openSUSE-SU-2020:1087

openSUSE-SU-2020:1095

openSUSE-SU-2020:1405

openSUSE-SU-2020:1407

https://groups.google.com/forum/#!topic/golang-announce/f2c5bqrGH_g

https://groups.google.com/forum/#!topic/golang-announce/XZNfaiwgt2w

[debian-lts-announce] 20201121 [SECURITY] [DLA 2459-1] golang-1.7 security update

[debian-lts-announce] 20201121 [SECURITY] [DLA 2460-1] golang-1.8 security update

FEDORA-2020-d75360e2b0

FEDORA-2020-9cd1204ba0

https://security.netapp.com/advisory/ntap-20200731-0005/

https://www.cloudfoundry.org/blog/cve-2020-15586/

The remote Redhat Enterprise Linux 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:5119 advisory.

  - golang: data race in certain net/http servers including ReverseProxy can lead to DoS (CVE-2020-15586)

  - golang: ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs     (CVE-2020-16845)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Two issues have been found in golang-1.7, a Go programming language compiler version 1.7

CVE-2020-15586 Using the 100-continue in HTTP headers received by a net/http/Server can lead to a data race involving the connection's buffered writer.

CVE-2020-16845 Certain invalid inputs to ReadUvarint or ReadVarint could cause those functions to read an unlimited number of bytes from the ByteReader argument before returning an error.

For Debian 9 stretch, these problems have been fixed in version 1.7.4-2+deb9u2.

We recommend that you upgrade your golang-1.7 packages.

For the detailed security status of golang-1.7 please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/golang-1.7

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Three issues have been found in golang-1.8, a Go programming language compiler version 1.8

CVE-2020-15586 Using the 100-continue in HTTP headers received by a net/http/Server can lead to a data race involving the connection's buffered writer.

CVE-2020-16845 Certain invalid inputs to ReadUvarint or ReadVarint could cause those functions to read an unlimited number of bytes from the ByteReader argument before returning an error.

CVE-2020-28367 When using cgo, arbitrary code might be executed at build time.

For Debian 9 stretch, these problems have been fixed in version 1.8.1-1+deb9u2.

We recommend that you upgrade your golang-1.8 packages.

For the detailed security status of golang-1.8 please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/golang-1.8

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the golang packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - Go before 1.13.15 and 14.x before 1.14.7 can have an     infinite read loop in ReadUvarint and ReadVarint in     encoding/binary via invalid inputs.(CVE-2020-16845)

  - Go before 1.13.13 and 1.14.x before 1.14.5 has a data     race in some net/http servers, as demonstrated by the     httputil.ReverseProxy Handler, because it reads a     request body and writes a response at the same     time.(CVE-2020-15586)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:4214 advisory.

  - golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash     (CVE-2020-14040)

  - golang: data race in certain net/http servers including ReverseProxy can lead to DoS (CVE-2020-15586)

  - golang: ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs     (CVE-2020-16845)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to the versions of the golang packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - Go before 1.13.13 and 1.14.x before 1.14.5 has a data     race in some net/http servers, as demonstrated by the     httputil.ReverseProxy Handler, because it reads a     request body and writes a response at the same     time.(CVE-2020-15586)

  - Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10     pre-releases before Go 1.10rc2 allow 'go get' remote     command execution during source code build, by     leveraging the gcc or clang plugin feature, because
    -fplugin= and -plugin= arguments were not     blocked.(CVE-2018-6574)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for go1.14 fixes the following issues :

  - go1.14 was updated to version 1.14.7 

  - CVE-2020-16845: dUvarint and ReadVarint can read an     unlimited number of bytes from invalid inputs     (bsc#1174977).&#9; 

  - go1.14.6 (released 2020-07-16) includes fixes to the go     command, the compiler, the linker, vet, and the     database/sql, encoding/json, net/http, reflect, and     testing packages. Refs bsc#1164903 go1.14 release     tracking Refs bsc#1174153 bsc#1174191

  - go#39991 runtime: missing deferreturn on linux/ppc64le

  - go#39920 net/http: panic on misformed If-None-Match     Header with http.ServeContent

  - go#39849 cmd/compile: internal compile error when using     sync.Pool: mismatched zero/store sizes

  - go#39824 cmd/go: TestBuildIDContainsArchModeEnv/386     fails on linux/386 in Go 1.14 and 1.13, not 1.15

  - go#39698 reflect: panic from malloc after MakeFunc     function returns value that is also stored globally

  - go#39636 reflect: DeepEqual can return true for values     that are not equal

  - go#39585 encoding/json: incorrect object key     unmarshaling when using custom TextUnmarshaler as Key     with string va lues

  - go#39562 cmd/compile/internal/ssa:
    TestNexting/dlv-dbg-hist failing on linux-386-longtest     builder because it trie s to use an older version of dlv     which only supports linux/amd64

