Opened 2 weeks ago

Closed 3 days ago

#31889 closed defect (fixed)

Rebuild and redeploy broker and bridge using Go 1.12.10+ / 1.13.1+

Reported by: dcf
Owned by: cohosh
Priority: Medium
Milestone:
Component: Circumvention/Snowflake
Version:
Severity: Normal
Keywords:
Cc: arlolra, cohosh, phw, dcf
Actual Points: .2
Parent ID:
Points:
Reviewer:
Sponsor:

Description

https://groups.google.com/d/msg/golang-announce/cszieYyuL9Q/g4Z7pKaqAgAJ

We have just released Go 1.13.1 and Go 1.12.10 to address a recently reported security issue. We recommend that all affected users update to one of these releases (if you’re not sure which, choose Go 1.13.1).

net/http (through net/textproto) used to accept and normalize invalid HTTP/1.1 headers with a space before the colon, in violation of RFC 7230. If a Go server is used behind an uncommon reverse proxy that accepts and forwards but doesn't normalize such invalid headers, the reverse proxy and the server can interpret the headers differently. This can lead to filter bypasses or request smuggling, the latter if requests from separate clients are multiplexed onto the same upstream connection by the proxy. Such invalid headers are now rejected by Go servers, and passed without normalization to Go client applications.

The issue is CVE-2019-16276 and Go issue https://golang.org/issue/34540.

It doesn't look like this is urgent for us, given the details of our deployment.
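The parser disagreement the announcement describes, as an added Go example (not Snowflake code and not the standard library's own parser): a lenient parser that strips whitespace before the colon, as the pre-fix net/textproto and some proxies do, beside a strict RFC 7230 one that rejects the field-name; the sample request is constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// isTokenChar reports whether b is an RFC 7230 tchar; a space is not one.
func isTokenChar(b byte) bool {
	if b >= 'a' && b <= 'z' || b >= 'A' && b <= 'Z' || b >= '0' && b <= '9' {
		return true
	}
	return strings.IndexByte("!#$%&'*+-.^_`|~", b) >= 0
}

// parseHeaders reads the header block of a raw HTTP/1.1 request.
// normalize=true mimics the pre-fix behaviour: whitespace before the colon is
// stripped from the field-name. normalize=false rejects such names instead.
func parseHeaders(raw string, normalize bool) (map[string]string, error) {
	hdr := map[string]string{}
	for _, line := range strings.Split(raw, "\r\n")[1:] { // [0] is the request line
		if line == "" {
			break // blank line ends the header block
		}
		i := strings.IndexByte(line, ':')
		if i < 0 {
			return nil, fmt.Errorf("malformed header line %q", line)
		}
		name, value := line[:i], strings.TrimSpace(line[i+1:])
		if normalize {
			name = strings.TrimRight(name, " \t")
		}
		for j := 0; j < len(name); j++ {
			if !isTokenChar(name[j]) {
				return nil, fmt.Errorf("invalid field-name %q", name)
			}
		}
		hdr[strings.ToLower(name)] = value // lower-cased for lookup
	}
	return hdr, nil
}

// Constructed sample request: "Content-Length" has a space before the colon.
const sampleRequest = "POST / HTTP/1.1\r\nHost: example.invalid\r\nContent-Length : 5\r\n\r\nhello"

func main() {
	h, err := parseHeaders(sampleRequest, false)
	fmt.Println(h, err) // strict parse: h is nil, err names the bad field-name
}
```

A front-end that normalizes sees a Content-Length of 5 while a strict back-end sees no valid header at all, which is exactly the split the advisory warns can lead to filter bypass or request smuggling.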

Child Tickets

Change History (4)

comment:1 Changed 3 days ago by cohosh

Status: new → needs_review

I just updated both the snowflake broker and bridge using Go version 1.12.10.

This also deploys the changes in #30830. On restarting, I saw what I thought was an unusual number of TLS errors at the broker after the update:

2019/10/11 14:24:52 http2: server: error reading preface from client [scrubbed]: read tcp [scrubbed]->[scrubbed]: read: connection reset by peer
2019/10/11 14:24:53 http2: server: error reading preface from client [scrubbed]: read tcp [scrubbed]->[scrubbed]: read: connection reset by peer
2019/10/11 14:24:55 http2: server: error reading preface from client [scrubbed]: read tcp [scrubbed]->[scrubbed]: read: connection reset by peer
2019/10/11 14:24:57 http: TLS handshake error from [scrubbed]: EOF
2019/10/11 14:24:57 http: TLS handshake error from [scrubbed]: EOF
2019/10/11 14:24:58 http2: server: error reading preface from client [scrubbed]: read tcp [scrubbed]->[scrubbed]: read: connection reset by peer
2019/10/11 14:25:03 http2: received GOAWAY [FrameHeader GOAWAY len=8], starting graceful shutdown

But after restarting with the old broker version again, it looks like about the same amount we were getting, just the errors weren't being drowned out by other messages in the logs.

I did confirm that I can bootstrap a full client connection with the new versions of both the bridge and broker.

comment:2 Changed 3 days ago by cohosh

Actual Points: .2
Owner: set to cohosh
Status: needs_review → assigned

comment:3 Changed 3 days ago by cohosh

Status: assigned → needs_review

comment:4 Changed 3 days ago by dcf

Resolution: fixed
Status: needs_review → closed

Thanks for taking care of this.

It took me about 10 tries to get a working proxy, but then I was able to bootstrap through it.
