Skip to content
Snippets Groups Projects
New look: Off

Redeploy meek-server instances using Go 1.12.10+ / 1.13.1+

    • Closed (moved) Issue created by David Fifield @dcf

    https://groups.google.com/d/msg/golang-announce/cszieYyuL9Q/g4Z7pKaqAgAJ

    We have just released Go 1.13.1 and Go 1.12.10 to address a recently reported security issue. We recommend that all affected users update to one of these releases (if you’re not sure which, choose Go 1.13.1).

    net/http (through net/textproto) used to accept and normalize invalid HTTP/1.1 headers with a space before the colon, in violation of RFC 7230. If a Go server is used behind an uncommon reverse proxy that accepts and forwards but doesn't normalize such invalid headers, the reverse proxy and the server can interpret the headers differently. This can lead to filter bypasses or request smuggling, the latter if requests from separate clients are multiplexed onto the same upstream connection by the proxy. Such invalid headers are now rejected by Go servers, and passed without normalization to Go client applications.

    The issue is CVE-2019-16276 and Go issue https://golang.org/issue/34540.

    We need to redeploy the following servers:

    • cymrubridge02 (backend for meek-azure, run by inf0)
    • BridgeDB Moat (run by phw)
    • starman (throttled meek.bamsoftware.com, run by dcf)
    • maenad (unthrottled meek.bamsoftware.com, run by dcf)
    • GAEuploader (gaeuploader.meek.bamsoftware.com, run by dcf)

    The Moat configuration uses a reverse proxy, so this is perhaps relevant to us.

    To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information

    Child items 0

    • No child items are currently assigned. Use child items to break down this issue into smaller parts.

    Activity

    • David Fifield added component::circumvention/meek owner::inf0 priority::high resolution::fixed severity::normal status::closed type::task labels

      added component::circumvention/meek owner::inf0 priority::high resolution::fixed severity::normal status::closed type::task labels

    • Philipp Winter
      Philipp Winter @phw ·

      I recompiled and redeployed meek-server based on commit ec018dd using golang in version 1.13.1. The SHA-256 hash of the resulting binary is 14a0691f43129dfc5d1fe053a04844b27d964664837dd3c7a5cdce2f1873bf41.

    • Philipp Winter
      Philipp Winter @phw ·

      Trac:
      Description: https://groups.google.com/d/msg/golang-announce/cszieYyuL9Q/g4Z7pKaqAgAJ

      We have just released Go 1.13.1 and Go 1.12.10 to address a recently reported security issue. We recommend that all affected users update to one of these releases (if you’re not sure which, choose Go 1.13.1).

      net/http (through net/textproto) used to accept and normalize invalid HTTP/1.1 headers with a space before the colon, in violation of RFC 7230. If a Go server is used behind an uncommon reverse proxy that accepts and forwards but doesn't normalize such invalid headers, the reverse proxy and the server can interpret the headers differently. This can lead to filter bypasses or request smuggling, the latter if requests from separate clients are multiplexed onto the same upstream connection by the proxy. Such invalid headers are now rejected by Go servers, and passed without normalization to Go client applications.

      The issue is CVE-2019-16276 and Go issue https://golang.org/issue/34540.

      We need to redeploy the following servers:

      • cymrubridge02 (backend for meek-azure, run by inf0)
      • BridgeDB Moat (run by phw)
      • starman (throttled meek.bamsoftware.com, run by dcf)
      • maenad (unthrottled meek.bamsoftware.com, run by dcf)
      • GAEuploader (gaeuploader.meek.bamsoftware.com, run by dcf)

      The Moat configuration uses a reverse proxy, so this is perhaps relevant to us.

      to

      https://groups.google.com/d/msg/golang-announce/cszieYyuL9Q/g4Z7pKaqAgAJ

      We have just released Go 1.13.1 and Go 1.12.10 to address a recently reported security issue. We recommend that all affected users update to one of these releases (if you’re not sure which, choose Go 1.13.1).

      net/http (through net/textproto) used to accept and normalize invalid HTTP/1.1 headers with a space before the colon, in violation of RFC 7230. If a Go server is used behind an uncommon reverse proxy that accepts and forwards but doesn't normalize such invalid headers, the reverse proxy and the server can interpret the headers differently. This can lead to filter bypasses or request smuggling, the latter if requests from separate clients are multiplexed onto the same upstream connection by the proxy. Such invalid headers are now rejected by Go servers, and passed without normalization to Go client applications.

      The issue is CVE-2019-16276 and Go issue https://golang.org/issue/34540.

      We need to redeploy the following servers:

      • cymrubridge02 (backend for meek-azure, run by inf0)
      • BridgeDB Moat (run by phw)
      • starman (throttled meek.bamsoftware.com, run by dcf)
      • maenad (unthrottled meek.bamsoftware.com, run by dcf)
      • GAEuploader (gaeuploader.meek.bamsoftware.com, run by dcf)

      The Moat configuration uses a reverse proxy, so this is perhaps relevant to us.

    • D
      David Fifield @dcf ·
      Author

      Trac:
      Owner: N/A to dcf
      Status: new to assigned

    • D
      David Fifield @dcf ·
      Author

      I redeployed my meek-server instances using go1.12.10 at about 2019-10-10 21:30:00.

      Trac:
      Owner: dcf to inf0
      Description: https://groups.google.com/d/msg/golang-announce/cszieYyuL9Q/g4Z7pKaqAgAJ

      We have just released Go 1.13.1 and Go 1.12.10 to address a recently reported security issue. We recommend that all affected users update to one of these releases (if you’re not sure which, choose Go 1.13.1).

      net/http (through net/textproto) used to accept and normalize invalid HTTP/1.1 headers with a space before the colon, in violation of RFC 7230. If a Go server is used behind an uncommon reverse proxy that accepts and forwards but doesn't normalize such invalid headers, the reverse proxy and the server can interpret the headers differently. This can lead to filter bypasses or request smuggling, the latter if requests from separate clients are multiplexed onto the same upstream connection by the proxy. Such invalid headers are now rejected by Go servers, and passed without normalization to Go client applications.

