Mageia 7: 2020-0325 Moderate: Golang Data Race and Input Issues
mageia
August 18, 2020
Servers where the Handler concurrently reads the request body and writes a response can encounter a data race and crash
Summary
Servers where the Handler concurrently reads the request body and writes a
response can encounter a data race and crash. The httputil.ReverseProxy Handler
is affected (CVE-2020-15586).
Certain invalid inputs to ReadUvarint or ReadVarint could cause those functions
to read an unlimited number of bytes from the ByteReader argument before
returning an error. This could lead to processing more input than expected when
the caller is reading directly from the network and depends on ReadUvarint and
ReadVarint only consuming a small, bounded number of bytes, even from invalid
inputs (CVE-2020-16845).
The golang package has been updated to version 1.13.15, fixing these issues
and containing several other bug fixes and enhancements. See the 1.13 release
notes and other references for details.
References
- https://bugs.mageia.org/show_bug.cgi?id=27039
- https://go.dev/doc/go1.13
- https://go.dev/doc/devel/release
- https://groups.google.com/forum/?utm_medium=email&utm_source=footer#!msg/golang-announce/XZNfaiwgt2w/E6gHDs32AQAJ
- https://groups.google.com/forum/?utm_medium=email&utm_source=footer#!topic/golang-announce/NyPIaucMgXo
- - https://www.cve.org/CVERecord?id=CVE-2020-15586
- https://www.cve.org/CVERecord?id=CVE-2020-16845
Topics Covered
Resolution
SRPMS
- 7/core/golang-1.13.15-1.mga7
PREVIOUS
NEXT
Publication date: 18 Aug 2020
URL: https://advisories.mageia.org/MGASA-2020-0325.html
Type: security
CVE: CVE-2020-15586,
CVE-2020-16845
Topics Covered
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!