golang-1.11: CVE-2019-9741: CRLF injection in net/http

Debian Bug report logs - #924630
Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 15 Mar 2019 07:57:01 UTC

Severity: grave

Tags: security, upstream

Found in version golang-1.11/1.11.5-1

Fixed in version golang-1.11/1.11.6-1

Done: Michael Hudson-Doyle <mwhudson@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Go Compiler Team <team+go-compiler@tracker.debian.org>:
Bug#924630; Package src:golang-1.11. (Fri, 15 Mar 2019 07:57:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Go Compiler Team <team+go-compiler@tracker.debian.org>. (Fri, 15 Mar 2019 07:57:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: golang-1.11: CVE-2019-9741: CRLF injection in net/http
Date: Fri, 15 Mar 2019 08:55:48 +0100
Source: golang-1.11
Version: 1.11.5-1
Severity: grave
Tags: security upstream

Hi,

The following vulnerability was published for golang-1.11.

CVE-2019-9741[0]:
| An issue was discovered in net/http in Go 1.11.5. CRLF injection is
| possible if the attacker controls a url parameter, as demonstrated by
| the second argument to http.NewRequest with \r\n followed by an HTTP
| header or a Redis command.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-9741
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9741
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1688230

Regards,
Salvatore
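
As an added illustration (not part of the bug report or of the Go project's code), the following Go snippet shows the defensive pre-check a caller can apply when the URL passed to http.NewRequest is attacker-influenced, as the CVE text describes: raw CR, LF and other ASCII control bytes are rejected before the request is built, while percent-encoded sequences are allowed because they travel encoded. checkURL and newRequest are hypothetical helper names and the sample URLs are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
)

// ErrControlChar is returned when a raw URL contains a byte that, written
// unencoded to the wire, could end the request line or start a new header.
var ErrControlChar = errors.New("url contains ASCII control characters")

// checkURL rejects raw URLs containing CR, LF or any other ASCII control
// byte before they reach http.NewRequest. Percent-encoded sequences such as
// %0d%0a are left alone: they travel encoded and cannot split the request.
// The upstream fix shipped in 1.11.6 makes url.Parse refuse these bytes
// itself; this check keeps the policy explicit regardless of toolchain
// version (hypothetical helper, not Go's own API).
func checkURL(raw string) error {
	for i := 0; i < len(raw); i++ {
		if c := raw[i]; c < 0x20 || c == 0x7f {
			return fmt.Errorf("%w: byte 0x%02x at offset %d", ErrControlChar, c, i)
		}
	}
	_, err := url.Parse(raw)
	return err
}

// newRequest wraps http.NewRequest with the check above. In the CVE only the
// URL argument is attacker-influenced; method and body stay fixed.
func newRequest(method, raw string) (*http.Request, error) {
	if err := checkURL(raw); err != nil {
		return nil, err
	}
	return http.NewRequest(method, raw, nil)
}

func main() {
	// Constructed sample inputs: a clean URL, a percent-encoded CRLF (safe),
	// and a raw CRLF followed by an extra header line as in the CVE text.
	for _, u := range []string{
		"http://example.com/?q=1",
		"http://example.com/?q=%0d%0a",
		"http://example.com/?q=1\r\nX-Injected: 1",
	} {
		_, err := newRequest(http.MethodGet, u)
		fmt.Printf("%q -> %v\n", u, err)
	}
}
```

On a patched toolchain the third input is also refused by http.NewRequest itself, so the wrapper reports the rejection before and independently of the library's own parsing.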



Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#924630. (Sun, 17 Mar 2019 21:09:19 GMT)


Message #8 received at 924630-submitter@bugs.debian.org:

From: Michael Hudson-Doyle <noreply@salsa.debian.org>
To: 924630-submitter@bugs.debian.org
Subject: Bug #924630 in golang marked as pending
Date: Sun, 17 Mar 2019 21:05:54 +0000
Control: tag -1 pending

Hello,

Bug #924630 in golang reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/go-team/compiler/golang/commit/0c508f9cd760bd475f41b8d067359da313cbd05c

------------------------------------------------------------------------
New upstream version 1.11.6, fixing CVE-2019-9741. (Closes: #924630)

* New upstream version 1.11.6, fixing CVE-2019-9741. (Closes: #924630)
* Delete d/patches/0005-fix-MIPS-SGTconst-with-shift-rules.patch, applied
  upstream.
* Refreshed other patches.
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/924630



Added tag(s) pending. Request was from Michael Hudson-Doyle <noreply@salsa.debian.org> to 924630-submitter@bugs.debian.org. (Sun, 17 Mar 2019 21:09:19 GMT)




Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#924630. (Sun, 17 Mar 2019 21:15:12 GMT)


Message #16 received at 924630-submitter@bugs.debian.org:

From: Michael Hudson-Doyle <noreply@salsa.debian.org>
To: 924630-submitter@bugs.debian.org
Subject: Bug #924630 in golang marked as pending
Date: Sun, 17 Mar 2019 21:11:31 +0000
Control: tag -1 pending

Hello,

Bug #924630 in golang reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/go-team/compiler/golang/commit/71582deb22213b82603e44203245ada54977355f

------------------------------------------------------------------------
New upstream version 1.11.6, fixing CVE-2019-9741. (Closes: #924630)

* New upstream version 1.11.6, fixing CVE-2019-9741. (Closes: #924630)
* Delete d/patches/0005-fix-MIPS-SGTconst-with-shift-rules.patch, applied
  upstream.
* Refreshed other patches.
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/924630





Reply sent to Michael Hudson-Doyle <mwhudson@debian.org>:
You have taken responsibility. (Sun, 17 Mar 2019 21:39:11 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 17 Mar 2019 21:39:12 GMT)


Message #24 received at 924630-close@bugs.debian.org:

From: Michael Hudson-Doyle <mwhudson@debian.org>
To: 924630-close@bugs.debian.org
Subject: Bug#924630: fixed in golang-1.11 1.11.6-1
Date: Sun, 17 Mar 2019 21:34:53 +0000
Source: golang-1.11
Source-Version: 1.11.6-1

We believe that the bug you reported is fixed in the latest version of
golang-1.11, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 924630@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Hudson-Doyle <mwhudson@debian.org> (supplier of updated golang-1.11 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Mon, 18 Mar 2019 09:37:17 +1300
Source: golang-1.11
Binary: golang-1.11-go golang-1.11-src golang-1.11-doc golang-1.11
Architecture: source
Version: 1.11.6-1
Distribution: unstable
Urgency: medium
Maintainer: Go Compiler Team <team+go-compiler@tracker.debian.org>
Changed-By: Michael Hudson-Doyle <mwhudson@debian.org>
Description:
 golang-1.11 - Go programming language compiler - metapackage
 golang-1.11-doc - Go programming language - documentation
 golang-1.11-go - Go programming language compiler, linker, compiled stdlib
 golang-1.11-src - Go programming language - source files
Closes: 924630
Changes:
 golang-1.11 (1.11.6-1) unstable; urgency=medium
 .
   * New upstream version 1.11.6, fixing CVE-2019-9741. (Closes: #924630)
   * Delete d/patches/0005-fix-MIPS-SGTconst-with-shift-rules.patch, applied
     upstream.
   * Refreshed other patches.





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 25 Apr 2019 07:26:32 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:33:06 2019; Machine Name: buxtehude