← Back to team overview

group.of.nepali.translators team mailing list archive

  1. group.of.nepali.translators team
  2. Mailing list archive
  3. Message #38370

[Bug 1914372] [NEW] Ubuntu packages affected by CVE-2020-24553

  Thread PreviousDate PreviousThread Next 
*** This bug is a security vulnerability ***

Public security bug reported:

[Impact]

 Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because text/html
is the default for CGI/FCGI handlers that lack a Content-Type header.

[Test Case]

 Described as POC at https://www.redteam-pentesting.de/en/advisories/rt-
sa-2020-004/-inconsistent-behavior-of-gos-cgi-and-fastcgi-transport-may-
lead-to-cross-site-scripting:

 1. Use the snippet of CGI go code provided and run it: go run poc.go
 2. Run nginx with the config provided to forward the FastCGI calls to the go program.
 3. curl -i -o - http://localhost:8000
 4. Observe the output.

In a affected go build the output will say:
Content-Type: text/html (...)
while in the fixed version it should recognize the content type correctly as:
Content-Type: image/png

[Where problems could occur]

 * It may affect deployments where go apps are used as CGI scripts - if
the setup was incorrectly relying on hard-coded content type it may
require fixing it.

[Other Info]
 
 * The fix is present in golang-1.15 for hirsute and groovy.

** Affects: golang-1.10 (Ubuntu)
     Importance: High
         Status: New

** Affects: golang-1.14 (Ubuntu)
     Importance: High
         Status: New

** Affects: golang-1.10 (Ubuntu Xenial)
     Importance: High
         Status: New

** Affects: golang-1.14 (Ubuntu Xenial)
     Importance: Undecided
         Status: Invalid

** Affects: golang-1.10 (Ubuntu Bionic)
     Importance: High
         Status: New

** Affects: golang-1.14 (Ubuntu Bionic)
     Importance: Undecided
         Status: Invalid

** Affects: golang-1.14 (Ubuntu Focal)
     Importance: High
         Status: New

** Affects: golang-1.14 (Ubuntu Groovy)
     Importance: High
         Status: New

** Affects: golang-1.14 (Ubuntu Hirsute)
     Importance: High
         Status: New


** Tags: sts

** Also affects: golang-1.14 (Ubuntu Groovy)
   Importance: Undecided
       Status: New

** Also affects: golang-1.14 (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Also affects: golang-1.14 (Ubuntu Hirsute)
   Importance: High
       Status: New

** Also affects: golang-1.10 (Ubuntu)
   Importance: Undecided
       Status: New

** No longer affects: golang-1.10 (Ubuntu Hirsute)

** No longer affects: golang-1.10 (Ubuntu Groovy)

** No longer affects: golang-1.10 (Ubuntu Focal)

** Also affects: golang-1.10 (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** Also affects: golang-1.14 (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** Also affects: golang-1.10 (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Also affects: golang-1.14 (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Changed in: golang-1.14 (Ubuntu Xenial)
       Status: New => Invalid

** Changed in: golang-1.14 (Ubuntu Bionic)
       Status: New => Invalid

** Changed in: golang-1.10 (Ubuntu)
   Importance: Undecided => High

** Changed in: golang-1.10 (Ubuntu Xenial)
   Importance: Undecided => High

** Changed in: golang-1.10 (Ubuntu Bionic)
   Importance: Undecided => High

** Changed in: golang-1.14 (Ubuntu Focal)
   Importance: Undecided => High

** Changed in: golang-1.14 (Ubuntu Groovy)
   Importance: Undecided => High

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1914372

Title:
  Ubuntu packages affected by CVE-2020-24553

Status in golang-1.10 package in Ubuntu:
  New
Status in golang-1.14 package in Ubuntu:
  New
Status in golang-1.10 source package in Xenial:
  New
Status in golang-1.14 source package in Xenial:
  Invalid
Status in golang-1.10 source package in Bionic:
  New
Status in golang-1.14 source package in Bionic:
  Invalid
Status in golang-1.14 source package in Focal:
  New
Status in golang-1.14 source package in Groovy:
  New
Status in golang-1.14 source package in Hirsute:
  New

Bug description:
  [Impact]

   Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because
  text/html is the default for CGI/FCGI handlers that lack a Content-
  Type header.

  [Test Case]

   Described as POC at https://www.redteam-pentesting.de/en/advisories
  /rt-sa-2020-004/-inconsistent-behavior-of-gos-cgi-and-fastcgi-
  transport-may-lead-to-cross-site-scripting:

   1. Use the snippet of CGI go code provided and run it: go run poc.go
   2. Run nginx with the config provided to forward the FastCGI calls to the go program.
   3. curl -i -o - http://localhost:8000
   4. Observe the output.

  In a affected go build the output will say:
  Content-Type: text/html (...)
  while in the fixed version it should recognize the content type correctly as:
  Content-Type: image/png

  [Where problems could occur]

   * It may affect deployments where go apps are used as CGI scripts -
  if the setup was incorrectly relying on hard-coded content type it may
  require fixing it.

  [Other Info]
   
   * The fix is present in golang-1.15 for hirsute and groovy.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/golang-1.10/+bug/1914372/+subscriptions

Follow ups

  Thread PreviousDate PreviousThread Next