[tor-bugs] #31889 [Circumvention/Snowflake]: Rebuild and redeploy broker and bridge using Go 1.12.10+ / 1.13.1+

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Sep 27 20:55:12 UTC 2019


#31889: Rebuild and redeploy broker and bridge using Go 1.12.10+ / 1.13.1+
-----------------------------------------+--------------------
     Reporter:  dcf                      |      Owner:  (none)
         Type:  defect                   |     Status:  new
     Priority:  Medium                   |  Milestone:
    Component:  Circumvention/Snowflake  |    Version:
     Severity:  Normal                   |   Keywords:
Actual Points:                           |  Parent ID:
       Points:                           |   Reviewer:
      Sponsor:                           |
-----------------------------------------+--------------------
 https://groups.google.com/d/msg/golang-announce/cszieYyuL9Q/g4Z7pKaqAgAJ
 > We have just released Go 1.13.1 and Go 1.12.10 to address a recently
 > reported security issue. We recommend that all affected users update to
 > one of these releases (if you’re not sure which, choose Go 1.13.1).
 >
 > net/http (through net/textproto) used to accept and normalize invalid
 > HTTP/1.1 headers with a space before the colon, in violation of RFC 7230.
 > If a Go server is used behind an uncommon reverse proxy that accepts and
 > forwards but doesn't normalize such invalid headers, the reverse proxy and
 > the server can interpret the headers differently. This can lead to filter
 > bypasses or [https://portswigger.net/blog/http-desync-attacks-request-smuggling-reborn request smuggling],
 > the latter if requests from separate clients are multiplexed onto the same
 > upstream connection by the proxy. Such invalid headers are now rejected by
 > Go servers, and passed without normalization to Go client applications.
 >
 > The issue is CVE-2019-16276 and Go issue https://golang.org/issue/34540.

 It doesn't look like this is urgent for us, given the details of our
 deployment.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/31889>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
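The following is an added example, not code from the ticket, the Go announcement, or the Snowflake project. It shows two checks an operator can run after rebuilding with a fixed toolchain: a plain scan of a raw request for header names with whitespace before the colon (the case the announcement describes), and a loopback probe that sends such a request to a local net/http server and confirms it answers 400 while a well-formed request still gets 200. The two request strings are constructed sample input; the function and constant names are this example's own.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed sample requests (not from the ticket): identical except that the
// second one has a space between the field name and the colon.
const (
	GoodRequest = "GET / HTTP/1.1\r\nHost: example.test\r\nX-Probe: 1\r\nConnection: close\r\n\r\n"
	BadRequest  = "GET / HTTP/1.1\r\nHost: example.test\r\nX-Probe : 1\r\nConnection: close\r\n\r\n"
)

// MalformedHeaderNames scans the header block of a raw HTTP/1.1 request and
// returns every field name that has whitespace before the colon: the lines a
// fixed Go server rejects and a non-normalising reverse proxy would otherwise
// forward unchanged.
func MalformedHeaderNames(raw string) []string {
	var bad []string
	lines := strings.Split(raw, "\r\n")
	for _, line := range lines[1:] { // lines[0] is the request line
		if line == "" {
			break // blank line ends the header block
		}
		i := strings.IndexByte(line, ':')
		if i < 0 {
			continue
		}
		name := line[:i]
		if strings.TrimRight(name, " \t") != name {
			bad = append(bad, name)
		}
	}
	return bad
}

// startEchoServer runs a net/http server on loopback that replies with the
// header names it parsed, so the server-side view of a request is visible.
func startEchoServer() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var names []string
		for name := range r.Header {
			names = append(names, name)
		}
		fmt.Fprint(w, strings.Join(names, ","))
	}))
}

// sendRaw writes a hand-built request over a plain TCP connection, bypassing
// the Go HTTP client (which would assemble the headers itself), and returns
// the status line of the reply.
func sendRaw(addr, rawRequest string) (string, error) {
	conn, err := net.Dial("tcp", addr)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	if _, err := conn.Write([]byte(rawRequest)); err != nil {
		return "", err
	}
	status, err := bufio.NewReader(conn).ReadString('\n')
	if err != nil {
		return "", err
	}
	return strings.TrimRight(status, "\r\n"), nil
}

// ServerRejectsSpaceBeforeColon reports whether the net/http server of the
// running toolchain answers 400 to BadRequest while still answering 200 to
// GoodRequest, which is the behaviour after the Go 1.12.10 / 1.13.1 fix.
func ServerRejectsSpaceBeforeColon() (bool, error) {
	srv := startEchoServer()
	defer srv.Close()
	addr := strings.TrimPrefix(srv.URL, "http://")

	goodStatus, err := sendRaw(addr, GoodRequest)
	if err != nil {
		return false, err
	}
	badStatus, err := sendRaw(addr, BadRequest)
	if err != nil {
		return false, err
	}
	return strings.HasPrefix(goodStatus, "HTTP/1.1 200") &&
		strings.HasPrefix(badStatus, "HTTP/1.1 400"), nil
}

func main() {
	fmt.Println("names with space before colon:", MalformedHeaderNames(BadRequest))
	ok, err := ServerRejectsSpaceBeforeColon()
	if err != nil {
		fmt.Println("probe failed:", err)
		return
	}
	fmt.Println("server rejects such headers:", ok)
}
```

Run it with the toolchain the broker and bridge were rebuilt with; a `false` from the probe means the binary was linked against an unfixed net/http and should be rebuilt before redeploying.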

