014 : wontfix : I'd like an error 400 instead of silently ignoring a bad header, no success\n\n# OpenBSD\n\nIn 2015 the OpenBSD Http server was very new, crashing on 0.9 requests, I reported some smuggling issues (bad end of line, double Content-Length) which were fixed later.\n\n# HaProxy\n\nHaProxy was transmitting some of the very bad request I use to perform splitting attacks on backends (something which is not a security issue, but which allows security issues).\nI had various discussions with Willy Tarreau which leaded to some improvments in HaProxy, blocking bad requests before any less robust HTTP parser could read it.\n\nFor example:\n\n * commit 987aa383c85525b163267110a4bcff4dff3849b8 : BUG/MEDIUM: http: remove content-length from chunked messages\n * commit e1ce063c12bf22b99e6caa6a55484f1b9a27e113 : MEDIUM: http: disable support for HTTP/0.9 by default\n * commit b053c03d6f05c8ddf264de78fe321d8455358690 : MEDIUM: http: restrict the HTTP version token to 1 digit as per RFC7230\n\n# Summary\n\nI think this work allows for more robusts HTTP servers. Some of the very old issues already reported in the 2005 era reports, like double Content Length,\nwere still widely supported in 2015 and are now harder to find on most open source http servers. I think I contributed greatly to enforce the RFC 7230\nanti-smuggling policies (chunk priority, no double content-length) and for the removal of old-rfc dangerous features (like the continuation of headers\nwith the space prefix, or the HTTP/0.9 support). For this I just had to read the 2005 studies and the RFC, tests the servers, and try to explain\nexploitations.\n\nA big part of my added work and reports was studying effects of control characters (\\r, \\n, NULL, vtab, htab, bell, backspace & formfeed) on various parts of the messages.\nWith some real good success on vartious project for NULL or for bad enf of lines.\nAnother big thing was studying the HTTP/0.9 downgrade exploitations (like extracting a valid HTTP message stored in an image from a partial 0.9 response) and\nfinding new 0.9 downgrade vectors.\nFinally another part of this work was finding new attack vectors (truncation of size, overflows, concatenation of strings, effects of cache hit on header parsing, etc).\n\nThe last big part of my work was spending a long time explaining the potential attacks to maintainers. If you need hints from people understanding the smuggling attacks\nand the implications of the fixed flaws, usually better than the project maintainers, I could give you some names. If you need samples of reports or detailled lab exploitations I could also deliver.\n\nHTTP/2 or TLS are not preventing bad effects of HTTP/1.1 bad parsers (they embed HTTP/1.1 parsers in another layer), nor they could prevent effects of an HTTP/0.9 downgrades.\nEvery HTTP actors which enforces a more robust protocol parsing prevents chaining effects of smuggling attacks.\nSo I hope the work I made on the subject had real effects on the ecosystem.\n\nSome of these CVE were already elected for bounties:\n- Verizon: undisclosed (#433076): 2 700 USD\n- Apache httpd CVE-2016-8743 : https://hackerone.com/reports/244459 : 1500 USD\n- FaceBook Proxygen: (bugcrowd) 1000 USD\n- Golang CVE-2015-5739 &CVE-2015-5740 : Google Security Bounty program : 1337 USD\n\n## Impact\n\nFor the final user the consequences may be huge:\n- Cache poisoning : so effects starts at Deny of Service, but may go to code injection (like replacing\n the code of a well known js library)\n- Credentials hijacking : one of the smuggling exploitation is storing unterminated requests and waiting\n for other users requests to terminate the pending requests, mixing the users credentials on something\n they did not requested (hijacking users credentials). But this cannot work on applications using csrf protections.\n- a lot of Deny of Service attacks, one of the attacks allows mixing requests and responses of\n different users, so you have documents requested by others, and they have yours.\n- security filter bypass: here the public effect is less important, the attacker use smuggling to\n remove some of the security layers\n\nA massive scale smuggling attack on a big actor (a cloud provider for example) could make a huge DOS.\nA more realist usage with a public consequence is a targeted cache poisoning, to inject an XSS.\nAn advanced usage is the filter bypass usage, where the smuggled requests is usually not even logged. A prefect way of sending requests without notices, so a nice tool for SSRF exploits.", "modified": "2019-11-12T23:44:23", "published": "2019-07-17T22:47:10", "id": "H1:648434", "href": "https://hackerone.com/reports/648434", "type": "hackerone", "title": "The Internet: Multiple HTTP Smuggling reports", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}