[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-bugs] #31890 [Circumvention/meek]: Redeploy meek-server instances using Go 1.12.10+ / 1.13.1+
#31890: Redeploy meek-server instances using Go 1.12.10+ / 1.13.1+
--------------------------------+--------------------------
Reporter: dcf | Owner: inf0
Type: task | Status: assigned
Priority: High | Milestone:
Component: Circumvention/meek | Version:
Severity: Normal | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------------+--------------------------
Changes (by dcf):
* owner: dcf => inf0
Old description:
> https://groups.google.com/d/msg/golang-announce/cszieYyuL9Q/g4Z7pKaqAgAJ
> > We have just released Go 1.13.1 and Go 1.12.10 to address a recently
> reported security issue. We recommend that all affected users update to
> one of these releases (if you’re not sure which, choose Go 1.13.1).
> >
> > net/http (through net/textproto) used to accept and normalize invalid
> HTTP/1.1 headers with a space before the colon, in violation of RFC 7230.
> If a Go server is used behind an uncommon reverse proxy that accepts and
> forwards but doesn't normalize such invalid headers, the reverse proxy
> and the server can interpret the headers differently. This can lead to
> filter bypasses or [https://portswigger.net/blog/http-desync-attacks-
> request-smuggling-reborn request smuggling], the latter if requests from
> separate clients are multiplexed onto the same upstream connection by the
> proxy. Such invalid headers are now rejected by Go servers, and passed
> without normalization to Go client applications.
> >
> > The issue is CVE-2019-16276 and Go issue
> https://golang.org/issue/34540.
>
> We need to redeploy the following servers:
> * cymrubridge02 (backend for meek-azure, run by inf0)
> * ~~BridgeDB Moat (run by phw)~~
> * starman (throttled meek.bamsoftware.com, run by dcf)
> * maenad (unthrottled meek.bamsoftware.com, run by dcf)
> * GAEuploader (gaeuploader.meek.bamsoftware.com, run by dcf)
>
> The Moat configuration uses a reverse proxy, so this is perhaps relevant
> to us.
New description:
https://groups.google.com/d/msg/golang-announce/cszieYyuL9Q/g4Z7pKaqAgAJ
> We have just released Go 1.13.1 and Go 1.12.10 to address a recently
reported security issue. We recommend that all affected users update to
one of these releases (if you’re not sure which, choose Go 1.13.1).
>
> net/http (through net/textproto) used to accept and normalize invalid
HTTP/1.1 headers with a space before the colon, in violation of RFC 7230.
If a Go server is used behind an uncommon reverse proxy that accepts and
forwards but doesn't normalize such invalid headers, the reverse proxy and
the server can interpret the headers differently. This can lead to filter
bypasses or [https://portswigger.net/blog/http-desync-attacks-request-
smuggling-reborn request smuggling], the latter if requests from separate
clients are multiplexed onto the same upstream connection by the proxy.
Such invalid headers are now rejected by Go servers, and passed without
normalization to Go client applications.
>
> The issue is CVE-2019-16276 and Go issue https://golang.org/issue/34540.
We need to redeploy the following servers:
* cymrubridge02 (backend for meek-azure, run by inf0)
* ~~BridgeDB Moat (run by phw)~~
* ~~starman (throttled meek.bamsoftware.com, run by dcf)~~
* ~~maenad (unthrottled meek.bamsoftware.com, run by dcf)~~
* ~~GAEuploader (gaeuploader.meek.bamsoftware.com, run by dcf)~~
The Moat configuration uses a reverse proxy, so this is perhaps relevant
to us.
--
Comment:
I redeployed my meek-server instances using go1.12.10 at about 2019-10-10
21:30:00.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/31890#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs