SB2016080210 - Red Hat Enterprise Linux 7 update for golang

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2016080210

SB2016080210 - Red Hat Enterprise Linux 7 update for golang

Published: August 2, 2016 Updated: April 24, 2025

Security Bulletin ID SB2016080210
Severity
High
Patch available
YES
Number of vulnerabilities 5
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 40% Medium 60%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 5 secuirty vulnerabilities.


1) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2015-5739)

The vulnerability allows a remote attacker to conduct an HTTP request smuggling attack on the target system.

The vulnerability exists due to the "net/http" library in "net/textproto/reader.go" does not properly parse HTTP header keys. A remote attacker can send a specially crafted HTTP request and conduct HTTP request smuggling attacks via a space instead of a hyphen, as demonstrated by "Content Length" instead of "Content-Length."



2) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2015-5740)

The vulnerability allows a remote attacker to conduct an HTTP request smuggling attack on the target system.

The vulnerability exists due to the "net/http" library in "net/http/transfer.go" does not properly parse HTTP headers. A remote attacker can send a specially crafted HTTP request and conduct HTTP request smuggling attacks via a request with two Content-length headers.

3) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2015-5741)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

The net/http library in net/http/transfer.go in Go before 1.4.3 does not properly parse HTTP headers, which allows remote attackers to conduct HTTP request smuggling attacks via a request that contains Content-Length and Transfer-Encoding header fields.


4) Input validation error (CVE-ID: CVE-2016-3959)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

The Verify function in crypto/dsa/dsa.go in Go before 1.5.4 and 1.6.x before 1.6.1 does not properly check parameters passed to the big integer library, which might allow remote attackers to cause a denial of service (infinite loop) via a crafted public key to a program that uses HTTPS client certificates or SSH server libraries.


5) Improper access control (CVE-ID: CVE-2016-5386)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

The net/http package in Go through 1.6 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect a CGI application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue.


Remediation

Install update from vendor's website.

References