Source: golang-1.13
Version: 1.13~beta1-2
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://github.com/golang/go/issues/29098

Hi,

The following vulnerability was published for golang-1.13. The
CVE-2019-14809 seems unpatched yet as well in golang-1.13 1.13~beta1-2.

CVE-2019-14809[0]:
| net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles
| malformed hosts in URLs, leading to an authorization bypass in some
| applications. This is related to a Host field with a suffix appearing
| in neither Hostname() nor Port(), and is related to a non-numeric port
| number. For example, an attacker can compose a crafted javascript://
| URL that results in a hostname of google.com.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-14809
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14809
[1] https://github.com/golang/go/issues/29098
[2] https://github.com/golang/go/commit/61bb56ad63992a3199acc55b2537c8355ef887b6

Regards,
Salvatore
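
A defensive check for applications that base an authorization decision on a parsed URL's host, added here as an example (it is not code from the report or from the Go project). The helper names checkHost and allowedTarget, the allow-list and the sample URLs are assumptions constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strconv"
	"strings"
)

// checkHost (hypothetical helper) rejects a URL unless every byte of u.Host is
// accounted for by Hostname() and Port() and the port, if any, is numeric.
func checkHost(u *url.URL) error {
	host, port := u.Hostname(), u.Port()
	if host == "" {
		return errors.New("empty hostname")
	}
	rebuilt := host
	if strings.Contains(host, ":") { // IPv6 literal: Hostname() strips the brackets
		rebuilt = "[" + host + "]"
	}
	if port != "" {
		if _, err := strconv.ParseUint(port, 10, 16); err != nil {
			return fmt.Errorf("invalid port %q", port)
		}
		rebuilt += ":" + port
	}
	if rebuilt != u.Host { // leftover suffix, or a bare trailing ":"
		return fmt.Errorf("host %q not fully covered by Hostname()/Port()", u.Host)
	}
	return nil
}

// allowedTarget (hypothetical) is the authorization decision: scheme and
// hostname are compared only after the host has passed checkHost.
func allowedTarget(raw string, allow map[string]bool) bool {
	u, err := url.Parse(raw)
	if err != nil || (u.Scheme != "https" && u.Scheme != "http") {
		return false
	}
	return checkHost(u) == nil && allow[strings.ToLower(u.Hostname())]
}

func main() {
	allow := map[string]bool{"example.com": true} // constructed allow-list
	for _, raw := range []string{"https://example.com:443/", "javascript://example.com/x"} {
		fmt.Println(raw, allowedTarget(raw, allow))
	}
	// Constructed struct, bypassing url.Parse, to model a malformed Host field.
	fmt.Println(checkHost(&url.URL{Scheme: "https", Host: "example.com:80suffix"}))
}
```

The check is deliberately strict: a host with an empty port such as "example.com:" is also rejected.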