Opened 2 months ago

Last modified 7 weeks ago

#31455 assigned defect

Redeploy meek-server instances using Go 1.11.13+ / 1.12.8+

Reported by: dcf
Owned by: inf0
Priority: High
Milestone:
Component: Circumvention/meek
Version:
Severity: Normal
Keywords:
Cc: inf0, sysrqb, phw, dcf
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description (last modified by dcf)

These versions fix a denial-of-service vulnerability in the HTTP/2 server code.

https://groups.google.com/d/msg/golang-announce/65QixT3tcmg/DrFiG6vvCwAJ

We have just released Go 1.12.8 and Go 1.11.13 to address recently reported security issues. We recommend that all users update to one of these releases (if you’re not sure which, choose Go 1.12.8).

  • net/http: Denial of Service vulnerabilities in the HTTP/2 implementation

net/http and golang.org/x/net/http2 servers that accept direct connections from untrusted clients could be remotely made to allocate an unlimited amount of memory, until the program crashes. Servers will now close connections if the send queue accumulates too many control messages.

The issues are CVE-2019-9512 and CVE-2019-9514, and Go issue golang.org/issue/33606.

This is also fixed in version v0.0.0-20190813141303-74dc4d7220e7 of golang.org/x/net/http2.

  • net/url: parsing validation issue

url.Parse would accept URLs with malformed hosts, such that the Host field could have arbitrary suffixes that would appear in neither Hostname() nor Port(), allowing authorization bypasses in certain applications. Note that URLs with invalid, not numeric ports will now return an error from url.Parse.

The issue is CVE-2019-14809 and Go issue golang.org/issue/29098.

We need to redeploy the following servers:

  • cymrubridge02 (backend for meek-azure, run by inf0)
  • BridgeDB Moat (run by sysrqb, phw)
  • starman (throttled meek.bamsoftware.com, run by dcf)
  • maenad (unthrottled meek.bamsoftware.com, run by dcf)
  • GAEuploader (gaeuploader.meek.bamsoftware.com, run by dcf)
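
Added example (not part of the ticket or of meek-server): a Go check that a toolchain version string meets the minimums in the ticket title, applied in main to the toolchain that built the running binary. The function name hasHTTP2Fix and the handling of versions outside the 1.11 and 1.12 branches are assumptions, noted in the comments.

```go
package main

import (
	"fmt"
	"runtime"
	"strconv"
	"strings"
)

// hasHTTP2Fix reports whether a toolchain version string such as "go1.12.9"
// meets the ticket's minimums: 1.11.13+ on the 1.11 branch, 1.12.8+ on 1.12.
// Assumptions (not from the ticket): releases after 1.12 include the fix,
// releases before 1.11 never got it, and development or pre-release strings
// return an error so that a person checks them by hand.
func hasHTTP2Fix(version string) (bool, error) {
	fields := strings.Fields(version)
	if len(fields) == 0 || !strings.HasPrefix(fields[0], "go") {
		return false, fmt.Errorf("not a release version: %q", version)
	}
	parts := strings.Split(strings.TrimPrefix(fields[0], "go"), ".")
	if len(parts) < 2 || len(parts) > 3 {
		return false, fmt.Errorf("unexpected version format: %q", version)
	}
	nums := make([]int, 3) // major, minor, patch; "go1.12" means patch 0
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return false, fmt.Errorf("non-numeric component %q in %q", p, version)
		}
		nums[i] = n
	}
	major, minor, patch := nums[0], nums[1], nums[2]
	switch {
	case major != 1:
		return major > 1, nil
	case minor == 11:
		return patch >= 13, nil
	case minor == 12:
		return patch >= 8, nil
	default:
		return minor > 12, nil
	}
}

func main() {
	// runtime.Version is the toolchain that built the running binary.
	ok, err := hasHTTP2Fix(runtime.Version())
	fmt.Printf("built with %s: fixed=%v err=%v\n", runtime.Version(), ok, err)
}
```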

Change History (3)

comment:1 Changed 7 weeks ago by dcf

Description: modified (diff)
Owner: changed from dcf to phw

I deployed these three using go1.12.9 at 2019-08-26 16:42:00:

  • starman (throttled meek.bamsoftware.com, run by dcf)
  • maenad (unthrottled meek.bamsoftware.com, run by dcf)
  • GAEuploader (gaeuploader.meek.bamsoftware.com, run by dcf)

Now passing the baton to phw and inf0 for:

  • cymrubridge02 (backend for meek-azure, run by inf0)
  • BridgeDB Moat (run by sysrqb, phw)

comment:2 in reply to:  1 Changed 7 weeks ago by phw

Replying to dcf:

  • BridgeDB Moat (run by sysrqb, phw)


I just compiled and deployed meek-server from commit 23cdaf6 using golang version 1.12.9. The binary's SHA-256 checksum is 4f18b4793f80a727433a3edfdaa82bb6b278baea6584c4adb3fc5256147dfecf. The update should have worked. I could request a batch of obfs4 bridges over moat.

comment:3 Changed 7 weeks ago by dcf

Description: modified (diff)
Owner: changed from phw to inf0