
golang: denial of service

Package(s): golang
CVE #(s): CVE-2016-5386
Created: July 29, 2016
Updated: October 14, 2016
Description:

From the CVE entry:

The net/http package in Go through 1.6 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect a CGI application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue.
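The namespace conflict the CVE entry describes, and the check Go's fix added, as an added Go example that is not part of the LWN entry or of Go's own source: cgiMetaVars shows how a client "Proxy" header becomes HTTP_PROXY under RFC 3875 section 4.1.18, proxyFromEnv refuses that variable whenever REQUEST_METHOD marks a CGI environment (a simplification of the patched transport: only HTTP_PROXY for plain-http requests is considered), and stripProxyHeader is the gateway-side mitigation. The proxy URL is a constructed sample value.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// cgiMetaVars derives HTTP_* meta-variables from request headers the way
// RFC 3875 section 4.1.18 prescribes (upper-case, '-' to '_', "HTTP_" prefix),
// so a client "Proxy:" header collides with the HTTP_PROXY proxy setting.
func cgiMetaVars(method string, h http.Header) map[string]string {
	env := map[string]string{"REQUEST_METHOD": method} // always set under CGI
	for name, vals := range h {
		env["HTTP_"+strings.ToUpper(strings.ReplaceAll(name, "-", "_"))] = strings.Join(vals, ", ")
	}
	return env
}

// proxyFromEnv resolves the outbound proxy for a plain-http request the way
// the patched Go transport does: HTTP_PROXY is refused when REQUEST_METHOD is
// set, because a CGI child cannot tell the value from client-supplied data.
func proxyFromEnv(env map[string]string) (*url.URL, error) {
	v := env["HTTP_PROXY"]
	if v == "" {
		return nil, nil // no proxy configured: connect directly
	}
	if env["REQUEST_METHOD"] != "" {
		return nil, errors.New("refusing to use HTTP_PROXY value in CGI environment")
	}
	return url.Parse(v)
}

// stripProxyHeader is the gateway-side mitigation: drop the Proxy request
// header before a CGI handler turns headers into meta-variables.
func stripProxyHeader(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		r.Header.Del("Proxy")
		next.ServeHTTP(w, r)
	})
}

func main() {
	env := cgiMetaVars("GET", http.Header{"Proxy": {"http://proxy.example.invalid:8080"}}) // constructed sample
	_, err := proxyFromEnv(env)
	fmt.Println("HTTP_PROXY =", env["HTTP_PROXY"], "; decision:", err)
}
```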

Alerts:
openSUSE openSUSE-SU-2016:2536-1 go1.4 2016-10-14
Mageia MGASA-2016-0317 golang 2016-09-23
openSUSE openSUSE-SU-2016:2054-1 go 2016-08-12
openSUSE openSUSE-SU-2016:2055-1 go 2016-08-12
Scientific Linux SLSA-2016:1538-1 golang 2016-08-03
Oracle ELSA-2016-1538 golang 2016-08-02
CentOS CESA-2016:1538 golang 2016-08-02
Red Hat RHSA-2016:1538-01 golang 2016-08-02
Fedora FEDORA-2016-340e361b90 golang 2016-07-29
Fedora FEDORA-2016-ea5e284d34 golang 2016-07-28


golang: denial of service

Posted Jul 29, 2016 16:24 UTC (Fri) by ejcx (guest, #109978) [Link]

This isn't really a denial of service attack. There are a couple of scary things that can happen here.

CGI scripts that are making credentialed requests might have those credentials exposed to remote servers. Then there are lots of possibilities for CGI scripts that make trust assertions about the server they are connecting to. It is surprisingly a scary attack, but not really a denial of service.

It might be a little pedantic to reclassify a vulnerability, but denial of service bugs get written off regularly as lower priority, and this could have a lot of impact beyond DoS.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds