CVE-2019-16276 log

Source
Severity High
Remote Yes
Type Access restriction bypass
Description
net/http (through net/textproto) in Go before 1.12.0 and 1.13.1 used to accept and normalize invalid HTTP/1.1 headers with a space before the colon, in violation of RFC 7230. If a Go server is used behind a reverse proxy that accepts and forwards but doesn't normalize such invalid headers, the reverse proxy and the server can interpret the headers differently. This can lead to filter bypasses or request smuggling, the latter if requests from separate clients are multiplexed onto the same connection by the proxy
Group Package Affected Fixed Severity Status Ticket
AVG-1050 go, go-pie 2:1.12.9-1 2:1.13.1-1 High Fixed
References
https://github.com/golang/go/issues/34540
https://groups.google.com/forum/#!msg/golang-announce/cszieYyuL9Q/g4Z7pKaqAgAJ
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LULL72EUUKIY4NWDZVJVN2LIB4MXHS5P/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q5MD2F7ATWSTB45ZJIPJHBAAHVRGRAKG/