Skip to content
Snippets Groups Projects
New look: Off

Redeploy meek-server instances using Go 1.11.13+ / 1.12.8+

    • Closed (moved) Issue created by David Fifield @dcf

    These versions fix a denial-of-service vulnerability in the HTTP/2 server code.

    https://groups.google.com/d/msg/golang-announce/65QixT3tcmg/DrFiG6vvCwAJ

    We have just released Go 1.12.8 and Go 1.11.13 to address recently reported security issues. We recommend that all users update to one of these releases (if you’re not sure which, choose Go 1.12.8).

    • net/http: Denial of Service vulnerabilities in the HTTP/2 implementation

      net/http and golang.org/x/net/http2 servers that accept direct connections from untrusted clients could be remotely made to allocate an unlimited amount of memory, until the program crashes. Servers will now close connections if the send queue accumulates too many control messages.

      The issues are CVE-2019-9512 and CVE-2019-9514, and Go issue golang.org/issue/33606.

      This is also fixed in version v0.0.0-20190813141303-74dc4d7220e7 of golang.org/x/net/http2.

    • net/url: parsing validation issue

      url.Parse would accept URLs with malformed hosts, such that the Host field could have arbitrary suffixes that would appear in neither Hostname() nor Port(), allowing authorization bypasses in certain applications. Note that URLs with invalid, not numeric ports will now return an error from url.Parse.

      The issue is CVE-2019-14809 and Go issue golang.org/issue/29098.

    We need to redeploy the following servers:

    • cymrubridge02 (backend for meek-azure, run by inf0)
    • BridgeDB Moat (run by sysrqb, phw)
    • starman (throttled meek.bamsoftware.com, run by dcf)
    • maenad (unthrottled meek.bamsoftware.com, run by dcf)
    • GAEuploader (gaeuploader.meek.bamsoftware.com, run by dcf)
    To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information

    Child items 0

    • No child items are currently assigned. Use child items to break down this issue into smaller parts.

    Activity

    • David Fifield added component::circumvention/meek owner::sina priority::high resolution::fixed severity::normal status::closed type::defect labels

      added component::circumvention/meek owner::sina priority::high resolution::fixed severity::normal status::closed type::defect labels

    • D
      David Fifield @dcf ·
      Author

      I deployed these three using go1.12.9 at 2019-08-26 16:42:00:

      • starman (throttled meek.bamsoftware.com, run by dcf)
      • maenad (unthrottled meek.bamsoftware.com, run by dcf)
      • GAEuploader (gaeuploader.meek.bamsoftware.com, run by dcf)

      Now passing the baton to phw and inf0 for:

      • cymrubridge02 (backend for meek-azure, run by inf0)
      • BridgeDB Moat (run by sysrqb, phw)

      Trac:
      Description: These versions fix a denial-of-service vulnerability in the HTTP/2 server code.

      https://groups.google.com/d/msg/golang-announce/65QixT3tcmg/DrFiG6vvCwAJ

      We have just released Go 1.12.8 and Go 1.11.13 to address recently reported security issues. We recommend that all users update to one of these releases (if you’re not sure which, choose Go 1.12.8).

      • net/http: Denial of Service vulnerabilities in the HTTP/2 implementation

        net/http and golang.org/x/net/http2 servers that accept direct connections from untrusted clients could be remotely made to allocate an unlimited amount of memory, until the program crashes. Servers will now close connections if the send queue accumulates too many control messages.

        The issues are CVE-2019-9512 and CVE-2019-9514, and Go issue golang.org/issue/33606.

        This is also fixed in version v0.0.0-20190813141303-74dc4d7220e7 of golang.org/x/net/http2.

      • net/url: parsing validation issue

        url.Parse would accept URLs with malformed hosts, such that the Host field could have arbitrary suffixes that would appear in neither Hostname() nor Port(), allowing authorization bypasses in certain applications. Note that URLs with invalid, not numeric ports will now return an error from url.Parse.

        The issue is CVE-2019-14809 and Go issue golang.org/issue/29098.

      We need to redeploy the following servers:

      • cymrubridge02 (backend for meek-azure, run by inf0)
      • BridgeDB Moat (run by sysrqb, phw)
      • starman (throttled meek.bamsoftware.com, run by dcf)
      • maenad (unthrottled meek.bamsoftware.com, run by dcf)
      • GAEuploader (gaeuploader.meek.bamsoftware.com, run by dcf)

      to

      These versions fix a denial-of-service vulnerability in the HTTP/2 server code.

      https://groups.google.com/d/msg/golang-announce/65QixT3tcmg/DrFiG6vvCwAJ

      We have just released Go 1.12.8 and Go 1.11.13 to address recently reported security issues. We recommend that all users update to one of these releases (if you’re not sure which, choose Go 1.12.8).

