This bug was fixed in the package golang-1.14 - 1.14.7-2ubuntu2
---
golang-1.14 (1.14.7-2ubuntu2) hirsute; urgency=medium
* SECURITY UPDATE: XSS (LP: #1914372)
- debian/patches/CVE-2020-24553.patch: Add Content-Type detection in
net/http/cgi and net/http/fcgi.
-
** Changed in: golang-1.14 (Ubuntu Hirsute)
Importance: High => Low
** Changed in: golang-1.15 (Ubuntu)
Importance: Undecided => Low
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1914372
This bug was fixed in the package golang-1.14 - 1.14.7-2ubuntu1.1
---
golang-1.14 (1.14.7-2ubuntu1.1) groovy-security; urgency=medium
* SECURITY UPDATE: XSS (LP: #1914372)
- debian/patches/CVE-2020-24553.patch: Add Content-Type detection in
net/http/cgi and net/http/fcgi.
This bug was fixed in the package golang-1.14 - 1.14.3-2ubuntu2~20.04.2
---
golang-1.14 (1.14.3-2ubuntu2~20.04.2) focal-security; urgency=medium
* SECURITY UPDATE: XSS (LP: #1914372)
- debian/patches/CVE-2020-24553.patch: Add Content-Type detection in
net/http/cgi and
This bug was fixed in the package golang-1.10 - 1.10.4-2ubuntu1~16.04.2
---
golang-1.10 (1.10.4-2ubuntu1~16.04.2) xenial-security; urgency=medium
* SECURITY UPDATE: XSS (LP: #1914372)
- debian/patches/CVE-2020-24553.patch: Add Content-Type detection in
net/http/cgi and
This bug was fixed in the package golang-1.10 - 1.10.4-2ubuntu1~18.04.2
---
golang-1.10 (1.10.4-2ubuntu1~18.04.2) bionic-security; urgency=medium
* SECURITY UPDATE: XSS (LP: #1914372)
- debian/patches/CVE-2020-24553.patch: Add Content-Type detection in
net/http/cgi and
Thank you so much Dariusz! All the smoke tests look good as well so it's
ready to push out Monday.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1914372
Title:
Ubuntu packages affected by
I have just repeated the testing procedure for golang-1.14 on Focal, Groovy and
Hirsute.
The test results look correct and consistent with what is expected according to
the test case.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
Thank you Avital.
I have just tested golang-1.10 for Xenial and Bionic and the behavior is
exactly as expected for a fixed version.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1914372
Title:
The patched update is now uploaded to the security proposed PPA here:
https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/ (Hirsute
is still building ATM)
If anyone has the time to help test any of the packages before they're uploaded
to the archive, it would be appreciated :)
Bionic patch with corrected versioning (and matryoshka_test.go fixed)
** Patch added: "bionic_golang-1.10.debdiff"
https://bugs.launchpad.net/ubuntu/+source/golang-1.14/+bug/1914372/+attachment/5464431/+files/bionic_golang-1.10.debdiff
--
You received this bug notification because you are a
Xenial patch (with matryoshka_test.go fixed).
** Patch added: "xenial_golang-1.10.debdiff"
https://bugs.launchpad.net/ubuntu/+source/golang-1.14/+bug/1914372/+attachment/5464430/+files/xenial_golang-1.10.debdiff
--
You received this bug notification because you are a member of Ubuntu
Bugs,
Thanks for looking at it. I've checked matryoshka_test.go and looks like
it was expecting the old default Content-Type: text/html, while after
applying the patch the new default is text/plain.
I've updated the debdiffs and will upload them shortly (for x and b).
** Patch removed:
Thank you for the debdiffs, all the golang-1.14 diffs built without
issue. Both the patched golang-1.10 builds failed due to
matryoshka_test.go, which is no longer present in golang-1.14:
2021/02/10 01:34:37 cgi: copy error: write tcp
127.0.0.1:39673->127.0.0.1:41144: write: broken pipe
---
** Description changed:
[Impact]
Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because text/html
is the default for CGI/FCGI handlers that lack a Content-Type header.
[Test Case]
Described as POC at https://www.redteam-pentesting.de/en/advisories/rt-
** No longer affects: golang-1.14 (Ubuntu Xenial)
** No longer affects: golang-1.14 (Ubuntu Bionic)
** No longer affects: golang-1.10 (Ubuntu)
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-24553
--
You received this bug notification because you are a member of Ubuntu
Bugs,
** Description changed:
[Impact]
- Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because text/html
+ Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because text/html
is the default for CGI/FCGI handlers that lack a Content-Type header.
[Test Case]
- Described as POC
Patch proposal for golang-1.10 on Xenial.
** Patch added: "xenial_golang-1.10.debdiff"
https://bugs.launchpad.net/ubuntu/+source/golang-1.10/+bug/1914372/+attachment/5459328/+files/xenial_golang-1.10.debdiff
--
You received this bug notification because you are a member of Ubuntu
Bugs,
Patch proposal for golang-1.10 on Bionic.
** Patch added: "bionic_golang-1.10.debdiff"
https://bugs.launchpad.net/ubuntu/+source/golang-1.10/+bug/1914372/+attachment/5459326/+files/bionic_golang-1.10.debdiff
--
You received this bug notification because you are a member of Ubuntu
Bugs,
Patch proposal for golang-1.14 on Focal.
** Patch added: "focal_golang-1.14.debdiff"
https://bugs.launchpad.net/ubuntu/+source/golang-1.10/+bug/1914372/+attachment/5459325/+files/focal_golang-1.14.debdiff
--
You received this bug notification because you are a member of Ubuntu
Bugs, which
Patch proposal for golang-1.14 on Groovy.
** Patch added: "groovy_golang-1.14.debdiff"
https://bugs.launchpad.net/ubuntu/+source/golang-1.10/+bug/1914372/+attachment/5459324/+files/groovy_golang-1.14.debdiff
--
You received this bug notification because you are a member of Ubuntu
Bugs,
Patch proposal for golang-1.14 on Groovy.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1914372
Title:
Ubuntu packages affected by CVE-2020-24553
To manage notifications about this bug go to:
Patch proposal for golang-1.14 for Hirsute
** Patch added: "hirsute_golang-1.14.debdiff"
https://bugs.launchpad.net/ubuntu/+source/golang-1.10/+bug/1914372/+attachment/5459322/+files/hirsute_golang-1.14.debdiff
--
You received this bug notification because you are a member of Ubuntu
Bugs,
23 matches
Mail list logo