  - go#39308 testing: streaming output loses parallel     subtest associations

  - go#39288 cmd/vet: update for new number formats

  - go#39101 database/sql: context cancellation allows     statements to execute after rollback

  - go#38030 doc: BuildNameToCertificate deprecated in go     1.14 not mentioned in the release notes

  - go#40212 net/http: Expect 100-continue panics in     httputil.ReverseProxy bsc#1174153 CVE-2020-15586

  - go#40210 crypto/x509: Certificate.Verify method     seemingly ignoring EKU requirements on Windows     bsc#1174191 CVE-2020-14039 (Windows only)

  - Add patch to ensure /etc/hosts is used if     /etc/nsswitch.conf is not present bsc#1172868     gh#golang/go#35305

This update was imported from the SUSE:SLE-15:Update update project.

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2020-3665 advisory.

  - The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the     UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker     could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an     infinite loop if the String function on the Decoder is called, or the Decoder is passed to     golang.org/x/text/transform.String. (CVE-2020-14040)

  - Go before 1.13.13 and 1.14.x before 1.14.5 has a data race in some net/http servers, as demonstrated by     the httputil.ReverseProxy Handler, because it reads a request body and writes a response at the same time.
    (CVE-2020-15586)

  - Go before 1.13.15 and 14.x before 1.14.7 can have an infinite read loop in ReadUvarint and ReadVarint in     encoding/binary via invalid inputs. (CVE-2020-16845)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:3665 advisory.

  - golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash     (CVE-2020-14040)

  - golang: data race in certain net/http servers including ReverseProxy can lead to DoS (CVE-2020-15586)

  - golang: ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs     (CVE-2020-16845)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

This update for go1.14 fixes the following issues :

go1.14 was updated to version 1.14.7

CVE-2020-16845: dUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs (bsc#1174977).

go1.14.6 (released 2020-07-16) includes fixes to the go command, the compiler, the linker, vet, and the database/sql, encoding/json, net/http, reflect, and testing packages. Refs bsc#1164903 go1.14 release tracking Refs bsc#1174153 bsc#1174191

  - go#39991 runtime: missing deferreturn on linux/ppc64le

  - go#39920 net/http: panic on misformed If-None-Match     Header with http.ServeContent

  - go#39849 cmd/compile: internal compile error when using     sync.Pool: mismatched zero/store sizes

  - go#39824 cmd/go: TestBuildIDContainsArchModeEnv/386     fails on linux/386 in Go 1.14 and 1.13, not 1.15

  - go#39698 reflect: panic from malloc after MakeFunc     function returns value that is also stored globally

  - go#39636 reflect: DeepEqual can return true for values     that are not equal

  - go#39585 encoding/json: incorrect object key     unmarshaling when using custom TextUnmarshaler as Key     with string va lues

  - go#39562 cmd/compile/internal/ssa:
    TestNexting/dlv-dbg-hist failing on linux-386-longtest     builder because it trie s to use an older version of dlv     which only supports linux/amd64

  - go#39308 testing: streaming output loses parallel     subtest associations

  - go#39288 cmd/vet: update for new number formats

  - go#39101 database/sql: context cancellation allows     statements to execute after rollback

  - go#38030 doc: BuildNameToCertificate deprecated in go     1.14 not mentioned in the release notes

  - go#40212 net/http: Expect 100-continue panics in     httputil.ReverseProxy bsc#1174153 CVE-2020-15586

  - go#40210 crypto/x509: Certificate.Verify method     seemingly ignoring EKU requirements on Windows     bsc#1174191 CVE-2020-14039 (Windows only)

Add patch to ensure /etc/hosts is used if /etc/nsswitch.conf is not present bsc#1172868 gh#golang/go#35305

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The version of tested product installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the ALAS-2020-1417 advisory.

  - Go before 1.13.13 and 1.14.x before 1.14.5 has a data race in some net/http servers, as demonstrated by     the httputil.ReverseProxy Handler, because it reads a request body and writes a response at the same time.
    (CVE-2020-15586)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of tested product installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2020-1479 advisory.