      • net/http: Denial of Service vulnerabilities in the HTTP/2 implementation

        net/http and golang.org/x/net/http2 servers that accept direct connections from untrusted clients could be remotely made to allocate an unlimited amount of memory, until the program crashes. Servers will now close connections if the send queue accumulates too many control messages.

        The issues are CVE-2019-9512 and CVE-2019-9514, and Go issue golang.org/issue/33606.

        This is also fixed in version v0.0.0-20190813141303-74dc4d7220e7 of golang.org/x/net/http2.

      • net/url: parsing validation issue

        url.Parse would accept URLs with malformed hosts, such that the Host field could have arbitrary suffixes that would appear in neither Hostname() nor Port(), allowing authorization bypasses in certain applications. Note that URLs with invalid, not numeric ports will now return an error from url.Parse.

        The issue is CVE-2019-14809 and Go issue golang.org/issue/29098.

      We need to redeploy the following servers:

      • cymrubridge02 (backend for meek-azure, run by inf0)
      • BridgeDB Moat (run by sysrqb, phw)
      • starman (throttled meek.bamsoftware.com, run by dcf)
      • maenad (unthrottled meek.bamsoftware.com, run by dcf)
      • GAEuploader (gaeuploader.meek.bamsoftware.com, run by dcf)
        Owner: dcf to phw
    • Philipp Winter
      Philipp Winter @phw ·

      Replying to dcf:

      • BridgeDB Moat (run by sysrqb, phw)

      I just compiled and deployed meek-server from commit 23cdaf6 using golang version 1.12.9. The binary's SHA-256 checksum is 4f18b4793f80a727433a3edfdaa82bb6b278baea6584c4adb3fc5256147dfecf. The update should have worked. I could request a batch of obfs4 bridges over moat.

    • D
      David Fifield @dcf ·
      Author

      Trac:
      Owner: phw to inf0
      Description: These versions fix a denial-of-service vulnerability in the HTTP/2 server code.

      https://groups.google.com/d/msg/golang-announce/65QixT3tcmg/DrFiG6vvCwAJ

      We have just released Go 1.12.8 and Go 1.11.13 to address recently reported security issues. We recommend that all users update to one of these releases (if you’re not sure which, choose Go 1.12.8).

      • net/http: Denial of Service vulnerabilities in the HTTP/2 implementation

        net/http and golang.org/x/net/http2 servers that accept direct connections from untrusted clients could be remotely made to allocate an unlimited amount of memory, until the program crashes. Servers will now close connections if the send queue accumulates too many control messages.

        The issues are CVE-2019-9512 and CVE-2019-9514, and Go issue golang.org/issue/33606.

        This is also fixed in version v0.0.0-20190813141303-74dc4d7220e7 of golang.org/x/net/http2.

      • net/url: parsing validation issue

        url.Parse would accept URLs with malformed hosts, such that the Host field could have arbitrary suffixes that would appear in neither Hostname() nor Port(), allowing authorization bypasses in certain applications. Note that URLs with invalid, not numeric ports will now return an error from url.Parse.

        The issue is CVE-2019-14809 and Go issue golang.org/issue/29098.

      We need to redeploy the following servers:

      • cymrubridge02 (backend for meek-azure, run by inf0)
      • BridgeDB Moat (run by sysrqb, phw)
      • starman (throttled meek.bamsoftware.com, run by dcf)
      • maenad (unthrottled meek.bamsoftware.com, run by dcf)
      • GAEuploader (gaeuploader.meek.bamsoftware.com, run by dcf)

      to

      These versions fix a denial-of-service vulnerability in the HTTP/2 server code.

      https://groups.google.com/d/msg/golang-announce/65QixT3tcmg/DrFiG6vvCwAJ

      We have just released Go 1.12.8 and Go 1.11.13 to address recently reported security issues. We recommend that all users update to one of these releases (if you’re not sure which, choose Go 1.12.8).

      • net/http: Denial of Service vulnerabilities in the HTTP/2 implementation

        net/http and golang.org/x/net/http2 servers that accept direct connections from untrusted clients could be remotely made to allocate an unlimited amount of memory, until the program crashes. Servers will now close connections if the send queue accumulates too many control messages.

        The issues are CVE-2019-9512 and CVE-2019-9514, and Go issue golang.org/issue/33606.

        This is also fixed in version v0.0.0-20190813141303-74dc4d7220e7 of golang.org/x/net/http2.

      • net/url: parsing validation issue

        url.Parse would accept URLs with malformed hosts, such that the Host field could have arbitrary suffixes that would appear in neither Hostname() nor Port(), allowing authorization bypasses in certain applications. Note that URLs with invalid, not numeric ports will now return an error from url.Parse.

