
Mageia 8: 2022-0262 Moderate: Request Smuggling and Stack Issues

July 16, 2022
Updated Golang packages for Mageia address security vulnerabilities, including HTTP request smuggling and stack exhaustion issues.

Summary

net/http: improper sanitization of Transfer-Encoding header. The HTTP/1 client accepted some invalid Transfer-Encoding headers as indicating a "chunked" encoding. This could potentially allow for request smuggling, but only if combined with an intermediate server that also improperly failed to reject the header as invalid. (CVE-2022-1705)

When httputil.ReverseProxy.ServeHTTP was called with a Request.Header map containing a nil value for the X-Forwarded-For header, ReverseProxy would set the client IP as the value of the X-Forwarded-For header, contrary to its documentation. In the more usual case where a Director function set the X-Forwarded-For header value to nil, ReverseProxy would leave the header unmodified as expected. (CVE-2022-32148)

compress/gzip: stack exhaustion in Reader.Read. Calling Reader.Read on an archive containing a large number of concatenated 0-length compressed files can cause a panic due to stack exhaustion. (CVE-2022-30631)

encoding/xml: stack exhaustion in Un...

References

- https://bugs.mageia.org/show_bug.cgi?id=30639

- https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE

- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CUFBL2GZMN756YELNBCPJO3MTCGYXSYH/

- https://github.com/golang/go/issues/53188

- https://github.com/golang/go/issues/53423

- https://github.com/golang/go/issues/53168

- https://github.com/golang/go/issues/53611

- https://github.com/golang/go/issues/53614

- https://github.com/golang/go/issues/53416

- https://github.com/golang/go/issues/53415

- https://github.com/golang/go/issues/53616

- https://www.cve.org/CVERecord?id=CVE-2022-1705

- https://www.cve.org/CVERecord?id=CVE-2022-32148

- https://www.cve.org/CVERecord?id=CVE-2022-30631

- https://www.cve.org/CVERecord?id=CVE-2022-30633

- https://www.cve.org/CVERecord?id=CVE-2022-28131

- https://www.cve.org/CVERecord?id=CVE-2022-30635

- https://www.cve.org/CVERecord?id=CVE-2022-30632

- https://www.cve.org/CVERecord?id=CVE-2022-30630

- https://www.cve.org/CVERecord?id=CVE-2022-1962

Resolution

SRPMS

- 8/core/golang-1.17.12-1.mga8

Publication date: 16 Jul 2022
URL: https://advisories.mageia.org/MGASA-2022-0262.html
Type: security
CVE: CVE-2022-1705, CVE-2022-32148, CVE-2022-30631, CVE-2022-30633, CVE-2022-28131, CVE-2022-30635, CVE-2022-30632, CVE-2022-30630, CVE-2022-1962