      The issue is CVE-2019-16276 and Go issue https://golang.org/issue/34540.

      We need to redeploy the following servers:

      • cymrubridge02 (backend for meek-azure, run by inf0)
      • BridgeDB Moat (run by phw)
      • starman (throttled meek.bamsoftware.com, run by dcf)
      • maenad (unthrottled meek.bamsoftware.com, run by dcf)
      • GAEuploader (gaeuploader.meek.bamsoftware.com, run by dcf)

      The Moat configuration uses a reverse proxy, so this is perhaps relevant to us.

      to

      https://groups.google.com/d/msg/golang-announce/cszieYyuL9Q/g4Z7pKaqAgAJ

      We have just released Go 1.13.1 and Go 1.12.10 to address a recently reported security issue. We recommend that all affected users update to one of these releases (if you’re not sure which, choose Go 1.13.1).

      net/http (through net/textproto) used to accept and normalize invalid HTTP/1.1 headers with a space before the colon, in violation of RFC 7230. If a Go server is used behind an uncommon reverse proxy that accepts and forwards but doesn't normalize such invalid headers, the reverse proxy and the server can interpret the headers differently. This can lead to filter bypasses or request smuggling, the latter if requests from separate clients are multiplexed onto the same upstream connection by the proxy. Such invalid headers are now rejected by Go servers, and passed without normalization to Go client applications.

      The issue is CVE-2019-16276 and Go issue https://golang.org/issue/34540.

      We need to redeploy the following servers:

      • cymrubridge02 (backend for meek-azure, run by inf0)
      • BridgeDB Moat (run by phw)
      • starman (throttled meek.bamsoftware.com, run by dcf)
      • maenad (unthrottled meek.bamsoftware.com, run by dcf)
      • GAEuploader (gaeuploader.meek.bamsoftware.com, run by dcf)

      The Moat configuration uses a reverse proxy, so this is perhaps relevant to us.

    • Sina Rabbani
      Sina Rabbani @sina ·

      Redeployed meek-server with updated go: go version go1.13.4 linux/amd64

      --Sina

    • Philipp Winter
      Philipp Winter @phw ·

      Replying to sina:

      Redeployed meek-server with updated go: go version go1.13.4 linux/amd64

      Thanks, Sina! Time to close this ticket.

      Trac:
      Status: assigned to closed
      Description: https://groups.google.com/d/msg/golang-announce/cszieYyuL9Q/g4Z7pKaqAgAJ

      We have just released Go 1.13.1 and Go 1.12.10 to address a recently reported security issue. We recommend that all affected users update to one of these releases (if you’re not sure which, choose Go 1.13.1).

      net/http (through net/textproto) used to accept and normalize invalid HTTP/1.1 headers with a space before the colon, in violation of RFC 7230. If a Go server is used behind an uncommon reverse proxy that accepts and forwards but doesn't normalize such invalid headers, the reverse proxy and the server can interpret the headers differently. This can lead to filter bypasses or request smuggling, the latter if requests from separate clients are multiplexed onto the same upstream connection by the proxy. Such invalid headers are now rejected by Go servers, and passed without normalization to Go client applications.

      The issue is CVE-2019-16276 and Go issue https://golang.org/issue/34540.

      We need to redeploy the following servers:

      • cymrubridge02 (backend for meek-azure, run by inf0)
      • BridgeDB Moat (run by phw)
      • starman (throttled meek.bamsoftware.com, run by dcf)
      • maenad (unthrottled meek.bamsoftware.com, run by dcf)
      • GAEuploader (gaeuploader.meek.bamsoftware.com, run by dcf)

      The Moat configuration uses a reverse proxy, so this is perhaps relevant to us.

      to

      https://groups.google.com/d/msg/golang-announce/cszieYyuL9Q/g4Z7pKaqAgAJ

      We have just released Go 1.13.1 and Go 1.12.10 to address a recently reported security issue. We recommend that all affected users update to one of these releases (if you’re not sure which, choose Go 1.13.1).

      net/http (through net/textproto) used to accept and normalize invalid HTTP/1.1 headers with a space before the colon, in violation of RFC 7230. If a Go server is used behind an uncommon reverse proxy that accepts and forwards but doesn't normalize such invalid headers, the reverse proxy and the server can interpret the headers differently. This can lead to filter bypasses or request smuggling, the latter if requests from separate clients are multiplexed onto the same upstream connection by the proxy. Such invalid headers are now rejected by Go servers, and passed without normalization to Go client applications.

      The issue is CVE-2019-16276 and Go issue https://golang.org/issue/34540.

      We need to redeploy the following servers:

      • cymrubridge02 (backend for meek-azure, run by inf0)
      • BridgeDB Moat (run by phw)
      • starman (throttled meek.bamsoftware.com, run by dcf)
      • maenad (unthrottled meek.bamsoftware.com, run by dcf)
      • GAEuploader (gaeuploader.meek.bamsoftware.com, run by dcf)

      The Moat configuration uses a reverse proxy, so this is perhaps relevant to us.
      Resolution: N/A to fixed

    • Trac closed

      closed

    • Trac moved to tpo/anti-censorship/pluggable-transports/meek#31890 (closed)

      moved to tpo/anti-censorship/pluggable-transports/meek#31890 (closed)

    Please register or sign in to reply