
Scientific Linux 7 x86_64: SLSA-2016:1538-1 Moderate: Golang MITM Issue

Moderate: golang security, bug fix, and enhancement
Date: Wed, 3 Aug 2016 17:10:54 -0000
Reply-To: scientific-linux-users@
Sender: Security Errata for Scientific Linux
 
From: Pat Riehecky 
Subject: Security ERRATA Moderate: golang on SL7.x x86_64
MIME-Version: 1.0
Message-ID: <20160803171054.30302.46294@slpackages.fnal.gov>

Synopsis: Moderate: golang security, bug fix, and enhancement
Advisory ID: SLSA-2016:1538-1
Issue Date: 2016-08-03
CVE Numbers: CVE-2016-5386
--

The following packages have been upgraded to a newer upstream version:
golang (1.6.3).

Security Fix(es):

* An input-validation flaw was discovered in the Go programming language's
built-in CGI implementation, which set the environment variable
"HTTP_PROXY" using the incoming "Proxy" HTTP-request header. The
environment variable "HTTP_PROXY" is used by numerous web clients,
including Go's net/http package, to specify a proxy server to use for HTTP
and, in some cases, HTTPS requests. This meant that when a CGI-based web
application ran, an attacker could specify a proxy server which the
application then used for subsequent outgoing requests, allowing a
man-in-the-middle attack. (CVE-2016-5386)
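
The header-to-environment mapping described above, with a filter and a front-end middleware that keep the "Proxy" header out of it. This is an added example, not code from the advisory or from the Go project; cgiEnv and stripProxy are hypothetical names, and the header values and proxy URL are constructed placeholders.

```go
package main

import (
	"fmt"
	"net/http"
	"sort"
	"strings"
)

// cgiEnv maps request headers to CGI meta-variables the way RFC 3875
// describes: "Header-Name: v" becomes HTTP_HEADER_NAME=v. With dropProxy
// set, the client-supplied Proxy header is skipped, so it can never be
// exported to the child process as HTTP_PROXY.
func cgiEnv(h http.Header, dropProxy bool) []string {
	var env []string
	for name, vals := range h {
		key := strings.ToUpper(strings.ReplaceAll(name, "-", "_"))
		if dropProxy && key == "PROXY" {
			continue
		}
		env = append(env, "HTTP_"+key+"="+strings.Join(vals, ", "))
	}
	sort.Strings(env) // stable order for display and comparison
	return env
}

// stripProxy removes the Proxy request header before any wrapped handler
// (for example a CGI handler on a runtime that is not yet updated) sees it.
func stripProxy(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		r.Header.Del("Proxy")
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Constructed request headers; the proxy URL is a placeholder.
	h := http.Header{}
	h.Set("User-Agent", "example-client")
	h.Set("Proxy", "http://proxy.example.invalid:3128")
	fmt.Println("unfiltered:", cgiEnv(h, false))
	fmt.Println("filtered:  ", cgiEnv(h, true))
}
```
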
--

SL7
 x86_64
 golang-1.6.3-1.el7_2.1.x86_64.rpm
 golang-bin-1.6.3-1.el7_2.1.x86_64.rpm
 noarch
 golang-docs-1.6.3-1.el7_2.1.noarch.rpm
 golang-misc-1.6.3-1.el7_2.1.noarch.rpm
 golang-src-1.6.3-1.el7_2.1.noarch.rpm
 golang-tests-1.6.3-1.el7_2.1.noarch.rpm

- Scientific Linux Development Team