  - Go before 1.13.13 and 1.14.x before 1.14.5 has a data race in some net/http servers, as demonstrated by     the httputil.ReverseProxy Handler, because it reads a request body and writes a response at the same time.
    (CVE-2020-15586)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to the versions of the golang packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - Go before 1.13.13 and 1.14.x before 1.14.5 has a data     race in some net/http servers, as demonstrated by the     httputil.ReverseProxy Handler, because it reads a     request body and writes a response at the same     time.(CVE-2020-15586)

  - Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP     Request Smuggling.(CVE-2019-16276)

  - Go before 1.12.11 and 1.3.x before 1.13.2 can panic     upon an attempt to process network traffic containing     an invalid DSA public key. There are several attack     scenarios, such as traffic from a client to a server     that verifies client certificates.(CVE-2019-17596)

  - Go before 1.12.16 and 1.13.x before 1.13.7 (and the     crypto/cryptobyte package before     0.0.0-20200124225646-8b5121be2f68 for Go) allows     attacks on clients (resulting in a panic) via a     malformed X.509 certificate.(CVE-2020-7919)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

- Rebase to go1.13.14

  - Security fix for CVE-2020-15586

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

- Rebase to go1.14.6

  - Security fix for CVE-2020-15586

----

Rebase to go 1.14.4

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for go1.13 fixes the following issues :

  - go1.13.14 (released 2020/07/16) includes fixes to the     compiler, vet, and the database/sql, net/http, and     reflect packages Refs bsc#1149259 go1.13 release     tracking

  - go#39925 net/http: panic on misformed If-None-Match     Header with http.ServeContent

  - go#39848 cmd/compile: internal compile error when using     sync.Pool: mismatched zero/store sizes

  - go#39823 cmd/go: TestBuildIDContainsArchModeEnv/386     fails on linux/386 in Go 1.14 and 1.13, not 1.15

  - go#39697 reflect: panic from malloc after MakeFunc     function returns value that is also stored globally

  - go#39561 cmd/compile/internal/ssa:
    TestNexting/dlv-dbg-hist failing on linux-386-longtest     builder because it tries to use an older version of dlv     which only supports linux/amd64

  - go#39538 net: TestDialParallel is flaky on     windows-amd64-longtest

  - go#39287 cmd/vet: update for new number formats

  - go#40211 net/http: Expect 100-continue panics in     httputil.ReverseProxy bsc#1174153 CVE-2020-15586

  - go#40209 crypto/x509: Certificate.Verify method     seemingly ignoring EKU requirements on Windows     bsc#1174191 CVE-2020-14039 (Windows only)

  - go#38932 runtime: preemption in startTemplateThread may     cause infinite hang

  - go#36689 go/types, math/big: data race in go/types due     to math/big.Rat accessors unsafe for concurrent use

  - Add patch to ensure /etc/hosts is used if     /etc/nsswitch.conf is not present bsc#1172868     gh#golang/go#35305

This update was imported from the SUSE:SLE-15:Update update project.

ID	Name	Product	Family	Severity
143240	RHEL 7 / 8 : OpenShift Container Platform 4.5.20 packages and golang (RHSA-2020:5119)	Nessus	Red Hat Local Security Checks	medium
143170	Debian DLA-2459-1 : golang-1.7 security update	Nessus	Debian Local Security Checks	medium
143169	Debian DLA-2460-1 : golang-1.8 security update	Nessus	Debian Local Security Checks	high
142062	EulerOS 2.0 SP5 : golang (EulerOS-SA-2020-2247)	Nessus	Huawei Local Security Checks	medium
141307	RHEL 7 : go-toolset-1.13-golang (RHSA-2020:4214)	Nessus	Red Hat Local Security Checks	medium
140845	EulerOS 2.0 SP3 : golang (EulerOS-SA-2020-2078)	Nessus	Huawei Local Security Checks	medium
140570	openSUSE Security Update : go1.14 (openSUSE-2020-1407)	Nessus	SuSE Local Security Checks	medium
140569	openSUSE Security Update : go1.14 (openSUSE-2020-1405)	Nessus	SuSE Local Security Checks	medium
140524	Oracle Linux 8 : go-toolset:ol8 (ELSA-2020-3665)	Nessus	Oracle Linux Local Security Checks	medium
140391	RHEL 8 : go-toolset:rhel8 (RHSA-2020:3665)	Nessus	Red Hat Local Security Checks	medium
140387	SUSE SLED15 / SLES15 Security Update : go1.14 (SUSE-SU-2020:2562-1)	Nessus	SuSE Local Security Checks	medium
140092	Amazon Linux AMI : golang (ALAS-2020-1417)	Nessus	Amazon Linux Local Security Checks	medium
139857	Amazon Linux 2 : golang (ALAS-2020-1479)	Nessus	Amazon Linux Local Security Checks	medium
139134	EulerOS 2.0 SP8 : golang (EulerOS-SA-2020-1804)	Nessus	Huawei Local Security Checks	medium
139107	Fedora 31 : golang (2020-d75360e2b0)	Nessus	Fedora Local Security Checks	medium
139105	Fedora 32 : golang (2020-9cd1204ba0)	Nessus	Fedora Local Security Checks	medium
139020	openSUSE Security Update : go1.13 (openSUSE-2020-1095)	Nessus	SuSE Local Security Checks	medium
139015	openSUSE Security Update : go1.13 (openSUSE-2020-1087)	Nessus	SuSE Local Security Checks	medium

CVE-2020-15586

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins