Bugzilla – Bug 988487
VUL-1: CVE-2016-5386: go: Setting HTTP_PROXY environment variable via Proxy header (httpoxy)
Last modified: 2019-10-17 14:26:36 UTC
bugbot adjusting priority
The vulnerable code seems to be: src/net/http/cgi/host.go :: ServeHTTP()

> for k, v := range req.Header {
>     k = strings.Map(upperCaseAndUnderscore, k)
>     joinStr := ", "
>     if k == "COOKIE" {
>         joinStr = "; "
>     }
>     env = append(env, "HTTP_"+k+"="+strings.Join(v, joinStr))
> }

Should skip "Proxy" headers (case-insensitive).
Affected in openSUSE. Not shipped in SLE. However, due to static linking there might be a CGI use case. Should be fixed with the next available update.
Public at https://httpoxy.org/

Go

Go code must be deployed under CGI to be vulnerable. Usually, that'll mean the vulnerable code uses the net/http/cgi package. As with Python, this is not considered a usual way of deploying Go as a web application, so this vulnerability should be relatively rare.

Go's net/http/fcgi package, by comparison, does not set actual environment variables, so it is not vulnerable.

Vulnerable versions of net/http will trust and use HTTP_PROXY for outgoing requests, without checking if CGI is in use.
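The header-to-environment loop quoted above, as an added example that is not part of this bug report or of Go's own source: headerEnv with skipProxy=false reproduces the vulnerable behaviour (a client "Proxy" header becomes HTTP_PROXY in the CGI child's environment), and skipProxy=true applies the skip the comment calls for. upperCaseAndUnderscore here is a hypothetical re-implementation modelled on the function name in the quoted loop, and the proxy URL and host names are constructed placeholders.

```go
package main

import (
	"fmt"
	"net/http"
	"sort"
	"strings"
)

// CGI meta-variable naming: upper-case the header name and turn '-' (and
// '=', which would corrupt a "key=value" entry) into '_'.
func upperCaseAndUnderscore(r rune) rune {
	switch {
	case r >= 'a' && r <= 'z':
		return r - ('a' - 'A')
	case r == '-', r == '=':
		return '_'
	}
	return r
}

// headerEnv builds the HTTP_* environment a CGI host hands to its child.
// skipProxy=false reproduces the loop quoted above: a client-supplied "Proxy"
// header becomes HTTP_PROXY, which the child's HTTP client may honour as its
// outbound proxy (httpoxy). skipProxy=true drops it, which is the mitigation.
func headerEnv(h http.Header, skipProxy bool) []string {
	var env []string
	for k, v := range h {
		k = strings.Map(upperCaseAndUnderscore, k)
		if skipProxy && k == "PROXY" {
			continue // no legitimate client sends Proxy; never export it
		}
		joinStr := ", "
		if k == "COOKIE" {
			joinStr = "; " // cookies are joined with "; ", other headers with ", "
		}
		env = append(env, "HTTP_"+k+"="+strings.Join(v, joinStr))
	}
	sort.Strings(env) // map iteration order is random; sort for stable output
	return env
}

func main() {
	// Constructed request headers; the proxy URL is a placeholder, not a real host.
	// Any spelling of the header name ("proxy", "PROXY", "Proxy") maps to HTTP_PROXY.
	hdr := http.Header{"Host": {"example.invalid"}, "Cookie": {"a=1", "b=2"},
		"proxy": {"http://proxy.placeholder.invalid:8080"}}
	fmt.Println("vulnerable:", headerEnv(hdr, false))
	fmt.Println("hardened:  ", headerEnv(hdr, true))
}
```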
Issue upstream (go): https://github.com/golang/go/issues/16405
Commit that fixes it for 1.6: https://github.com/golang/go/commit/a357d15e9ee36a1232ae071d9968c4cf10a672b4
This commit is included in the 1.6.3 release: https://github.com/golang/go/releases/tag/go1.6.3
affected code in go 1.5: https://github.com/golang/go/blob/release-branch.go1.5/src/net/http/cgi/host.go#L146
affected code in go 1.4: https://github.com/golang/go/blob/release-branch.go1.4/src/net/http/cgi/host.go#L140
Affected packages in openSUSE:
openSUSE:13.2:Update (go1.4)
openSUSE:Leap:42.1 (go 1.6.1)
openSUSE:Factory (=Tumbleweed) (go1.6.2)
devel:languages:go (go1.6.2)
reproducer: https://github.com/httpoxy/go-httpoxy-poc
This is an autogenerated message for OBS integration: This bug (988487) was mentioned in https://build.opensuse.org/request/show/415286 42.1 / go
This is an autogenerated message for OBS integration: This bug (988487) was mentioned in https://build.opensuse.org/request/show/417181 13.2+42.1+Backports:SLE-12 / go
openSUSE-SU-2016:2054-1: An update that fixes one vulnerability is now available.
Category: security (low)
Bug References: 988487
CVE References: CVE-2016-5386
Sources used: SUSE Package Hub for SUSE Linux Enterprise 12 (src): go-1.6.1-6.1
openSUSE-SU-2016:2055-1: An update that fixes one vulnerability is now available.
Category: security (low)
Bug References: 988487
CVE References: CVE-2016-5386
Sources used: openSUSE Leap 42.1 (src): go-1.6.2-21.1; openSUSE 13.2 (src): go-1.4.3-18.1
openSUSE-SU-2016:2536-1: An update that fixes one vulnerability is now available.
Category: security (low)
Bug References: 988487
CVE References: CVE-2016-5386
Sources used: SUSE Package Hub for SUSE Linux Enterprise 12 (src): go1.4-1.4.3-6.1
released, or at least go internally upgraded and dependent programs will be queued
This is an autogenerated message for OBS integration: This bug (988487) was mentioned in https://build.opensuse.org/request/show/610123 Factory / go1.10
This is an autogenerated message for OBS integration: This bug (988487) was mentioned in https://build.opensuse.org/request/show/658307 Factory / go1.10 https://build.opensuse.org/request/show/658308 Factory / go1.11
This is an autogenerated message for OBS integration: This bug (988487) was mentioned in https://build.opensuse.org/request/show/658934 15.0+42.3 / go1.11
This is an autogenerated message for OBS integration: This bug (988487) was mentioned in https://build.opensuse.org/request/show/679777 Factory / go1.11
This is an autogenerated message for OBS integration: This bug (988487) was mentioned in https://build.opensuse.org/request/show/688187 Factory / go1.12