Hello, 

On Monday there was a point release and a new rc release for golang fixing 
CVE-2016-5386 (https://httpoxy.org/), affecting CGI use cases. I have briefly 
checked all packages depending on golang in Fedora and I have observed no such 
use. If you have any package(s) that use (or are used with) CGI and I have 
missed them, please let me know (you should rebuild your package).

The fix has been submitted to all active Fedora branches and is present in the 
buildroot override; please test and provide karma, thanks :).

https://bodhi.fedoraproject.org/updates/FEDORA-2016-ea5e284d34
https://bodhi.fedoraproject.org/updates/FEDORA-2016-340e361b90

Original upstream announcement follows,

JC

----- Forwarded Message -----
> From: "Chris Broadfoot" <c...@golang.org>
> To: "golang-announce" <golang-annou...@googlegroups.com>
> Sent: Monday, July 18, 2016 6:59:41 PM
> Subject: [security] Go 1.6.3 and 1.7rc2 are released
> 
> A security-related issue was recently reported in Go's net/http/cgi package
> and net/http package when used in a CGI environment. Go 1.6.3 and Go 1.7rc2
> will contain a fix for this issue.
> 
> Go versions 1.0-1.6.2 and 1.7rc1 are vulnerable to an input validation flaw
> in the CGI components resulting in the HTTP_PROXY environment variable being
> set by the incoming Proxy header. This environment variable was also used to
> set the outgoing proxy, enabling an attacker to insert a proxy into outgoing
> requests of a CGI program.
> This is CVE-2016-5386 and was addressed by this change:
> https://golang.org/cl/25010, tracked in this issue:
> https://golang.org/issue/16405
> 
> The Go team would like to thank Dominic Scheirlinck for coordinating
> disclosure of this issue across multiple languages and CGI environments.
> Read more about "httpoxy" here: https://httpoxy.org/
> 
> Go 1.6.3 also adds support for macOS Sierra. See
> https://golang.org/issue/16354 for details.
> 
> Downloads are available at https://golang.org/dl for all supported platforms.
> 
> Cheers,
> Chris (on behalf of the Go team)
> 
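The header-to-environment mapping described in the forwarded announcement, as an added example that is not part of the original mail or of the upstream Go change: it shows how a request header named Proxy lands in HTTP_PROXY under the CGI naming convention, and a wrapper that drops the header before a CGI handler sees it. The helper names and the proxy URL are hypothetical and constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// cgiEnvName follows the CGI (RFC 3875) convention for exposing a request
// header to the child: upper-case, '-' becomes '_', prefixed with "HTTP_".
func cgiEnvName(header string) string {
	return "HTTP_" + strings.ToUpper(strings.ReplaceAll(header, "-", "_"))
}

// stripProxyHeader (hypothetical name) removes the Proxy request header so a
// CGI handler behind it never exports HTTP_PROXY from client input.
func stripProxyHeader(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		r.Header.Del("Proxy")
		next.ServeHTTP(w, r)
	})
}

// envSeenByChild (hypothetical helper) simulates the HTTP_* variables a CGI
// child would receive for req after the request passes through wrap.
func envSeenByChild(req *http.Request, wrap func(http.Handler) http.Handler) map[string]string {
	env := map[string]string{}
	inner := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		for name, vals := range r.Header {
			env[cgiEnvName(name)] = strings.Join(vals, ", ")
		}
	})
	wrap(inner).ServeHTTP(httptest.NewRecorder(), req)
	return env
}

func main() {
	// Constructed request; the proxy URL is a placeholder value.
	req := httptest.NewRequest("GET", "/cgi-bin/app", nil)
	req.Header.Set("Proxy", "http://proxy.example.invalid:8080")
	req.Header.Set("Accept", "text/plain")
	identity := func(h http.Handler) http.Handler { return h }
	fmt.Println("unfiltered:", envSeenByChild(req, identity))
	fmt.Println("filtered:  ", envSeenByChild(req.Clone(req.Context()), stripProxyHeader))
}
```

Stripping the header at the front of the handler chain is a stopgap for deployments that cannot rebuild immediately; the rebuilt packages remain the fix.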