Opened 10 months ago

Closed 9 months ago

#31890 closed task (fixed)

Redeploy meek-server instances using Go 1.12.10+ / 1.13.1+

Reported by: dcf Owned by: inf0
Priority: High Milestone:
Component: Circumvention/meek Version:
Severity: Normal Keywords:
Cc: inf0, phw, dcf Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description (last modified by phw)

We have just released Go 1.13.1 and Go 1.12.10 to address a recently reported security issue. We recommend that all affected users update to one of these releases (if you’re not sure which, choose Go 1.13.1).

net/http (through net/textproto) used to accept and normalize invalid HTTP/1.1 headers with a space before the colon, in violation of RFC 7230. If a Go server is used behind an uncommon reverse proxy that accepts and forwards but doesn't normalize such invalid headers, the reverse proxy and the server can interpret the headers differently. This can lead to filter bypasses or request smuggling, the latter if requests from separate clients are multiplexed onto the same upstream connection by the proxy. Such invalid headers are now rejected by Go servers, and passed without normalization to Go client applications.

The issue is CVE-2019-16276 and Go issue

We need to redeploy the following servers:

  • cymrubridge02 (backend for meek-azure, run by inf0)
  • BridgeDB Moat (run by phw)
  • starman (throttled, run by dcf)
  • maenad (unthrottled, run by dcf)
  • GAEuploader (, run by dcf)

The Moat configuration uses a reverse proxy, so this is perhaps relevant to us.

Child Tickets

Change History (6)

comment:1 Changed 10 months ago by phw

I recompiled and redeployed meek-server based on commit ec018dd using golang in version 1.13.1. The SHA-256 hash of the resulting binary is 14a0691f43129dfc5d1fe053a04844b27d964664837dd3c7a5cdce2f1873bf41.

comment:2 Changed 10 months ago by phw

Description: modified (diff)

comment:3 Changed 10 months ago by dcf

Owner: set to dcf
Status: newassigned

comment:4 Changed 10 months ago by dcf

Description: modified (diff)
Owner: changed from dcf to inf0

I redeployed my meek-server instances using go1.12.10 at about 2019-10-10 21:30:00.

comment:5 Changed 9 months ago by sina

Redeployed meek-server with updated go:
go version go1.13.4 linux/amd64


comment:6 in reply to:  5 Changed 9 months ago by phw

Description: modified (diff)
Resolution: fixed
Status: assignedclosed

Replying to sina:

Redeployed meek-server with updated go:
go version go1.13.4 linux/amd64

Thanks, Sina! Time to close this ticket.

Note: See TracTickets for help on using tickets.