** No longer affects: golang-1.14 (Ubuntu Xenial)

** No longer affects: golang-1.14 (Ubuntu Bionic)

** No longer affects: golang-1.10 (Ubuntu)

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-24553

-- 
You received this bug notification because you are a member of
नेपाली भाषा समायोजकहरुको समूह (Nepali Language Coordinators Group),
which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1914372

Title:
  Ubuntu packages affected by CVE-2020-24553

Status in golang-1.14 package in Ubuntu:
  New
Status in golang-1.10 source package in Xenial:
  New
Status in golang-1.10 source package in Bionic:
  New
Status in golang-1.14 source package in Focal:
  New
Status in golang-1.14 source package in Groovy:
  New
Status in golang-1.14 source package in Hirsute:
  New

Bug description:
  [Impact]

  Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because text/html
  is the default for CGI/FCGI handlers that lack a Content-Type header.

  [Test Case]

  Described as POC at
  https://www.redteam-pentesting.de/en/advisories/rt-sa-2020-004/-inconsistent-behavior-of-gos-cgi-and-fastcgi-transport-may-lead-to-cross-site-scripting:

  1. Use the snippet of CGI go code provided and run it: go run poc.go
  2. Run nginx with the config provided to forward the FastCGI calls to
     the go program.
  3. curl -i -o - http://localhost:8000
  4. Observe the output. In an affected golang build the output will say:
     Content-Type: text/html (...)
     while in the fixed version it should recognize the content type
     correctly as:
     Content-Type: image/png

  [Where problems could occur]

  * It may affect deployments where go apps are used as CGI scripts - if
    the setup was incorrectly relying on hard-coded content type it may
    require fixing it.

  [Other Info]

  * The fix is present in golang-1.15 for hirsute and groovy.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/golang-1.14/+bug/1914372/+subscriptions

_______________________________________________
Mailing list: https://launchpad.net/~group.of.nepali.translators
Post to     : group.of.nepali.translators@lists.launchpad.net
Unsubscribe : https://launchpad.net/~group.of.nepali.translators
More help   : https://help.launchpad.net/ListHelp
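The [Test Case] in the bug description relies on the advisory's poc.go and nginx configuration, neither of which is reproduced in this notification. The following Go program is an added example, not code from the bug report, the advisory or the Go project: it drives a handler through net/http/cgi's child side in-process (cgi.Serve reads the request from the environment and writes the CGI response to stdout, so stdout is redirected into a pipe) and reports the Content-Type the transport emits. On a toolchain carrying the fix (1.14.8+ / 1.15.1+) a handler that writes PNG bytes without a header is sniffed to image/png and a JSON echo of attacker-shaped input comes back as text/plain; on an affected build both are labelled text/html, which is what makes the reflected <script> render. The hardened echo handler sets Content-Type itself, the remedy the [Where problems could occur] note alludes to, and behaves identically on affected and fixed builds. The handler names, ExampleEnv and the sample inputs are constructed for this example; the same technique applies to net/http/fcgi, whose child side shared the text/html default.

```go
package main

import (
	"bufio"
	"bytes"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/cgi"
	"net/textproto"
	"os"
)

// ExampleEnv is the constructed CGI environment used for every request here.
// REQUEST_METHOD and SERVER_PROTOCOL are mandatory for cgi.Request(); the
// query string carries the attacker-shaped input the echo handlers reflect.
var ExampleEnv = map[string]string{
	"REQUEST_METHOD":  "GET",
	"SERVER_PROTOCOL": "HTTP/1.1",
	"REQUEST_URI":     "/echo?name=%3Cscript%3Ealert(1)%3C%2Fscript%3E",
}

// PNGHandler writes the 8-byte PNG signature (a constructed stand-in for a
// real image) and never sets Content-Type, like the advisory's PoC.
var PNGHandler http.Handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	w.Write([]byte("\x89PNG\r\n\x1a\n"))
})

// EchoJSONUnsafe reflects the name parameter into a JSON body and leaves
// Content-Type to the transport: affected Go says text/html, so a browser
// renders the reflected <script> element.
var EchoJSONUnsafe http.Handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	fmt.Fprintf(w, `{"name":%q}`, r.URL.Query().Get("name"))
})

// EchoJSONHardened sets the type itself (plus nosniff), which is correct on
// affected and fixed toolchains alike.
var EchoJSONHardened http.Handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "application/json")
	w.Header().Set("X-Content-Type-Options", "nosniff")
	fmt.Fprintf(w, `{"name":%q}`, r.URL.Query().Get("name"))
})

// RunCGI serves one request through cgi.Serve, which builds the request from
// the environment and writes the CGI response to os.Stdout; stdout is
// redirected into a pipe for the duration so the response can be parsed.
func RunCGI(h http.Handler, env map[string]string) (http.Header, []byte, error) {
	for k, v := range env {
		os.Setenv(k, v)
		defer os.Unsetenv(k)
	}
	rd, wr, err := os.Pipe()
	if err != nil {
		return nil, nil, err
	}
	saved := os.Stdout
	os.Stdout = wr
	out := make(chan []byte, 1)
	go func() { // drain the pipe concurrently so a large body cannot block Serve
		b, _ := io.ReadAll(rd)
		out <- b
	}()
	serveErr := cgi.Serve(h)
	wr.Close()
	os.Stdout = saved
	raw := <-out
	rd.Close()
	if serveErr != nil {
		return nil, nil, serveErr
	}
	return parseCGIResponse(raw)
}

// parseCGIResponse splits "Status: ...\r\nName: value\r\n\r\nbody" into
// headers (the Status line is kept as a header) and the raw body.
func parseCGIResponse(raw []byte) (http.Header, []byte, error) {
	i := bytes.Index(raw, []byte("\r\n\r\n"))
	if i < 0 {
		return nil, nil, errors.New("no header/body separator in CGI output")
	}
	m, err := textproto.NewReader(bufio.NewReader(bytes.NewReader(raw[:i+4]))).ReadMIMEHeader()
	if err != nil {
		return nil, nil, err
	}
	return http.Header(m), raw[i+4:], nil
}

// ContentTypeOf reports the Content-Type the CGI transport emits for h.
func ContentTypeOf(h http.Handler, env map[string]string) (string, error) {
	hdr, _, err := RunCGI(h, env)
	if err != nil {
		return "", err
	}
	return hdr.Get("Content-Type"), nil
}

func main() {
	cases := []struct {
		name string
		h    http.Handler
	}{{"png, no header", PNGHandler}, {"json echo, no header", EchoJSONUnsafe}, {"json echo, explicit", EchoJSONHardened}}
	for _, c := range cases {
		ct, err := ContentTypeOf(c.h, ExampleEnv)
		if err != nil {
			ct = "error: " + err.Error()
		}
		fmt.Printf("%-22s -> Content-Type: %s\n", c.name, ct)
	}
}
```

Running this with `go run` under the toolchain a deployment actually ships (for example the golang-1.14 build from the affected Ubuntu releases) is a quicker check than standing up nginx: text/html for the first two cases means the transport still hard-codes the type, image/png and text/plain mean the sniffing fix is present. Either way the hardened handler reports application/json, which is why every CGI or FastCGI handler that emits non-HTML should set Content-Type explicitly rather than depend on the transport's default.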