Vulnerabilities > CVE-2019-16276 - HTTP Request Smuggling vulnerability in multiple products
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
NONE Integrity impact
HIGH Availability impact
NONE Summary
Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP Request Smuggling.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- HTTP Request Splitting HTTP Request Splitting (also known as HTTP Request Smuggling) is an attack pattern where an attacker attempts to insert additional HTTP requests in the body of the original (enveloping) HTTP request in such a way that the browser interprets it as one request but the web server interprets it as two. There are several ways to perform HTTP request splitting attacks. One way is to include double Content-Length headers in the request to exploit the fact that the devices parsing the request may each use a different header. Another way is to submit an HTTP request with a "Transfer Encoding: chunked" in the request header set with setRequestHeader to allow a payload in the HTTP Request that can be considered as another HTTP Request by a subsequent parsing entity. A third way is to use the "Double CR in an HTTP header" technique. There are also a few less general techniques targeting specific parsing vulnerabilities in certain web servers.
- HTTP Request Smuggling HTTP Request Smuggling results from the discrepancies in parsing HTTP requests between HTTP entities such as web caching proxies or application firewalls. Entities such as web servers, web caching proxies, application firewalls or simple proxies often parse HTTP requests in slightly different ways. Under specific situations where there are two or more such entities in the path of the HTTP request, a specially crafted request is seen by two attacked entities as two different sets of requests. This allows certain requests to be smuggled through to a second entity without the first one realizing it.
Nessus
NASL family Amazon Linux Local Security Checks NASL id AL2_ALAS-2019-1335.NASL description It was discovered that net/http (through net/textproto) in golang does not correctly interpret HTTP requests where an HTTP header contains spaces before the colon. This could be abused by an attacker to smuggle HTTP requests when a proxy or a firewall is placed behind a server implemented in Go or to filter bypasses depending on the specific network configuration.(CVE-2019-16276) last seen 2020-06-01 modified 2020-06-02 plugin id 130231 published 2019-10-25 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/130231 title Amazon Linux 2 : golang (ALAS-2019-1335) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Amazon Linux 2 Security Advisory ALAS-2019-1335. # include("compat.inc"); if (description) { script_id(130231); script_version("1.4"); script_cvs_date("Date: 2020/01/09"); script_cve_id("CVE-2019-16276"); script_xref(name:"ALAS", value:"2019-1335"); script_xref(name:"IAVB", value:"2019-B-0085"); script_name(english:"Amazon Linux 2 : golang (ALAS-2019-1335)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Amazon Linux 2 host is missing a security update." ); script_set_attribute( attribute:"description", value: "It was discovered that net/http (through net/textproto) in golang does not correctly interpret HTTP requests where an HTTP header contains spaces before the colon. This could be abused by an attacker to smuggle HTTP requests when a proxy or a firewall is placed behind a server implemented in Go or to filter bypasses depending on the specific network configuration.(CVE-2019-16276)" ); script_set_attribute( attribute:"see_also", value:"https://alas.aws.amazon.com/AL2/ALAS-2019-1335.html" ); script_set_attribute( attribute:"solution", value:"Run 'yum update golang' to update your system." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:golang"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:golang-bin"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:golang-docs"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:golang-misc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:golang-src"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:golang-tests"); script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux:2"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/09/30"); script_set_attribute(attribute:"patch_publication_date", value:"2019/10/24"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/10/25"); script_set_attribute(attribute:"stig_severity", value:"II"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Amazon Linux Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/AmazonLinux/release"); if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux"); os_ver = pregmatch(pattern: "^AL(A|\d)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux"); os_ver = os_ver[1]; if (os_ver != "2") { if (os_ver == 'A') os_ver = 'AMI'; audit(AUDIT_OS_NOT, "Amazon Linux 2", "Amazon Linux " + os_ver); } if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (rpm_check(release:"AL2", cpu:"x86_64", reference:"golang-1.9.4-3.amzn2.0.3")) flag++; if (rpm_check(release:"AL2", cpu:"x86_64", reference:"golang-bin-1.9.4-3.amzn2.0.3")) flag++; if (rpm_check(release:"AL2", reference:"golang-docs-1.9.4-3.amzn2.0.3")) flag++; if (rpm_check(release:"AL2", reference:"golang-misc-1.9.4-3.amzn2.0.3")) flag++; if (rpm_check(release:"AL2", reference:"golang-src-1.9.4-3.amzn2.0.3")) flag++; if (rpm_check(release:"AL2", reference:"golang-tests-1.9.4-3.amzn2.0.3")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "golang / golang-bin / golang-docs / golang-misc / golang-src / etc"); }
