On Monday there was a point release and a new rc release for golang fixing
affecting CGI use cases. I have briefly checked all
packages depending on golang in Fedora and I have observed no such use. If you have any
package(s) that use (or are used with) CGI and I have missed it, please let me know (you should
rebuild your package).
The fix has been submitted to all active Fedora branches and is present in the buildroot
override; please test and provide karma, thanks :).
The original upstream announcement follows:
----- Forwarded Message -----
> From: "Chris Broadfoot" <cbro(a)golang.org>
> To: "golang-announce" <golang-announce(a)googlegroups.com>
> Sent: Monday, July 18, 2016 6:59:41 PM
> Subject: [security] Go 1.6.3 and 1.7rc2 are released
> A security-related issue was recently reported in Go's net/http/cgi package
> and net/http package when used in a CGI environment. Go 1.6.3 and Go 1.7rc2
> will contain a fix for this issue.
> Go versions 1.0-1.6.2 and 1.7rc1 are vulnerable to an input validation flaw
> in the CGI components resulting in the HTTP_PROXY environment variable being
> set by the incoming Proxy header. This environment variable was also used to
> set the outgoing proxy, enabling an attacker to insert a proxy into outgoing
> requests of a CGI program.
> This is CVE-2016-5386 and was addressed by this change:
> , tracked in this issue:
> The Go team would like to thank Dominic Scheirlinck for coordinating
> disclosure of this issue across multiple languages and CGI environments.
> Read more about "httpoxy" here: https://httpoxy.org/
> Go 1.6.3 also adds support for macOS Sierra. See
> Downloads are available at https://golang.org/dl
> for all supported platforms.
> Chris (on behalf of the Go team)
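As an added illustration of the two halves of the fix the announcement describes (this is not the Fedora package's nor the Go project's own code): a CGI host that drops the Proxy header before it builds the child's HTTP_* meta-variables, and a client-side proxy lookup that refuses an HTTP_PROXY value when REQUEST_METHOD shows it is running as a CGI child. The function names, the environment-as-map shape and the sample values are assumptions made for this example.

```go
package main

import (
	"errors"
	"net/http"
	"strings"
)

// metaVarsFromHeaders turns request headers into CGI HTTP_* meta-variables.
// The "Proxy" header is dropped so it can never reach the child process as
// HTTP_PROXY (the host-side half of the fix for CVE-2016-5386).
func metaVarsFromHeaders(h http.Header) map[string]string {
	env := map[string]string{}
	for k, vals := range h {
		if http.CanonicalHeaderKey(k) == "Proxy" {
			continue
		}
		name := "HTTP_" + strings.ToUpper(strings.ReplaceAll(k, "-", "_"))
		env[name] = strings.Join(vals, ", ")
	}
	return env
}

// proxyForRequest mirrors the client-side rule: when REQUEST_METHOD is set we
// are running as a CGI child, so an HTTP_PROXY value is untrusted and refused.
// (env is a map standing in for os.Getenv so the logic is testable offline.)
func proxyForRequest(env map[string]string, scheme string) (string, error) {
	if scheme == "https" {
		if p := firstOf(env, "HTTPS_PROXY", "https_proxy"); p != "" {
			return p, nil
		}
	}
	p := firstOf(env, "HTTP_PROXY", "http_proxy")
	if p != "" && env["REQUEST_METHOD"] != "" {
		return "", errors.New("refusing to use HTTP_PROXY value in CGI environment")
	}
	return p, nil
}

// firstOf returns the first non-empty value among the given keys.
func firstOf(env map[string]string, keys ...string) string {
	for _, k := range keys {
		if v := env[k]; v != "" {
			return v
		}
	}
	return ""
}
```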