https://bugzilla.redhat.com/show_bug.cgi?id=1250352
Bug ID: 1250352
Summary: golang: HTTP request smuggling in net/http library
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: amaris@redhat.com
CC: admiller@redhat.com, golang@lists.fedoraproject.org, lemenkov@gmail.com, renich@woralelandia.com, s@shk.io, thrcka@redhat.com, vbatts@redhat.com

Potentially exploitable flaws have been found in the Golang net/http library, affecting versions 1.4.2 and 1.5.

Problems:
* Double Content-length headers in a request do not generate a 400 error; the second Content-length is ignored.
* Invalid headers are parsed as valid headers (like "Content Length:" with a space in the middle).

Exploitation:
Where HTTP communication between the net/http agent and the final HTTP clients passes through some reverse proxy (reverse proxy cache, SSL terminators, etc.), some requests can be made that exploit the net/http HTTP protocol violations.

An attacker could possibly:
* bypass security controls on these previous elements
* perform some cache poisoning on these elements
* alter the request/response map on these previous elements (for DoS)

CVE request: http://seclists.org/oss-sec/2015/q3/237
Upstream patches:
https://github.com/golang/go/commit/117ddcb83d7f42d6aa72241240af99ded81118e9
https://github.com/golang/go/commit/300d9a21583e7cf0149a778a0611e76ff7c6680f
https://github.com/golang/go/commit/143822585e32449860e624cace9d2e521deee62e
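
An added example (not code from this report or from the upstream patches): a strict check over raw header lines that rejects the two conditions listed under Problems, so that a front end and a back end cannot disagree on where the request body ends. `checkHeaders` and `isToken` are hypothetical names, and the sample headers are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// isToken reports whether s is a valid RFC 7230 field name (no spaces allowed).
func isToken(s string) bool {
	for i := 0; i < len(s); i++ {
		c := s[i]
		alnum := c >= 'a' && c <= 'z' || c >= 'A' && c <= 'Z' || c >= '0' && c <= '9'
		if !alnum && strings.IndexByte("!#$%&'*+-.^_`|~", c) < 0 {
			return false
		}
	}
	return s != ""
}

// checkHeaders (hypothetical helper) rejects a repeated Content-Length and any
// field name that is not a valid token; a server would answer 400 on error.
func checkHeaders(lines []string) error {
	seenCL := false
	for _, line := range lines {
		name, _, ok := strings.Cut(line, ":")
		if !ok || !isToken(name) {
			return fmt.Errorf("invalid header line %q", line)
		}
		if strings.EqualFold(name, "Content-Length") {
			if seenCL {
				return errors.New("duplicate Content-Length")
			}
			seenCL = true
		}
	}
	return nil
}

func main() {
	// Constructed sample header blocks, not taken from the report.
	for _, s := range [][]string{
		{"Content-Length: 5"},
		{"Content-Length: 5", "Content-Length: 0"},
		{"Content Length: 5"},
	} {
		fmt.Println(checkHeaders(s)) // nil means the block passed the check
	}
}
```

This check rejects every repeated Content-Length, which is stricter than RFC 7230 requires when the repeated values are identical.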