[v3.2] go: multiple issues (CVE-2015-5739, CVE-2015-5740, CVE-2015-5741)
Potentially exploitable flaws have been found in the Golang net/http library, affecting versions 1.4.2 and 1.5.
Problems:
- Double Content-length headers in a request do not generate a 400 error; the second Content-length is ignored.
- Invalid headers are parsed as valid headers (like “Content Length:” with a space in the middle).
Exploitations:
When the HTTP communication between the net/http agent and the final HTTP clients passes through a reverse proxy (reverse proxy cache, SSL terminators, etc.), some requests can be crafted to exploit the net/http HTTP protocol violations.
An attacker could possibly:
- bypass security controls on these previous elements
- perform some cache poisoning on these elements
- alter the request/response map on these previous elements (for DoS)
Reference:
(from redmine: issue id 4536, created on 2015-08-14, closed on 2015-09-22)
- Relations:
- parent #4532
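
A strict front-end check for the two parsing problems listed above, as an added example that is not code from this report or from the Go project. `CheckHeaders`, `isToken` and the two error values are hypothetical names, and the sample requests are constructed.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"strings"
)

var ErrDuplicateCL = errors.New("more than one Content-Length header")
var ErrBadName = errors.New("invalid header field name")

// isToken reports whether s is an RFC 7230 token (no spaces, no separators).
func isToken(s string) bool {
	for _, c := range []byte(s) {
		alnum := c >= 'a' && c <= 'z' || c >= 'A' && c <= 'Z' || c >= '0' && c <= '9'
		if !alnum && strings.IndexByte("!#$%&'*+-.^_`|~", c) < 0 {
			return false
		}
	}
	return s != ""
}

// CheckHeaders (hypothetical helper) returns an error for a raw request head that should get a 400.
func CheckHeaders(raw string) error {
	sc := bufio.NewScanner(strings.NewReader(raw))
	sc.Scan() // skip the request line
	seenCL := false
	for sc.Scan() && sc.Text() != "" { // an empty line ends the header block
		line := sc.Text()
		i := strings.IndexByte(line, ':')
		if i < 0 || !isToken(line[:i]) { // catches "Content Length:" and "Name :"
			return fmt.Errorf("%w: %q", ErrBadName, line)
		}
		if strings.EqualFold(line[:i], "Content-Length") {
			if seenCL { // strict choice: reject any repeat instead of picking one
				return ErrDuplicateCL
			}
			seenCL = true
		}
	}
	return nil
}

func main() { // sample requests are constructed, not taken from the original report
	dup := "POST / HTTP/1.1\r\nHost: a.example\r\nContent-Length: 5\r\nContent-Length: 0\r\n\r\nhello"
	spaced := "POST / HTTP/1.1\r\nHost: a.example\r\nContent Length: 5\r\n\r\nhello"
	fmt.Println(CheckHeaders(dup), "|", CheckHeaders(spaced))
}
```

Rejecting both cases with a 400 means the back end and any proxy in front of it cannot disagree about where the request body ends.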