Lucene search

1115 matches found

AlpineLinux
added 2021/05/27 12:17 p.m. | 52 views

CVE-2021-31525

net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service panic via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations...

CVSS 5.9 | AI score 6.2 | EPSS 0.03692
Exploits 0

Cvelist
added 2021/05/27 12:17 p.m. | 23 views

CVE-2021-31525

net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service panic via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations...

AI score 6.1 | EPSS 0.03692
Exploits 0 | References 4

Tenable Nessus
added 2021/05/07 12:00 a.m. | 36 views

FreeBSD : go -- net/http: ReadRequest can stack overflow due to recursion with very large headers (7f242313-aea5-11eb-8151-67f74cf7c704)

The Go project reports : http.ReadRequest can stack overflow due to recursion when given a request with a very large header 8-10MB depending on the architecture. A http.Server which overrides the default max header of 1MB by setting Server.MaxHeaderBytes to a much larger value could also be...

CVSS 5.9 | AI score 7.4 | EPSS 0.03692
Exploits 0 | References 3

RedHat Linux
added 2021/05/04 7:34 p.m. | 2 views

golang: data race in certain net/http servers including ReverseProxy can lead to DoS

A flaw was found in Go's net/http package. Servers using ReverseProxy from net/http in the Go standard library are vulnerable to a data race that results in a denial of service. The highest threat from this vulnerability is to system availability...

CVSS 5.9 | AI score 7.3 | EPSS 0.02893
Exploits 0 | References 5

FreeBSD
added 2021/05/01 12:00 a.m. | 50 views

go -- multiple vulnerabilities

The Go project reports: The SetString and UnmarshalText methods of math/big.Rat may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents. ReverseProxy in net/http/httputil could be made to forward certain hop-by-hop headers, including Connection. In case the...

AI score 0.1
Exploits 0 | References 4

FreeBSD
added 2021/04/22 12:00 a.m. | 34 views

go -- net/http: ReadRequest can stack overflow due to recursion with very large headers

The Go project reports: http.ReadRequest can stack overflow due to recursion when given a request with a very large header 8-10MB depending on the architecture. A http.Server which overrides the default max header of 1MB by setting Server.MaxHeaderBytes to a much larger value could also be...

CVSS 5.9 | AI score 3 | EPSS 0.03692
Exploits 0 | References 1

Hacker One
added 2021/04/19 9:25 a.m. | 72 views

Ruby: 'net/http': HTTP Header Injection in the set_content_type method

The set_content_type's parameter is not filtered to prevent the injection from altering the entire request. The vulnerable code: ruby def set_content_type(type, params = {}) @header['content-type'] = [type + params.map{|k,v|"; #{k}=#{v}"}.join('')] end PoC 1. ruby require 'net/http' uri = URI('http://127.0.0.1:8080') r...

CVSS 6.4 | AI score 7.4 | EPSS 0.06283
Exploits 1

Tenable Nessus
added 2021/02/01 12:00 a.m. | 69 views

CentOS 8 : go-toolset:rhel8 (CESA-2020:5493)

The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2020:5493 advisory. - golang: default Content-Type setting in net/http/cgi and net/http/fcgi could cause XSS CVE-2020-24553 - golang: math/big: panic during recursive...

CVSS 7.5 | AI score 7 | EPSS 0.03813
Exploits 2 | References 5

RedHat Linux
added 2021/01/11 9:59 p.m. | 3 views

golang: data race in certain net/http servers including ReverseProxy can lead to DoS

A flaw was found in Go's net/http package. Servers using ReverseProxy from net/http in the Go standard library are vulnerable to a data race that results in a denial of service. The highest threat from this vulnerability is to system availability...

CVSS 5.9 | AI score 7.3 | EPSS 0.02893
Exploits 0 | References 5

Tenable Nessus
added 2020/12/22 12:00 a.m. | 38 views

RHEL 8 : Red Hat OpenShift Service Mesh 1.1.11 (RHSA-2020:5649)

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:5649 advisory. Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for installation into an on-premise...

CVSS 7.5 | AI score 7 | EPSS 0.04692
Exploits 0 | References 7

RedHat Linux
added 2020/12/15 5:12 p.m. | 113 views

Moderate: Red Hat Security Advisory: go-toolset:rhel8 security update

An update for the go-toolset:rhel8 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each...

CVSS 7.5 | AI score 7 | EPSS 0.03813
Exploits 2 | References 6

IBM Security Bulletins
added 2020/12/14 6:29 p.m. | 29 views

Security Bulletin: A security vulnerability in GO affects IBM Cloud Pak for Multicloud Management Managed Service.

