Debian Bug report logs -
#985025
golang-github-pires-go-proxyproto: CVE-2021-23351
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Go Packaging Team <team+pkg-go@tracker.debian.org>:
Bug#985025; Package src:golang-github-pires-go-proxyproto.
(Thu, 11 Mar 2021 21:03:09 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Go Packaging Team <team+pkg-go@tracker.debian.org>.
(Thu, 11 Mar 2021 21:03:09 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: golang-github-pires-go-proxyproto
Version: 0.4.1-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/pires/go-proxyproto/issues/69
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Hi,
The following vulnerability was published for golang-github-pires-go-proxyproto.
CVE-2021-23351[0]:
| The package github.com/pires/go-proxyproto before 0.5.0 are vulnerable
| to Denial of Service (DoS) via the parseVersion1() function. The
| reader in this package is a default bufio.Reader wrapping a net.Conn.
| It will read from the connection until it finds a newline. Since no
| limits are implemented in the code, a deliberately malformed V1 header
| could be used to exhaust memory in a server process using this code -
| and create a DoS. This can be exploited by sending a stream starting
| with PROXY and continuing to send data (which does not contain a
| newline) until the target stops acknowledging. The risk here is small,
| because only trusted sources should be allowed to send proxy protocol
| headers.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-23351
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23351
[1] https://github.com/pires/go-proxyproto/issues/69
[2] https://github.com/pires/go-proxyproto/commit/7f48261db810703d173f27f3309a808cc2b49b8b
[3] https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMPIRESGOPROXYPROTO-1081577
Regards,
Salvatore
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Fri Mar 12 09:36:45 2021;
Machine Name:
bembo
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon