[Bug 1250352] CVE-2015-5739 CVE-2015-5740 CVE-2015-5741 golang: HTTP request smuggling in net/http library

6 Jun 2016


      https://bugzilla.redhat.com/show_bug.cgi?id=1250352
--- Doc Text *updated* by Summer Long slong@redhat.com ---
HTTP-request vulnerabilities have been found in the Golang net/http and net/textproto libraries. Request headers with double Content-Length fields do not generate a 400 error (the second field is ignored), and invalid fields are parsed as valid (for example, "Content Length:" with a space in the middle is accepted).  A non-authenticated attacker could exploit these flaws to bypass security controls, perform web-cache poisoning, or alter the request/response map (denial of service).
-- 
You are receiving this mail because:
You are on the CC list for the bug.

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

[Bug 1250352] CVE-2015-5739 CVE-2015-5740 CVE-2015-5741 golang: HTTP request smuggling in net/http library