Scientific Linux Security Update : golang on SL7.x x86_64 (httpoxy)

This script is Copyright (C) 2016 Tenable Network Security, Inc.


Synopsis :

The remote Scientific Linux host is missing one or more security
updates.

Description :

The following packages have been upgraded to a newer upstream version:
golang (1.6.3).

Security Fix(es) :

- An input-validation flaw was discovered in the Go
programming language built in CGI implementation, which
set the environment variable 'HTTP_PROXY' using the
incoming 'Proxy' HTTP-request header. The environment
variable 'HTTP_PROXY' is used by numerous web clients,
including Go's net/http package, to specify a proxy
server to use for HTTP and, in some cases, HTTPS
requests. This meant that when a CGI-based web
application ran, an attacker could specify a proxy
server which the application then used for subsequent
outgoing requests, allowing a man-in- the-middle attack.
(CVE-2016-5386)

See also :

http://www.nessus.org/u?8344bac0

Solution :

Update the affected packages.

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)

Family: Scientific Linux Local Security Checks

Nessus Plugin ID: 92722 ()

Bugtraq ID:

CVE ID: CVE-2016-5386

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now