NASL family Debian Local Security Checks NASL id DEBIAN_DSA-4534.NASL description It was discovered that the Go programming language did accept and normalize invalid HTTP/1.1 headers with a space before the colon, which could lead to filter bypasses or request smuggling in some setups. last seen 2020-06-01 modified 2020-06-02 plugin id 129412 published 2019-09-30 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/129412 title Debian DSA-4534-1 : golang-1.11 - security update code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-4534. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(129412); script_version("1.5"); script_cvs_date("Date: 2020/01/09"); script_cve_id("CVE-2019-16276"); script_xref(name:"DSA", value:"4534"); script_xref(name:"IAVB", value:"2019-B-0085"); script_name(english:"Debian DSA-4534-1 : golang-1.11 - security update"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "It was discovered that the Go programming language did accept and normalize invalid HTTP/1.1 headers with a space before the colon, which could lead to filter bypasses or request smuggling in some setups." ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/source-package/golang-1.11" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/buster/golang-1.11" ); script_set_attribute( attribute:"see_also", value:"https://www.debian.org/security/2019/dsa-4534" ); script_set_attribute( attribute:"solution", value: "Upgrade the golang-1.11 packages. For the stable distribution (buster), this problem has been fixed in version 1.11.6-1+deb10u2." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:golang-1.11"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:10.0"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/09/30"); script_set_attribute(attribute:"patch_publication_date", value:"2019/09/27"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/09/30"); script_set_attribute(attribute:"stig_severity", value:"II"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"10.0", prefix:"golang-1.11", reference:"1.11.6-1+deb10u2")) flag++; if (deb_check(release:"10.0", prefix:"golang-1.11-doc", reference:"1.11.6-1+deb10u2")) flag++; if (deb_check(release:"10.0", prefix:"golang-1.11-go", reference:"1.11.6-1+deb10u2")) flag++; if (deb_check(release:"10.0", prefix:"golang-1.11-src", reference:"1.11.6-1+deb10u2")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
NASL family SuSE Local Security Checks NASL id OPENSUSE-2019-2521.NASL description This update for go1.12 fixes the following issues : Security issues fixed : - CVE-2019-16276: Fixed the handling of invalid HTTP headers, which had allowed request smuggling (bsc#1152082). - CVE-2019-17596: Fixed a panic in dsa.Verify caused by invalid public keys (bsc#1154402). Non-security issue fixed : - Go was updated to version 1.12.12 (bsc#1141689). This update was imported from the SUSE:SLE-15:Update update project. last seen 2020-06-01 modified 2020-06-02 plugin id 131116 published 2019-11-18 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/131116 title openSUSE Security Update : go1.12 (openSUSE-2019-2521) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update openSUSE-2019-2521. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(131116); script_version("1.3"); script_cvs_date("Date: 2020/01/09"); script_cve_id("CVE-2019-16276", "CVE-2019-17596"); script_xref(name:"IAVB", value:"2019-B-0085"); script_name(english:"openSUSE Security Update : go1.12 (openSUSE-2019-2521)"); script_summary(english:"Check for the openSUSE-2019-2521 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "This update for go1.12 fixes the following issues : Security issues fixed : - CVE-2019-16276: Fixed the handling of invalid HTTP headers, which had allowed request smuggling (bsc#1152082). - CVE-2019-17596: Fixed a panic in dsa.Verify caused by invalid public keys (bsc#1154402). Non-security issue fixed : - Go was updated to version 1.12.12 (bsc#1141689). This update was imported from the SUSE:SLE-15:Update update project." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1141689" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1152082" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1154402" ); script_set_attribute( attribute:"solution", value:"Update the affected go1.12 packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:go1.12"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:go1.12-race"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:15.0"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/09/30"); script_set_attribute(attribute:"patch_publication_date", value:"2019/11/17"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/11/18"); script_set_attribute(attribute:"stig_severity", value:"II"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE15\.0)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "15.0", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(x86_64)$") audit(AUDIT_ARCH_NOT, "x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE15.0", reference:"go1.12-1.12.12-lp150.11.1") ) flag++; if ( rpm_check(release:"SUSE15.0", reference:"go1.12-race-1.12.12-lp150.11.1") ) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "go1.12 / go1.12-race"); }
NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2020-0329.NASL description An update for the go-toolset:rhel8 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. Security Fix(es) : * golang: HTTP/1.1 headers with a space before the colon leads to filter bypass or request smuggling (CVE-2019-16276) * golang: invalid public key causes panic in dsa.Verify (CVE-2019-17596) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. last seen 2020-05-21 modified 2020-02-05 plugin id 133478 published 2020-02-05 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/133478 title RHEL 8 : go-toolset:rhel8 (RHSA-2020:0329) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2020:0329. The text # itself is copyright (C) Red Hat, Inc. # include("compat.inc"); if (description) { script_id(133478); script_version("1.3"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/20"); script_cve_id("CVE-2019-16276", "CVE-2019-17596"); script_xref(name:"RHSA", value:"2020:0329"); script_name(english:"RHEL 8 : go-toolset:rhel8 (RHSA-2020:0329)"); script_summary(english:"Checks the rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Red Hat host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "An update for the go-toolset:rhel8 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. Security Fix(es) : * golang: HTTP/1.1 headers with a space before the colon leads to filter bypass or request smuggling (CVE-2019-16276) * golang: invalid public key causes panic in dsa.Verify (CVE-2019-17596) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section." ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2020:0329" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2019-16276" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2019-17596" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-11043"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:go-toolset"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:golang"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:golang-bin"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:golang-docs"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:golang-misc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:golang-race"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:golang-src"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:golang-tests"); script_set_attribute(attribute:"cpe", value:"cpe:/a:redhat:enterprise_linux:8"); script_set_attribute(attribute:"cpe", value:"cpe:/a:redhat:enterprise_linux:8::appstream"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:8"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/09/30"); script_set_attribute(attribute:"patch_publication_date", value:"2020/02/04"); script_set_attribute(attribute:"plugin_publication_date", value:"2020/02/05"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Red Hat Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat"); os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat"); os_ver = os_ver[1]; if (! preg(pattern:"^8([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 8.x", "Red Hat " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu); module_ver = get_kb_item('Host/RedHat/appstream/go-toolset'); if (isnull(module_ver)) audit(AUDIT_PACKAGE_NOT_INSTALLED, 'Module go-toolset:rhel8'); if ('rhel8' >!< module_ver) audit(AUDIT_PACKAGE_NOT_AFFECTED, 'Module go-toolset:' + module_ver); appstreams = { 'go-toolset:rhel8': [ {'reference':'go-toolset-1.12.12-2.module+el8.1.0+5317+8a49ffbb', 'cpu':'aarch64', 'release':'8'}, {'reference':'go-toolset-1.12.12-2.module+el8.1.0+5317+8a49ffbb', 'cpu':'s390x', 'release':'8'}, {'reference':'go-toolset-1.12.12-2.module+el8.1.0+5317+8a49ffbb', 'cpu':'x86_64', 'release':'8'}, {'reference':'golang-1.12.12-4.module+el8.1.0+5317+8a49ffbb', 'cpu':'aarch64', 'release':'8'}, {'reference':'golang-1.12.12-4.module+el8.1.0+5317+8a49ffbb', 'cpu':'s390x', 'release':'8'}, {'reference':'golang-1.12.12-4.module+el8.1.0+5317+8a49ffbb', 'cpu':'x86_64', 'release':'8'}, {'reference':'golang-bin-1.12.12-4.module+el8.1.0+5317+8a49ffbb', 'cpu':'aarch64', 'release':'8'}, {'reference':'golang-bin-1.12.12-4.module+el8.1.0+5317+8a49ffbb', 'cpu':'s390x', 'release':'8'}, {'reference':'golang-bin-1.12.12-4.module+el8.1.0+5317+8a49ffbb', 'cpu':'x86_64', 'release':'8'}, {'reference':'golang-docs-1.12.12-4.module+el8.1.0+5317+8a49ffbb', 'release':'8'}, {'reference':'golang-misc-1.12.12-4.module+el8.1.0+5317+8a49ffbb', 'release':'8'}, {'reference':'golang-race-1.12.12-4.module+el8.1.0+5317+8a49ffbb', 'cpu':'x86_64', 'release':'8'}, {'reference':'golang-src-1.12.12-4.module+el8.1.0+5317+8a49ffbb', 