CVE-2021-31525 log

Source	CVE Red Hat MITRE NVD Debian Ubuntu SUSE Alpine Mageia CVE Details CIRCL Bugs Arch Linux Red Hat Gentoo SUSE GitHub Lists oss-security full-disclosure bugtraq Misc GitHub code web search
Severity	Low
Remote	Yes
Type	Denial of service
Description	A security issue has been found in Go before version 1.16.4. ReadRequest and ReadResponse in net/http can hit an unrecoverable panic when reading a very large header (over 7MB on 64-bit architectures, or over 4MB on 32-bit ones). Transport and Client are vulnerable and the program can be made to crash by a malicious server. Server is not vulnerable by default, but can be if the default max header of 1MB is overridden by setting Server.MaxHeaderBytes to a higher value, in which case the program can be made to crash by a malicious client.

Group	Package	Affected	Fixed	Severity	Status	Ticket
AVG-1933	golang-golang-x-net	0.0.20191210-2		Low	Unknown
AVG-1927	go	2:1.16.3-1	2:1.16.4-1	Low	Fixed

References
https://groups.google.com/g/golang-announce/c/cu9SP4eSXMc https://github.com/golang/go/issues/45710 https://github.com/golang/net/commit/89ef3d95e781148a0951956029c92a211477f7f9 https://github.com/golang/go/commit/d4adea20f01627098936e050d3a73922f7ebe08f

References

https://groups.google.com/g/golang-announce/c/cu9SP4eSXMc
https://github.com/golang/go/issues/45710
https://github.com/golang/net/commit/89ef3d95e781148a0951956029c92a211477f7f9
https://github.com/golang/go/commit/d4adea20f01627098936e050d3a73922f7ebe08f