MGASA-2020-0325
Vulnerability Summary
Timeline
Description
Updated golang packages fix security vulnerability Servers where the Handler concurrently reads the request body and writes a response can encounter a data race and crash. The httputil.ReverseProxy Handler is affected (CVE-2020-15586). Certain invalid inputs to ReadUvarint or ReadVarint could cause those functions to read an unlimited number of bytes from the ByteReader argument before returning an error. This could lead to processing more input than expected when the caller is reading directly from the network and depends on ReadUvarint and ReadVarint only consuming a small, bounded number of bytes, even from invalid inputs (CVE-2020-16845). The golang package has been updated to version 1.13.15, fixing these issues and containing several other bug fixes and enhancements. See the 1.13 release notes and other references for details.
Affected Systems
- mageia•golang
< 1.13.15-1.mga7
References (7)
- https://advisories.mageia.org/MGASA-2020-0325.html
- https://bugs.mageia.org/show_bug.cgi?id=27039
- https://golang.org/doc/go1.13
- https://golang.org/doc/devel/release.html#go1.13.minor
- https://groups.google.com/forum/?utm_medium=email&utm_source=footer#!msg/golang-announce/XZNfaiwgt2w/E6gHDs32AQAJ
- https://groups.google.com/forum/?utm_medium=email&utm_source=footer#!topic/golang-announce/NyPIaucMgXo
- https://lists.opensuse.org/opensuse-security-announce/2020-07/msg00082.html