*** This bug is a security vulnerability ***

Public security bug reported:

[Impact]

 Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because text/html
is the default for CGI/FCGI handlers that lack a Content-Type header.

[Test Case]

 Described as a PoC at https://www.redteam-pentesting.de/en/advisories/rt-sa-2020-004/-inconsistent-behavior-of-gos-cgi-and-fastcgi-transport-may-lead-to-cross-site-scripting:

 1. Use the snippet of CGI Go code provided and run it: go run poc.go
 2. Run nginx with the config provided to forward the FastCGI calls to the Go program.
 3. curl -i -o - http://localhost:8000
 4. Observe the output.

In an affected Go build the output will say:
Content-Type: text/html (...)
while in the fixed version it should recognize the content type correctly as:
Content-Type: image/png

[Where problems could occur]

 * It may affect deployments where Go apps are used as CGI scripts - if
the setup was incorrectly relying on a hard-coded content type, it may
require fixing.

[Other Info]
 
 * The fix is present in golang-1.15 for hirsute and groovy.
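
The behaviour under [Impact] and [Test Case], as an added example that is not part of the original report, the advisory's PoC or the Go project's fix. legacyWriter is a constructed model of the text/html default; pinningWriter, contentTypeSeen and samplePNG are hypothetical names for a wrapper that sets the type from the body prefix so a handler does not depend on the transport's default.

```go
package main

import (
	"fmt"
	"net/http"
)

// legacyWriter is a constructed stand-in for the affected CGI/FastCGI response
// path: with no Content-Type set by the handler it falls back to text/html.
type legacyWriter struct{ hdr http.Header }

func (w *legacyWriter) Header() http.Header { return w.hdr }
func (w *legacyWriter) WriteHeader(int) {
	if w.hdr.Get("Content-Type") == "" {
		w.hdr.Set("Content-Type", "text/html; charset=utf-8")
	}
}
func (w *legacyWriter) Write(p []byte) (int, error) { w.WriteHeader(http.StatusOK); return len(p), nil }

// pinningWriter (hypothetical) keeps a handler-supplied Content-Type, otherwise sniffs
// the body prefix. An explicit WriteHeader before any body yields text/plain, not text/html.
type pinningWriter struct{ http.ResponseWriter }

func (w *pinningWriter) pin(prefix []byte) {
	if h := w.Header(); h.Get("Content-Type") == "" {
		h.Set("Content-Type", http.DetectContentType(prefix))
	}
	w.Header().Set("X-Content-Type-Options", "nosniff")
}
func (w *pinningWriter) WriteHeader(code int)        { w.pin(nil); w.ResponseWriter.WriteHeader(code) }
func (w *pinningWriter) Write(p []byte) (int, error) { w.pin(p); return w.ResponseWriter.Write(p) }

var samplePNG = []byte("\x89PNG\r\n\x1a\n<p>constructed markup</p>") // constructed sample body

// contentTypeSeen writes body without setting a type and reports what a client would receive.
func contentTypeSeen(body []byte, guarded bool) string {
	base := &legacyWriter{hdr: http.Header{}}
	var w http.ResponseWriter = base
	if guarded {
		w = &pinningWriter{ResponseWriter: base}
	}
	w.Write(body)
	return base.hdr.Get("Content-Type")
}

func main() { fmt.Println(contentTypeSeen(samplePNG, false), "->", contentTypeSeen(samplePNG, true)) }
```
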

** Affects: golang-1.10 (Ubuntu)
     Importance: High
         Status: New

** Affects: golang-1.14 (Ubuntu)
     Importance: High
         Status: New

** Affects: golang-1.10 (Ubuntu Xenial)
     Importance: High
         Status: New

** Affects: golang-1.14 (Ubuntu Xenial)
     Importance: Undecided
         Status: Invalid

** Affects: golang-1.10 (Ubuntu Bionic)
     Importance: High
         Status: New

** Affects: golang-1.14 (Ubuntu Bionic)
     Importance: Undecided
         Status: Invalid

** Affects: golang-1.14 (Ubuntu Focal)
     Importance: High
         Status: New

** Affects: golang-1.14 (Ubuntu Groovy)
     Importance: High
         Status: New

** Affects: golang-1.14 (Ubuntu Hirsute)
     Importance: High
         Status: New


** Tags: sts

** Also affects: golang-1.14 (Ubuntu Groovy)
   Importance: Undecided
       Status: New

** Also affects: golang-1.14 (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Also affects: golang-1.14 (Ubuntu Hirsute)
   Importance: High
       Status: New

** Also affects: golang-1.10 (Ubuntu)
   Importance: Undecided
       Status: New

** No longer affects: golang-1.10 (Ubuntu Hirsute)

** No longer affects: golang-1.10 (Ubuntu Groovy)

** No longer affects: golang-1.10 (Ubuntu Focal)

** Also affects: golang-1.10 (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** Also affects: golang-1.14 (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** Also affects: golang-1.10 (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Also affects: golang-1.14 (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Changed in: golang-1.14 (Ubuntu Xenial)
       Status: New => Invalid

** Changed in: golang-1.14 (Ubuntu Bionic)
       Status: New => Invalid

** Changed in: golang-1.10 (Ubuntu)
   Importance: Undecided => High

** Changed in: golang-1.10 (Ubuntu Xenial)
   Importance: Undecided => High

** Changed in: golang-1.10 (Ubuntu Bionic)
   Importance: Undecided => High

** Changed in: golang-1.14 (Ubuntu Focal)
   Importance: Undecided => High

** Changed in: golang-1.14 (Ubuntu Groovy)
   Importance: Undecided => High

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1914372

Title:
  Ubuntu packages affected by CVE-2020-24553

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/golang-1.10/+bug/1914372/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
