Opened 4 weeks ago

Closed 3 weeks ago

#31454 closed defect (fixed)

Rebuild and redeploy broker and bridge using Go 1.11.13+ / 1.12.8+

Reported by: dcf
Owned by: phw
Priority: High
Milestone:
Component: Circumvention/Snowflake
Version:
Severity: Normal
Keywords:
Cc: arlolra, cohosh, phw, dcf
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

These versions fix a denial-of-service vulnerability in the HTTP/2 server code.

https://groups.google.com/d/msg/golang-announce/65QixT3tcmg/DrFiG6vvCwAJ

We have just released Go 1.12.8 and Go 1.11.13 to address recently reported security issues. We recommend that all users update to one of these releases (if you’re not sure which, choose Go 1.12.8).

  • net/http: Denial of Service vulnerabilities in the HTTP/2 implementation

net/http and golang.org/x/net/http2 servers that accept direct connections from untrusted clients could be remotely made to allocate an unlimited amount of memory, until the program crashes. Servers will now close connections if the send queue accumulates too many control messages.

The issues are CVE-2019-9512 and CVE-2019-9514, and Go issue golang.org/issue/33606.

This is also fixed in version v0.0.0-20190813141303-74dc4d7220e7 of golang.org/x/net/http2.

  • net/url: parsing validation issue

url.Parse would accept URLs with malformed hosts, such that the Host field could have arbitrary suffixes that would appear in neither Hostname() nor Port(), allowing authorization bypasses in certain applications. Note that URLs with invalid, not numeric ports will now return an error from url.Parse.

The issue is CVE-2019-14809 and Go issue golang.org/issue/29098.
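The net/url item in the quoted announcement is the one an application can also defend against on its own, whatever toolchain built it: an authorization check that compares only u.Hostname() against trusted names never sees bytes of the Host field that neither Hostname() nor Port() report. The following Go program is an added example, not part of this ticket or of the Snowflake code; the allowlist entry snowflake-broker.example and the sample URLs are constructed for illustration. It rebuilds the Host field from Hostname() and Port() and rejects any URL where the two do not match byte for byte, so a hostname allowlist keeps working even on a binary that has not yet been rebuilt with a fixed Go.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// errMalformedHost marks a Host field that Hostname() and Port() do not
// account for byte by byte.
var errMalformedHost = errors.New("malformed host")

// checkHost takes the raw Host field of a parsed URL and returns the
// hostname only if host is exactly hostname, hostname:port or [ipv6]:port
// with a purely numeric port. Any leftover suffix, stray bracket, empty
// host or non-numeric port is rejected, whichever net/url parsed it.
func checkHost(host string) (string, error) {
	if host == "" {
		return "", fmt.Errorf("%w: empty host", errMalformedHost)
	}
	u := url.URL{Host: host}
	hostname, port := u.Hostname(), u.Port()
	// Hostname() strips the brackets of an IPv6 literal, so any bracket
	// that survives is not part of a well-formed host.
	if hostname == "" || strings.ContainsAny(hostname, "[]") {
		return "", fmt.Errorf("%w: %q", errMalformedHost, host)
	}
	for i := 0; i < len(port); i++ {
		if port[i] < '0' || port[i] > '9' {
			return "", fmt.Errorf("%w: non-numeric port %q in %q", errMalformedHost, port, host)
		}
	}
	// Rebuild the Host field from what the accessors report and require
	// it to equal the original; anything they dropped shows up as a
	// mismatch here.
	var rebuilt string
	switch {
	case port != "":
		rebuilt = net.JoinHostPort(hostname, port) // re-brackets an IPv6 literal
	case strings.Contains(hostname, ":"):
		rebuilt = "[" + hostname + "]"
	default:
		rebuilt = hostname
	}
	if rebuilt != host {
		return "", fmt.Errorf("%w: %q is not hostname[:port]", errMalformedHost, host)
	}
	return hostname, nil
}

// hostAllowed parses raw and reports whether its host is in allowed. A
// parse error or a malformed host comes back as an error rather than as
// false, so a caller can log it apart from an ordinary deny.
func hostAllowed(raw string, allowed map[string]bool) (bool, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return false, err
	}
	hostname, err := checkHost(u.Host)
	if err != nil {
		return false, err
	}
	return allowed[strings.ToLower(hostname)], nil
}

func main() {
	// Constructed allowlist and inputs for this example.
	allowed := map[string]bool{"snowflake-broker.example": true}
	for _, raw := range []string{
		"https://snowflake-broker.example/",
		"https://snowflake-broker.example:443/client",
		"https://evil.example/",
		"https://[::1]:8080/",
		"https://snowflake-broker.example:abc/",
	} {
		ok, err := hostAllowed(raw, allowed)
		fmt.Printf("%-45s allowed=%v err=%v\n", raw, ok, err)
	}
}
```

checkHost works on the Host string rather than on the URL so it can also be applied to a Host header or to a value another component has already split out; on a fixed Go the non-numeric-port URL is refused by url.Parse itself, and on an unfixed one the rebuild comparison refuses it instead.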

Child Tickets

Change History (2)

comment:1 Changed 3 weeks ago by phw

Owner: set to phw
Status: new → assigned

comment:2 Changed 3 weeks ago by phw

Resolution: fixed
Status: assigned → closed

I compiled the new server and broker with go version 1.12.9 based on commit 0ef7c6f. I just updated both binaries based on our survival guides. The new SHA-1 hashes are:

  • Server: 9034b82e06ac2a206998630847afdaa52e7ffd00
  • Broker: fb7010e6d7382f76cf6f9d57dd715ed6da56a44a