'release':'8'}, {'reference':'golang-tests-1.12.12-4.module+el8.1.0+5317+8a49ffbb', 'release':'8'} ], }; flag = 0; appstreams_found = 0; foreach module (keys(appstreams)) { appstream = NULL; appstream_name = NULL; appstream_version = NULL; appstream_split = split(module, sep:':', keep:FALSE); if (!empty_or_null(appstream_split)) { appstream_name = appstream_split[0]; appstream_version = appstream_split[1]; appstream = get_kb_item('Host/RedHat/appstream/' + appstream_name); } if (!empty_or_null(appstream) && appstream_version == appstream || appstream_name == 'all') { appstreams_found++; foreach package_array ( appstreams[module] ) { reference = NULL; release = NULL; sp = NULL; cpu = NULL; el_string = NULL; rpm_spec_vers_cmp = NULL; epoch = NULL; if (!empty_or_null(package_array['reference'])) reference = package_array['reference']; if (!empty_or_null(package_array['release'])) release = 'RHEL' + package_array['release']; if (!empty_or_null(package_array['sp'])) sp = package_array['sp']; if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu']; if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string']; if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp']; if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch']; if (reference && release) { if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++; } } } } if (!appstreams_found) audit(AUDIT_PACKAGE_NOT_INSTALLED, 'Module go-toolset:rhel8'); if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : rpm_report_get() + redhat_report_package_caveat() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'go-toolset / golang / golang-bin / etc'); }
NASL family Amazon Linux Local Security Checks NASL id ALA_ALAS-2020-1336.NASL description It was discovered that net/http (through net/textproto) in golang does not correctly interpret HTTP requests where an HTTP header contains spaces before the colon. This could be abused by an attacker to smuggle HTTP requests when a proxy or a firewall is placed behind a server implemented in Go or to filter bypasses depending on the specific network configuration.(CVE-2019-16276) Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP Request Smuggling.(CVE-2019-16276) last seen 2020-06-01 modified 2020-06-02 plugin id 133006 published 2020-01-17 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/133006 title Amazon Linux AMI : golang (ALAS-2020-1336) NASL family Amazon Linux Local Security Checks NASL id AL2_ALAS-2020-1383.NASL description It was discovered that net/http (through net/textproto) in golang does not correctly interpret HTTP requests where an HTTP header contains spaces before the colon. This could be abused by an attacker to smuggle HTTP requests when a proxy or a firewall is placed behind a server implemented in Go or to filter bypasses depending on the specific network configuration. (CVE-2019-16276) last seen 2020-06-01 modified 2020-06-02 plugin id 133093 published 2020-01-21 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/133093 title Amazon Linux 2 : golang (ALAS-2020-1383) NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2020-1_0-0264_GO.NASL description An update of the go package has been released. last seen 2020-06-01 modified 2020-06-02 plugin id 132981 published 2020-01-16 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/132981 title Photon OS 1.0: Go PHSA-2020-1.0-0264 NASL family SuSE Local Security Checks NASL id OPENSUSE-2019-2522.NASL description This update for go1.12 fixes the following issues : Security issues fixed : - CVE-2019-16276: Fixed the handling of invalid HTTP headers, which had allowed request smuggling (bsc#1152082). - CVE-2019-17596: Fixed a panic in dsa.Verify caused by invalid public keys (bsc#1154402). Non-security issue fixed : - Go was updated to version 1.12.12 (bsc#1141689). This update was imported from the SUSE:SLE-15:Update update project. last seen 2020-06-01 modified 2020-06-02 plugin id 131117 published 2019-11-18 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/131117 title openSUSE Security Update : go1.12 (openSUSE-2019-2522) NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_A92DCC5CE05C11E9B58910C37B4AC2EA.NASL description The Go project reports : net/http (through net/textproto) used to accept and normalize invalid HTTP/1.1 headers with a space before the colon, in violation of RFC 7230. If a Go server is used behind a reverse proxy that accepts and forwards but doesn last seen 2020-06-01 modified 2020-06-02 plugin id 129426 published 2019-09-30 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/129426 title FreeBSD : go -- invalid headers are normalized, allowing request smuggling (a92dcc5c-e05c-11e9-b589-10c37b4ac2ea) NASL family Fedora Local Security Checks NASL id FEDORA_2019-416D20F960.NASL description - Rebase to 1.12.10 - Security fix for CVE-2019-16276 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 129767 published 2019-10-10 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/129767 title Fedora 30 : golang (2019-416d20f960) NASL family Amazon Linux Local Security Checks NASL id ALA_ALAS-2019-1321.NASL description It was discovered that net/http (through net/textproto) in golang does not correctly interpret HTTP requests where an HTTP header contains spaces before the colon. This could be abused by an attacker to smuggle HTTP requests when a proxy or a firewall is placed behind a server implemented in Go or to filter bypasses depending on the specific network configuration. (CVE-2019-16276) last seen 2020-06-01 modified 2020-06-02 plugin id 131241 published 2019-11-25 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/131241 title Amazon Linux AMI : golang (ALAS-2019-1321) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2020-0101.NASL description An update for go-toolset-1.12 and go-toolset-1.12-golang is now available for Red Hat Developer Tools. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. The following packages have been upgraded to a later upstream version: go-toolset-1.12-golang (1.12.12). (BZ#1759840, BZ#1785389) Security Fix(es) : * golang: HTTP/1.1 headers with a space before the colon leads to filter bypass or request smuggling (CVE-2019-16276) * golang: invalid public key causes panic in dsa.Verify (CVE-2019-17596) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. last seen 2020-06-01 modified 2020-06-02 plugin id 132948 published 2020-01-16 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/132948 title RHEL 7 : go-toolset-1.12-golang (RHSA-2020:0101) NASL family Fedora Local Security Checks NASL id FEDORA_2019-1B8CBD39FF.NASL description - Rebase to 1.13.1 - Security fix for CVE-2019-16276 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 129698 published 2019-10-08 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/129698 title Fedora 31 : golang (2019-1b8cbd39ff) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-2529.NASL description According to the versions of the golang packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP Request Smuggling.(CVE-2019-16276) - Go before 1.12.11 and 1.3.x before 1.13.2 can panic upon an attempt to process network traffic containing an invalid DSA public key. There are several attack scenarios, such as traffic from a client to a server that verifies client certificates.(CVE-2019-17596) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-08 modified 2019-12-09 plugin id 131803 published 2019-12-09 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/131803 title EulerOS 2.0 SP5 : golang (EulerOS-SA-2019-2529) NASL family Fedora Local Security Checks NASL id FEDORA_2019-E99C1603C3.NASL description - Security fix for CVE-2019-16276 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 129858 published 2019-10-15 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/129858 title Fedora 29 : golang (2019-e99c1603c3) NASL family SuSE Local Security Checks NASL id SUSE_SU-2019-2940-1.NASL description This update for go1.12 fixes the following issues : Security issues fixed : CVE-2019-16276: Fixed the handling of invalid HTTP headers, which had allowed request smuggling (bsc#1152082). CVE-2019-17596: Fixed a panic in dsa.Verify caused by invalid public keys (bsc#1154402). Non-security issue fixed: Go was updated to version 1.12.12 (bsc#1141689). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 130900 published 2019-11-12 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/130900 title SUSE SLED15 / SLES15 Security Update : go1.12 (SUSE-SU-2019:2940-1)
Redhat
advisories |
| ||||||||||||
rpms |
|
Related news
References
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00043.html
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00043.html
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00044.html
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00044.html
- https://access.redhat.com/errata/RHSA-2020:0101
- https://access.redhat.com/errata/RHSA-2020:0101
- https://access.redhat.com/errata/RHSA-2020:0329
- https://access.redhat.com/errata/RHSA-2020:0329
- https://access.redhat.com/errata/RHSA-2020:0652
- https://access.redhat.com/errata/RHSA-2020:0652
- https://github.com/golang/go/issues/34540
- https://github.com/golang/go/issues/34540
- https://groups.google.com/forum/#%21msg/golang-announce/cszieYyuL9Q/g4Z7pKaqAgAJ
- https://groups.google.com/forum/#%21msg/golang-announce/cszieYyuL9Q/g4Z7pKaqAgAJ
- https://lists.debian.org/debian-lts-announce/2021/03/msg00014.html
- https://lists.debian.org/debian-lts-announce/2021/03/msg00014.html
- https://lists.debian.org/debian-lts-announce/2021/03/msg00015.html
- https://lists.debian.org/debian-lts-announce/2021/03/msg00015.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LULL72EUUKIY4NWDZVJVN2LIB4MXHS5P/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LULL72EUUKIY4NWDZVJVN2LIB4MXHS5P/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O7GMJ3VXF5RXK2C7CL66KJ6XOOTOL5BJ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O7GMJ3VXF5RXK2C7CL66KJ6XOOTOL5BJ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q5MD2F7ATWSTB45ZJIPJHBAAHVRGRAKG/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q5MD2F7ATWSTB45ZJIPJHBAAHVRGRAKG/
- https://security.netapp.com/advisory/ntap-20191122-0004/
- https://security.netapp.com/advisory/ntap-20191122-0004/