Summary A security vulnerability in GO affects IBM Cloud Pak for Multicloud Management Managed Service. Vulnerability Details CVEID: CVE-2020-15586 DESCRIPTION: Golang Go is vulnerable to a denial of service, caused by a data race in some net/http servers. By sending specially-crafted HTTP...

CVSS 5.9 | AI score 1.1 | EPSS 0.02893
Exploits 0 | Affected Software 1

Tenable Nessus
added 2020/12/09 12:00 a.m. | 76 views

SUSE SLED15 / SLES15 Security Update : go1.14 (SUSE-SU-2020:2761-1)

This update for go1.14 fixes the following issues : go1.14.9 released 2020-09-09 includes fixes to the compiler, linker, runtime, documentation, and the net/http and testing packages. Refs bsc1164903 go1.14 release tracking - go41192 net/http/fcgi: race detected during execution of...

CVSS 6.1 | AI score 6.8 | EPSS 0.03646
Exploits 2 | References 5

Tenable Nessus
added 2020/12/09 12:00 a.m. | 38 views

SUSE SLED15 / SLES15 Security Update : go1.15 (SUSE-SU-2020:3368-1)

This update for go1.15 fixes the following issues : go1.15.5 released 2020-11-12 includes security fixes to the cmd/go and math/big packages. - go42553 math/big: panic during recursive division of very large numbers bsc1178750 CVE-2020-28362 - go42560 cmd/go: arbitrary code can be injected into c...

CVSS 7.5 | AI score 7.4 | EPSS 0.03813
Exploits 0 | References 11

Tenable Nessus
added 2020/12/03 12:00 a.m. | 36 views

openSUSE Security Update : go1.15 (openSUSE-2020-2139)

This update for go1.15 fixes the following issues : - go1.15.5 released 2020-11-12 includes security fixes to the cmd/go and math/big packages. - go42553 math/big: panic during recursive division of very large numbers bsc1178750 CVE-2020-28362 - go42560 cmd/go: arbitrary code can be injected into...

CVSS 7.5 | AI score 7.4 | EPSS 0.03813
Exploits 0 | References 7

Tenable Nessus
added 2020/11/30 12:00 a.m. | 35 views

openSUSE Security Update : go1.14 (openSUSE-2020-2067)

This update for go1.14 fixes the following issues : - go1.14.12 released 2020-11-12 includes security fixes to the cmd/go and math/big packages. - go42553 math/big: panic during recursive division of very large numbers bsc1178750 CVE-2020-28362 - go42560 cmd/go: arbitrary code can be injected int...

CVSS 7.5 | AI score 7.4 | EPSS 0.03813
Exploits 0 | References 7

Tenable Nessus
added 2020/11/30 12:00 a.m. | 33 views

openSUSE Security Update : go1.14 (openSUSE-2020-2047)

This update for go1.14 fixes the following issues : - go1.14.12 released 2020-11-12 includes security fixes to the cmd/go and math/big packages. - go42553 math/big: panic during recursive division of very large numbers bsc1178750 CVE-2020-28362 - go42560 cmd/go: arbitrary code can be injected int...

CVSS 7.5 | AI score 7.4 | EPSS 0.03813
Exploits 0 | References 7

OPENSUSE Linux
added 2020/11/26 12:00 a.m. | 28 views

Security update for go1.14 (moderate)

openSUSE Security Update: Security update for go1.14 Announcement ID: openSUSE-SU-2020:2047-1 Rating: moderate References: 1164903 1178750 1178752 1178753 Cross-References: CVE-2020-28362 CVE-2020-28366 CVE-2020-28367 Affected Products: openSUSE Leap 15.1 An update that solves three vulnerabiliti...

CVSS 7.5 | AI score 7.7 | EPSS 0.03813
Exploits 0 | References 4

Tenable Nessus
added 2020/11/24 12:00 a.m. | 40 views

RHEL 7 / 8 : OpenShift Container Platform 4.5.20 packages and golang (RHSA-2020:5119)

The remote Redhat Enterprise Linux 7 / 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2020:5119 advisory. Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or...

CVSS 7.5 | AI score 7 | EPSS 0.04692
Exploits 0 | References 8

Mageia
added 2020/11/15 3:45 p.m. | 92 views

Updated golang packages fix a security vulnerability

A flaw was found in Go standard library packages. Both the net/http/cgi and net/http/fcgi packages use a default Content-Type response header value of "text/html", rather than "text/plain". An attacker could exploit this in applications using these packages by uploading crafted files, allowing fo...

CVSS 6.1 | AI score 6.2 | EPSS 0.03646
Exploits 2 | References 3