Synopsis: Moderate: golang security, bug fix, and enhancement
Advisory ID: SLSA-2016:1538-1
Issue Date: 2016-08-03
CVE Numbers: CVE-2016-5386
—
The following packages have been upgraded to a newer upstream version:
golang (1.6.3).
Security Fix(es):
* An input-validation flaw was discovered in the Go programming language's
built-in CGI implementation, which set the environment variable
“HTTP_PROXY” using the incoming “Proxy” HTTP-request header. The
environment variable “HTTP_PROXY” is used by numerous web clients,
including Go’s net/http package, to specify a proxy server to use for HTTP
and, in some cases, HTTPS requests. This meant that when a CGI-based web
application ran, an attacker could specify a proxy server which the
application then used for subsequent outgoing requests, allowing a
man-in-the-middle attack. (CVE-2016-5386)
—
SL7
x86_64
golang-1.6.3-1.el7_2.1.x86_64.rpm
golang-bin-1.6.3-1.el7_2.1.x86_64.rpm
noarch
golang-docs-1.6.3-1.el7_2.1.noarch.rpm
golang-misc-1.6.3-1.el7_2.1.noarch.rpm
golang-src-1.6.3-1.el7_2.1.noarch.rpm
golang-tests-1.6.3-1.el7_2.1.noarch.rpm
– Scientific Linux Development Team