group.of.nepali.translators team mailing list archive
Message #38411
[Bug 1914372] Re: Ubuntu packages affected by CVE-2020-24553
** Description changed:
[Impact]
Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because text/html
is the default for CGI/FCGI handlers that lack a Content-Type header.
[Test Case]
Described as POC at https://www.redteam-pentesting.de/en/advisories/rt-
sa-2020-004/-inconsistent-behavior-of-gos-cgi-and-fastcgi-transport-may-
lead-to-cross-site-scripting:
1. Use the snippet of CGI go code provided and run it: go run poc.go
2. Run nginx with the config provided to forward the FastCGI calls to the go program.
3. curl -i -o - http://localhost:8000
4. Observe the output.
In an affected golang build the output will say:
Content-Type: text/html (...)
while in the fixed version it should recognize the content type correctly as:
Content-Type: image/png
[Where problems could occur]
* It may affect deployments where go apps are used as CGI scripts - if
the setup was incorrectly relying on hard-coded content type it may
require fixing it.
[Other Info]
+ * It has been specifically backported upstream in release 1.14 series:
+ https://go.googlesource.com/go/+/8fcee8abbea1bb959c63a6944f9ddf490a97f802
+
+ $ git tag --contains 8fcee8abbe
+ go1.14.10
+ go1.14.11
+ go1.14.12
+ go1.14.13
+ go1.14.14
+ go1.14.15
+ go1.14.8
+ go1.14.9
+
+
* The fix is present in golang-1.15 for hirsute and groovy.
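Review bot: the new [Other Info] bullet leaves the first fixed 1.14 release to be read off the "git tag --contains" listing, which is in lexical order, so go1.14.8 and go1.14.9 come after go1.14.15 and are easy to miss. State the first fixed release in the bullet text itself, or list the tags in version order.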
** Also affects: golang-1.15 (Ubuntu)
Importance: Undecided
Status: New
** Changed in: golang-1.15 (Ubuntu)
Status: New => Fix Released
** Changed in: golang-1.14 (Ubuntu Hirsute)
Assignee: (unassigned) => Dariusz Gadomski (dgadomski)
** Changed in: golang-1.14 (Ubuntu Groovy)
Assignee: (unassigned) => Dariusz Gadomski (dgadomski)
** Changed in: golang-1.14 (Ubuntu Focal)
Assignee: (unassigned) => Dariusz Gadomski (dgadomski)
** Changed in: golang-1.10 (Ubuntu Bionic)
Assignee: (unassigned) => Dariusz Gadomski (dgadomski)
** Changed in: golang-1.10 (Ubuntu Xenial)
Assignee: (unassigned) => Dariusz Gadomski (dgadomski)
** Changed in: golang-1.14 (Ubuntu Hirsute)
Status: New => In Progress
** Changed in: golang-1.14 (Ubuntu Groovy)
Status: New => In Progress
** Changed in: golang-1.14 (Ubuntu Focal)
Status: New => In Progress
** Changed in: golang-1.10 (Ubuntu Xenial)
Status: New => In Progress
** Changed in: golang-1.10 (Ubuntu Bionic)
Status: New => In Progress
** Description changed:
[Impact]
Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because text/html
is the default for CGI/FCGI handlers that lack a Content-Type header.
[Test Case]
Described as POC at https://www.redteam-pentesting.de/en/advisories/rt-
sa-2020-004/-inconsistent-behavior-of-gos-cgi-and-fastcgi-transport-may-
lead-to-cross-site-scripting:
1. Use the snippet of CGI go code provided and run it: go run poc.go
2. Run nginx with the config provided to forward the FastCGI calls to the go program.
3. curl -i -o - http://localhost:8000
4. Observe the output.
In an affected golang build the output will say:
Content-Type: text/html (...)
while in the fixed version it should recognize the content type correctly as:
Content-Type: image/png
[Where problems could occur]
* It may affect deployments where go apps are used as CGI scripts - if
the setup was incorrectly relying on hard-coded content type it may
require fixing it.
[Other Info]
- * It has been specifically backported upstream in release 1.14 series:
+ * It has been specifically backported upstream in release 1.14 series (Starting w/ 1.14.8) as follows:
https://go.googlesource.com/go/+/8fcee8abbea1bb959c63a6944f9ddf490a97f802
$ git tag --contains 8fcee8abbe
go1.14.10
go1.14.11
go1.14.12
go1.14.13
go1.14.14
go1.14.15
go1.14.8
go1.14.9
-
* The fix is present in golang-1.15 for hirsute and groovy.
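Review bot: the reworded [Other Info] bullet still documents the upstream backport for the 1.14 series only; every tag in the listing is go1.14.x, while this bug also carries golang-1.10 tasks for Xenial and Bionic. Add a line stating where the golang-1.10 fix comes from, so the description covers every affected package.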
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1914372
Title:
Ubuntu packages affected by CVE-2020-24553
Status in golang-1.14 package in Ubuntu:
In Progress
Status in golang-1.15 package in Ubuntu:
Fix Released
Status in golang-1.10 source package in Xenial:
In Progress
Status in golang-1.10 source package in Bionic:
In Progress
Status in golang-1.14 source package in Focal:
In Progress
Status in golang-1.14 source package in Groovy:
In Progress
Status in golang-1.14 source package in Hirsute:
In Progress
Bug description:
[Impact]
Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because
text/html is the default for CGI/FCGI handlers that lack a
Content-Type header.
[Test Case]
Described as POC at https://www.redteam-pentesting.de/en/advisories/rt-sa-2020-004/-inconsistent-behavior-of-gos-cgi-and-fastcgi-transport-may-lead-to-cross-site-scripting:
1. Use the snippet of CGI go code provided and run it: go run poc.go
2. Run nginx with the config provided to forward the FastCGI calls to the go program.
3. curl -i -o - http://localhost:8000
4. Observe the output.
In an affected golang build the output will say:
Content-Type: text/html (...)
while in the fixed version it should recognize the content type correctly as:
Content-Type: image/png
[Where problems could occur]
* It may affect deployments where go apps are used as CGI scripts -
if the setup was incorrectly relying on hard-coded content type it may
require fixing it.
[Other Info]
* It has been specifically backported upstream in release 1.14 series (Starting w/ 1.14.8) as follows:
https://go.googlesource.com/go/+/8fcee8abbea1bb959c63a6944f9ddf490a97f802
$ git tag --contains 8fcee8abbe
go1.14.10
go1.14.11
go1.14.12
go1.14.13
go1.14.14
go1.14.15
go1.14.8
go1.14.9
* The fix is present in golang-1.15 for hirsute and groovy.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/golang-1.14/+bug/1914372/+subscriptions
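The [Impact] and [Where problems could occur] notes above, as an added Go example that is not part of the bug report or the Go project's code: a handler that leaves Content-Type to the transport next to one that sets it itself. The names legacyWriter, serveBare, serveTyped and contentTypeVia are hypothetical; legacyWriter is a constructed stand-in for the affected text/html default, and the allowlist is an assumption.

```go
package main

import (
	"fmt"
	"net/http"
)

// legacyWriter is a constructed stand-in for the affected CGI/FastCGI
// transport: a response without Content-Type is sent as text/html.
type legacyWriter struct{ h http.Header }

func (w *legacyWriter) Header() http.Header { return w.h }
func (w *legacyWriter) WriteHeader(int) {
	if w.h.Get("Content-Type") == "" {
		w.h.Set("Content-Type", "text/html; charset=utf-8")
	}
}
func (w *legacyWriter) Write(b []byte) (int, error) {
	w.WriteHeader(http.StatusOK)
	return len(b), nil
}

// Allowlist of types this hypothetical endpoint is meant to serve inline.
var inlineTypes = map[string]bool{"image/png": true, "image/jpeg": true}

// serveBare writes the body and leaves Content-Type to the transport.
func serveBare(w http.ResponseWriter, data []byte) { w.Write(data) }

// serveTyped sets Content-Type itself; anything off the allowlist is
// served as an opaque download, and nosniff stops browser-side guessing.
func serveTyped(w http.ResponseWriter, data []byte) {
	ct := http.DetectContentType(data)
	if !inlineTypes[ct] {
		ct = "application/octet-stream"
	}
	w.Header().Set("Content-Type", ct)
	w.Header().Set("X-Content-Type-Options", "nosniff")
	w.Write(data)
}

// contentTypeVia runs a handler against legacyWriter and returns the header sent.
func contentTypeVia(serve func(http.ResponseWriter, []byte), data []byte) string {
	w := &legacyWriter{h: http.Header{}}
	serve(w, data)
	return w.h.Get("Content-Type")
}

func main() {
	png := []byte("\x89PNG\r\n\x1a\nconstructed sample bytes") // constructed input
	fmt.Println("bare: ", contentTypeVia(serveBare, png))
	fmt.Println("typed:", contentTypeVia(serveTyped, png))
}
```

A handler written like serveTyped sends the same header on affected and fixed Go builds, so it does not depend on which package version is installed.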