CVE-2021-31525 log

Source
Severity Low
Remote Yes
Type Denial of service
Description
A security issue has been found in Go before version 1.16.4. ReadRequest and ReadResponse in net/http can hit an unrecoverable panic when reading a very large header (over 7MB on 64-bit architectures, or over 4MB on 32-bit ones). Transport and Client are vulnerable and the program can be made to crash by a malicious server. Server is not vulnerable by default, but can be if the default max header of 1MB is overridden by setting Server.MaxHeaderBytes to a higher value, in which case the program can be made to crash by a malicious client.
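The description above leaves an operator with two things to verify: whether the toolchain that built a binary is at or past the fixed release, and whether any http.Server in the code base has raised MaxHeaderBytes above the 1MB default that keeps the server side out of scope. The following Go program is an added audit example, not code from the advisory or from the Go project; it assumes the version threshold exactly as the advisory states it (1.16.4) and uses the real net/http constant http.DefaultMaxHeaderBytes (1 << 20) as the safe cap. The server configurations in main are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"runtime"
	"strconv"
	"strings"
)

// fixedVersion is the first release the advisory names as fixed (Go 1.16.4).
// The check follows the advisory text as written; it does not model other branches.
var fixedVersion = [3]int{1, 16, 4}

// parseGoVersion turns a runtime.Version()-style string such as "go1.16.3"
// into numeric components. Pre-release suffixes ("rc1", "beta2") are dropped;
// development builds ("devel ...") and anything unparsable are reported as an
// error so that the caller cannot mistake them for a fixed release.
func parseGoVersion(v string) ([3]int, error) {
	var out [3]int
	v = strings.TrimPrefix(v, "go")
	for _, sep := range []string{"rc", "beta"} {
		if i := strings.Index(v, sep); i >= 0 {
			v = v[:i]
		}
	}
	parts := strings.Split(v, ".")
	if len(parts) < 2 || len(parts) > 3 {
		return out, fmt.Errorf("unrecognised Go version %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return out, fmt.Errorf("unrecognised Go version %q: %w", v, err)
		}
		out[i] = n
	}
	return out, nil
}

// RuntimeIsFixed reports whether a Go version string is at or past 1.16.4.
func RuntimeIsFixed(version string) (bool, error) {
	v, err := parseGoVersion(version)
	if err != nil {
		return false, err
	}
	for i := range v {
		if v[i] != fixedVersion[i] {
			return v[i] > fixedVersion[i], nil
		}
	}
	return true, nil
}

// ServerHeaderLimitIsSafe reports whether an http.Server keeps the 1MB header
// cap the advisory relies on. A zero MaxHeaderBytes means net/http applies
// http.DefaultMaxHeaderBytes; a larger explicit value re-exposes the server to
// the panic on an unpatched toolchain.
func ServerHeaderLimitIsSafe(srv *http.Server) bool {
	return srv.MaxHeaderBytes <= http.DefaultMaxHeaderBytes
}

func main() {
	fixed, err := RuntimeIsFixed(runtime.Version())
	fmt.Printf("toolchain %s at or past 1.16.4: %v (err=%v)\n", runtime.Version(), fixed, err)

	// Constructed configurations: the default cap, and an override large enough
	// to reach the 7MB threshold the advisory describes for 64-bit builds.
	defaultCap := &http.Server{Addr: ":8080"}
	raisedCap := &http.Server{Addr: ":8080", MaxHeaderBytes: 8 << 20}
	fmt.Println("default server keeps 1MB cap:", ServerHeaderLimitIsSafe(defaultCap))
	fmt.Println("8MB header cap keeps 1MB cap:", ServerHeaderLimitIsSafe(raisedCap))
}
```

Run it with `go run` on the toolchain in question; the first line tells you whether that toolchain needs the package update listed below, and ServerHeaderLimitIsSafe can be applied to every http.Server a code base constructs to find the overrides that turn the server side into a crash target.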
Group     Package              Affected        Fixed       Severity  Status      Ticket
AVG-1933  golang-golang-x-net  0.0.20191210-2              Low       Vulnerable
AVG-1927  go                   2:1.16.3-1      2:1.16.4-1  Low       Fixed
References
https://groups.google.com/g/golang-announce/c/cu9SP4eSXMc
https://github.com/golang/go/issues/45710
https://github.com/golang/net/commit/89ef3d95e781148a0951956029c92a211477f7f9
https://github.com/golang/go/commit/d4adea20f01627098936e050d3a73922f7ebe08f