
group.of.nepali.translators team mailing list archive

[Bug 1914372] Re: Ubuntu packages affected by CVE-2020-24553

 

This bug was fixed in the package golang-1.10 - 1.10.4-2ubuntu1~18.04.2

---------------
golang-1.10 (1.10.4-2ubuntu1~18.04.2) bionic-security; urgency=medium

  * SECURITY UPDATE: XSS (LP: #1914372)
    - debian/patches/CVE-2020-24553.patch: Add Content-Type detection in
      net/http/cgi and net/http/fcgi.
    - CVE-2020-24553

 -- Dariusz Gadomski <dgadomski@xxxxxxxxxx>  Wed, 03 Feb 2021 08:42:42 +0100

** Changed in: golang-1.10 (Ubuntu Bionic)
       Status: In Progress => Fix Released

** Changed in: golang-1.10 (Ubuntu Xenial)
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1914372

Title:
  Ubuntu packages affected by CVE-2020-24553

Status in golang-1.14 package in Ubuntu:
  In Progress
Status in golang-1.15 package in Ubuntu:
  Fix Released
Status in golang-1.10 source package in Xenial:
  Fix Released
Status in golang-1.10 source package in Bionic:
  Fix Released
Status in golang-1.14 source package in Focal:
  Fix Released
Status in golang-1.14 source package in Groovy:
  In Progress
Status in golang-1.14 source package in Hirsute:
  In Progress

Bug description:
  [Impact]

   Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because
  text/html is the default for CGI/FCGI handlers that lack a
  Content-Type header.

  [Test Case]

   Described as POC at
  https://www.redteam-pentesting.de/en/advisories/rt-sa-2020-004/-inconsistent-behavior-of-gos-cgi-and-fastcgi-transport-may-lead-to-cross-site-scripting:

   1. Use the snippet of CGI go code provided and run it: go run poc.go
   2. Run nginx with the config provided to forward the FastCGI calls to the go program.
   3. curl -i -o - http://localhost:8000
   4. Observe the output.

  In an affected golang build the output will say:
  Content-Type: text/html (...)
  while in the fixed version it should recognize the content type correctly as:
  Content-Type: image/png

  [Where problems could occur]

   * It may affect deployments where go apps are used as CGI scripts -
  if the setup was incorrectly relying on hard-coded content type it may
  require fixing it.

  [Other Info]

   * It has been specifically backported upstream in release 1.14 series (Starting w/ 1.14.8) as follows:
  https://go.googlesource.com/go/+/8fcee8abbea1bb959c63a6944f9ddf490a97f802

  $ git tag --contains 8fcee8abbe
  go1.14.10
  go1.14.11
  go1.14.12
  go1.14.13
  go1.14.14
  go1.14.15
  go1.14.8
  go1.14.9

   * The fix is present in golang-1.15 for hirsute and groovy.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/golang-1.14/+bug/1914372/+subscriptions
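The behaviour change described in the [Impact] and [Test Case] sections above, as an added example that is not part of the original bug notification and is not Go's own source: a simplified, hypothetical CGI-style response writer (`cgiResponse`, `contentTypeFor` and `samplePNG` are names assumed here) that either applies the blind text/html default or detects the type from the first body chunk with `http.DetectContentType`.

```go
package main

import (
	"bytes"
	"fmt"
	"net/http"
)

// Constructed sample: PNG signature followed by markup-like bytes.
var samplePNG = []byte("\x89PNG\r\n\x1a\n<p>constructed sample, not a real image</p>")

// cgiResponse is a hypothetical model; sniff=false is the affected default, sniff=true the fix.
type cgiResponse struct {
	out          bytes.Buffer // CGI-style output: header block, then body
	header       http.Header
	code         int
	sniff, wrote bool
}

func (r *cgiResponse) Header() http.Header  { return r.header }
func (r *cgiResponse) WriteHeader(code int) { r.code = code }
func (r *cgiResponse) Write(p []byte) (int, error) {
	if !r.wrote { // header block is emitted once, on the first body write
		r.wrote = true
		if r.header.Get("Content-Type") == "" {
			ct := "text/html; charset=utf-8" // affected: blind default
			if r.sniff {
				ct = http.DetectContentType(p) // fixed: inspect the first chunk
			}
			r.header.Set("Content-Type", ct)
		}
		fmt.Fprintf(&r.out, "Status: %d %s\r\n", r.code, http.StatusText(r.code))
		r.header.Write(&r.out)
		r.out.WriteString("\r\n")
	}
	return r.out.Write(p)
}

// contentTypeFor runs a handler that sets no Content-Type and returns the value sent.
func contentTypeFor(sniff bool, body []byte) string {
	r := &cgiResponse{header: http.Header{}, code: http.StatusOK, sniff: sniff}
	http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.Write(body) }).ServeHTTP(r, nil)
	return r.header.Get("Content-Type")
}

func main() {
	fmt.Println("affected:", contentTypeFor(false, samplePNG))
	fmt.Println("fixed:   ", contentTypeFor(true, samplePNG))
}
```

A handler that sets Content-Type itself is unaffected by either branch, since the default only applies when the header is missing.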