        The issue is CVE-2019-14809 and Go issue golang.org/issue/29098.

      We need to redeploy the following servers:

      • cymrubridge02 (backend for meek-azure, run by inf0)
      • BridgeDB Moat (run by sysrqb, phw)
      • starman (throttled meek.bamsoftware.com, run by dcf)
      • maenad (unthrottled meek.bamsoftware.com, run by dcf)
      • GAEuploader (gaeuploader.meek.bamsoftware.com, run by dcf)
    • Sina Rabbani
      Sina Rabbani @sina ·

      I don't have access to the inf0 user, please make 'sina' own this so I can close.

      --Sina

    • D
      David Fifield @dcf ·
      Author

      Sorry about the username confusion. Changed the owner to sina.

      Trac:
      Cc: inf0, sysrqb, phw, dcf to inf0, sysrqb, phw, dcf, sina
      Owner: inf0 to sina

    • Philipp Winter
      Philipp Winter @phw ·

      Sina updated to go1.13.4 so we're all good.

      Trac:
      Status: assigned to closed
      Resolution: N/A to fixed
      Description: These versions fix a denial-of-service vulnerability in the HTTP/2 server code.

      https://groups.google.com/d/msg/golang-announce/65QixT3tcmg/DrFiG6vvCwAJ

      We have just released Go 1.12.8 and Go 1.11.13 to address recently reported security issues. We recommend that all users update to one of these releases (if you’re not sure which, choose Go 1.12.8).

      • net/http: Denial of Service vulnerabilities in the HTTP/2 implementation

        net/http and golang.org/x/net/http2 servers that accept direct connections from untrusted clients could be remotely made to allocate an unlimited amount of memory, until the program crashes. Servers will now close connections if the send queue accumulates too many control messages.

        The issues are CVE-2019-9512 and CVE-2019-9514, and Go issue golang.org/issue/33606.

        This is also fixed in version v0.0.0-20190813141303-74dc4d7220e7 of golang.org/x/net/http2.

      • net/url: parsing validation issue

        url.Parse would accept URLs with malformed hosts, such that the Host field could have arbitrary suffixes that would appear in neither Hostname() nor Port(), allowing authorization bypasses in certain applications. Note that URLs with invalid, not numeric ports will now return an error from url.Parse.

        The issue is CVE-2019-14809 and Go issue golang.org/issue/29098.

      We need to redeploy the following servers:

      • cymrubridge02 (backend for meek-azure, run by inf0)
      • BridgeDB Moat (run by sysrqb, phw)
      • starman (throttled meek.bamsoftware.com, run by dcf)
      • maenad (unthrottled meek.bamsoftware.com, run by dcf)
      • GAEuploader (gaeuploader.meek.bamsoftware.com, run by dcf)

      to

      These versions fix a denial-of-service vulnerability in the HTTP/2 server code.

      https://groups.google.com/d/msg/golang-announce/65QixT3tcmg/DrFiG6vvCwAJ

      We have just released Go 1.12.8 and Go 1.11.13 to address recently reported security issues. We recommend that all users update to one of these releases (if you’re not sure which, choose Go 1.12.8).

      • net/http: Denial of Service vulnerabilities in the HTTP/2 implementation

        net/http and golang.org/x/net/http2 servers that accept direct connections from untrusted clients could be remotely made to allocate an unlimited amount of memory, until the program crashes. Servers will now close connections if the send queue accumulates too many control messages.

        The issues are CVE-2019-9512 and CVE-2019-9514, and Go issue golang.org/issue/33606.

        This is also fixed in version v0.0.0-20190813141303-74dc4d7220e7 of golang.org/x/net/http2.

      • net/url: parsing validation issue

        url.Parse would accept URLs with malformed hosts, such that the Host field could have arbitrary suffixes that would appear in neither Hostname() nor Port(), allowing authorization bypasses in certain applications. Note that URLs with invalid, not numeric ports will now return an error from url.Parse.

        The issue is CVE-2019-14809 and Go issue golang.org/issue/29098.

      We need to redeploy the following servers:

      • cymrubridge02 (backend for meek-azure, run by inf0)
      • BridgeDB Moat (run by sysrqb, phw)
      • starman (throttled meek.bamsoftware.com, run by dcf)
      • maenad (unthrottled meek.bamsoftware.com, run by dcf)
      • GAEuploader (gaeuploader.meek.bamsoftware.com, run by dcf)
    • Trac closed

      closed

    • Trac moved to tpo/anti-censorship/pluggable-transports/meek#31455 (closed)

      moved to tpo/anti-censorship/pluggable-transports/meek#31455 (closed)

    Please register or sign in to reply