** Description changed:

  [Impact]
  Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because text/html is the default for CGI/FCGI handlers that lack a Content-Type header.

  [Test Case]
  Described as POC at https://www.redteam-pentesting.de/en/advisories/rt-sa-2020-004/-inconsistent-behavior-of-gos-cgi-and-fastcgi-transport-may-lead-to-cross-site-scripting:
  1. Use the snippet of CGI go code provided and run it: go run poc.go
  2. Run nginx with the config provided to forward the FastCGI calls to the go program.
  3. curl -i -o - http://localhost:8000
  4. Observe the output. In an affected golang build the output will say:
     Content-Type: text/html (...)
     while in the fixed version it should recognize the content type correctly as:
     Content-Type: image/png

  [Where problems could occur]
  * It may affect deployments where go apps are used as CGI scripts - if the setup was incorrectly relying on hard-coded content type it may require fixing it.

  [Other Info]
+ * It has been specifically backported upstream in release 1.14 series:
+ https://go.googlesource.com/go/+/8fcee8abbea1bb959c63a6944f9ddf490a97f802
+
+ $ git tag --contains 8fcee8abbe
+ go1.14.10
+ go1.14.11
+ go1.14.12
+ go1.14.13
+ go1.14.14
+ go1.14.15
+ go1.14.8
+ go1.14.9
+
+ * The fix is present in golang-1.15 for hirsute and groovy.

** Also affects: golang-1.15 (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: golang-1.15 (Ubuntu)
       Status: New => Fix Released

** Changed in: golang-1.14 (Ubuntu Hirsute)
     Assignee: (unassigned) => Dariusz Gadomski (dgadomski)

** Changed in: golang-1.14 (Ubuntu Groovy)
     Assignee: (unassigned) => Dariusz Gadomski (dgadomski)

** Changed in: golang-1.14 (Ubuntu Focal)
     Assignee: (unassigned) => Dariusz Gadomski (dgadomski)

** Changed in: golang-1.10 (Ubuntu Bionic)
     Assignee: (unassigned) => Dariusz Gadomski (dgadomski)

** Changed in: golang-1.10 (Ubuntu Xenial)
     Assignee: (unassigned) => Dariusz Gadomski (dgadomski)

** Changed in: golang-1.14 (Ubuntu Hirsute)
       Status: New => In Progress

** Changed in: golang-1.14 (Ubuntu Groovy)
       Status: New => In Progress

** Changed in: golang-1.14 (Ubuntu Focal)
       Status: New => In Progress

** Changed in: golang-1.10 (Ubuntu Xenial)
       Status: New => In Progress

** Changed in: golang-1.10 (Ubuntu Bionic)
       Status: New => In Progress

** Description changed:

  [Impact]
  Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because text/html is the default for CGI/FCGI handlers that lack a Content-Type header.

  [Test Case]
  Described as POC at https://www.redteam-pentesting.de/en/advisories/rt-sa-2020-004/-inconsistent-behavior-of-gos-cgi-and-fastcgi-transport-may-lead-to-cross-site-scripting:
  1. Use the snippet of CGI go code provided and run it: go run poc.go
  2. Run nginx with the config provided to forward the FastCGI calls to the go program.
  3. curl -i -o - http://localhost:8000
  4. Observe the output. In an affected golang build the output will say:
     Content-Type: text/html (...)
     while in the fixed version it should recognize the content type correctly as:
     Content-Type: image/png

  [Where problems could occur]
  * It may affect deployments where go apps are used as CGI scripts - if the setup was incorrectly relying on hard-coded content type it may require fixing it.

  [Other Info]
- * It has been specifically backported upstream in release 1.14 series:
+ * It has been specifically backported upstream in release 1.14 series (Starting w/ 1.14.8) as follows:
  https://go.googlesource.com/go/+/8fcee8abbea1bb959c63a6944f9ddf490a97f802

  $ git tag --contains 8fcee8abbe
  go1.14.10
  go1.14.11
  go1.14.12
  go1.14.13
  go1.14.14
  go1.14.15
  go1.14.8
  go1.14.9
- * The fix is present in golang-1.15 for hirsute and groovy.

--
https://bugs.launchpad.net/bugs/1914372

Title:
  Ubuntu packages affected by CVE-2020-24553

Status in golang-1.14 package in Ubuntu:
  In Progress
Status in golang-1.15 package in Ubuntu:
  Fix Released
Status in golang-1.10 source package in Xenial:
  In Progress
Status in golang-1.10 source package in Bionic:
  In Progress
Status in golang-1.14 source package in Focal:
  In Progress
Status in golang-1.14 source package in Groovy:
  In Progress
Status in golang-1.14 source package in Hirsute:
  In Progress

Bug description:
  [Impact]
  Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because text/html is the default for CGI/FCGI handlers that lack a Content-Type header.

  [Test Case]
  Described as POC at https://www.redteam-pentesting.de/en/advisories/rt-sa-2020-004/-inconsistent-behavior-of-gos-cgi-and-fastcgi-transport-may-lead-to-cross-site-scripting:
  1. Use the snippet of CGI go code provided and run it: go run poc.go
  2. Run nginx with the config provided to forward the FastCGI calls to the go program.
  3. curl -i -o - http://localhost:8000
  4. Observe the output. In an affected golang build the output will say:
     Content-Type: text/html (...)
     while in the fixed version it should recognize the content type correctly as:
     Content-Type: image/png

  [Where problems could occur]
  * It may affect deployments where go apps are used as CGI scripts - if the setup was incorrectly relying on hard-coded content type it may require fixing it.

  [Other Info]
  * It has been specifically backported upstream in release 1.14 series (Starting w/ 1.14.8) as follows:
  https://go.googlesource.com/go/+/8fcee8abbea1bb959c63a6944f9ddf490a97f802

  $ git tag --contains 8fcee8abbe
  go1.14.10
  go1.14.11
  go1.14.12
  go1.14.13
  go1.14.14
  go1.14.15
  go1.14.8
  go1.14.9

  * The fix is present in golang-1.15 for hirsute and groovy.
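
Added example, not part of the bug report or of the Go project's code: a handler-side guard for applications that must still run on an affected toolchain, choosing the Content-Type from the first body chunk so the text/html fallback described under [Impact] is never reached. legacyWriter is a constructed stand-in for the affected transport default; sniffFirst, ServedType and SamplePNG are hypothetical names, and using http.DetectContentType for the choice is this example's assumption.

```go
package main

import (
	"fmt"
	"net/http"
)

// legacyWriter is a constructed stand-in for the affected CGI/FCGI writer:
// when the handler set no Content-Type it falls back to text/html.
type legacyWriter struct{ hdr http.Header }

func (w legacyWriter) Header() http.Header { return w.hdr }
func (w legacyWriter) WriteHeader(int) {
	if w.hdr.Get("Content-Type") == "" {
		w.hdr.Set("Content-Type", "text/html; charset=utf-8")
	}
}
func (w legacyWriter) Write(p []byte) (int, error) {
	w.WriteHeader(http.StatusOK)
	return len(p), nil
}

// sniffFirst (hypothetical) sets Content-Type from the first body chunk when
// the handler left it unset, and tells the browser not to re-sniff.
type sniffFirst struct{ http.ResponseWriter }

func (s sniffFirst) Write(p []byte) (int, error) {
	if h := s.Header(); h.Get("Content-Type") == "" {
		h.Set("Content-Type", http.DetectContentType(p))
		h.Set("X-Content-Type-Options", "nosniff")
	}
	return s.ResponseWriter.Write(p)
}

// SamplePNG is constructed input: a PNG signature followed by markup.
var SamplePNG = []byte("\x89PNG\r\n\x1a\n<b>markup inside an image</b>")

// ServedType returns the Content-Type a client would see for body.
func ServedType(body []byte, harden bool) string {
	var w http.ResponseWriter = legacyWriter{http.Header{}}
	if harden {
		w = sniffFirst{w}
	}
	w.Write(body)
	return w.Header().Get("Content-Type")
}

func main() {
	fmt.Println(ServedType(SamplePNG, false), "->", ServedType(SamplePNG, true))
}
```

The guard only covers responses that reach Write; a handler that knows its media type should still set Content-Type explicitly.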