989630 – (CVE-2015-5741) VUL-0: CVE-2015-5739,CVE-2015-5740,CVE-2015-5741: go: HTTP request smuggling in net/http library

Bug 989630 (CVE-2015-5741) - VUL-0: CVE-2015-5739,CVE-2015-5740,CVE-2015-5741: go: HTTP request smuggling in net/http library

Summary: VUL-0: CVE-2015-5739,CVE-2015-5740,CVE-2015-5741: go: HTTP request smuggling ...

Status:	RESOLVED FIXED

Alias:	CVE-2015-5741

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Major
Target Milestone:	---
Assignee:	Security Team bot
QA Contact:	Security Team bot

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2016-07-19 19:30 UTC by Andreas Stieger
Modified:	2017-06-15 21:34 UTC (History)
CC List:	4 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Andreas Stieger 2016-07-19 19:30:20 UTC

http://seclists.org/oss-sec/2015/q3/237

Upstream patches:
https://github.com/golang/go/commit/117ddcb83d7f42d6aa72241240af99ded81118e9
https://github.com/golang/go/commit/300d9a21583e7cf0149a778a0611e76ff7c6680f
https://github.com/golang/go/commit/143822585e32449860e624cace9d2e521deee62e

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1250352
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5741
http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-5741.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5741

Comment 1 Andreas Stieger 2016-07-19 19:31:25 UTC

As submitted in 
https://build.opensuse.org/request/show/407624

Comment 2 Swamp Workflow Management 2016-07-27 17:12:18 UTC

openSUSE-SU-2016:1894-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 989630
CVE References: CVE-2015-5739,CVE-2015-5740,CVE-2015-5741
Sources used:
openSUSE 13.2 (src):    go-1.4.3-15.1

Comment 3 Marcus Meissner 2016-08-01 11:32:30 UTC

... and sles? and leap?

Comment 4 Thomas Boerger 2016-08-02 07:34:21 UTC

Leap 42.1 is not affected, upstream reports 1.4.x and 1.5.x to be affected while Leap got 1.6.2.

Comment 5 Thomas Boerger 2016-08-02 07:51:36 UTC

SLE 12 is also not affected as it's already using 1.6.1, for reference: https://build.suse.de/package/show/SUSE:SLE-12:Update/go

So I think this issue is resolved?!

Comment 6 Marcus Meissner 2016-08-02 08:06:27 UTC

werll, there also are packages: go1.5 and go1.4

are they in use and are they affected?

Comment 7 Thomas Boerger 2016-08-02 14:30:02 UTC

After talking to Marcus Meissner it looks like we can close this issue as resolved.

Comment 9 Marcus Meissner 2017-06-15 21:34:30 UTC

released