[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-bugs] #31889 [Circumvention/Snowflake]: Rebuild and redeploy broker and bridge using Go 1.12.10+ / 1.13.1+

To: undisclosed-recipients: ;
Subject: [tor-bugs] #31889 [Circumvention/Snowflake]: Rebuild and redeploy broker and bridge using Go 1.12.10+ / 1.13.1+
From: "Tor Bug Tracker & Wiki" <blackhole@xxxxxxxxxxxxxx>
Date: Fri, 27 Sep 2019 20:55:12 -0000
Auto-submitted: auto-generated
Delivered-to: archiver@xxxxxxxx
Delivery-date: Fri, 27 Sep 2019 16:55:22 -0400
List-archive: <http://lists.torproject.org/pipermail/tor-bugs/>
List-help: <mailto:tor-bugs-request@lists.torproject.org?subject=help>
List-id: "auto: Tor bug tracker status mails" <tor-bugs.lists.torproject.org>
List-post: <mailto:tor-bugs@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=unsubscribe>
Reply-to: no-reply@xxxxxxxxxxxxxx, tor-assistants@xxxxxxxxxxxxxx
Sender: "tor-bugs" <tor-bugs-bounces@xxxxxxxxxxxxxxxxxxxx>

#31889: Rebuild and redeploy broker and bridge using Go 1.12.10+ / 1.13.1+
-----------------------------------------+--------------------
     Reporter:  dcf                      |      Owner:  (none)
         Type:  defect                   |     Status:  new
     Priority:  Medium                   |  Milestone:
    Component:  Circumvention/Snowflake  |    Version:
     Severity:  Normal                   |   Keywords:
Actual Points:                           |  Parent ID:
       Points:                           |   Reviewer:
      Sponsor:                           |
-----------------------------------------+--------------------
 https://groups.google.com/d/msg/golang-announce/cszieYyuL9Q/g4Z7pKaqAgAJ
 > We have just released Go 1.13.1 and Go 1.12.10 to address a recently
 reported security issue. We recommend that all affected users update to
 one of these releases (if you’re not sure which, choose Go 1.13.1).
 >
 > net/http (through net/textproto) used to accept and normalize invalid
 HTTP/1.1 headers with a space before the colon, in violation of RFC 7230.
 If a Go server is used behind an uncommon reverse proxy that accepts and
 forwards but doesn't normalize such invalid headers, the reverse proxy and
 the server can interpret the headers differently. This can lead to filter
 bypasses or [https://portswigger.net/blog/http-desync-attacks-request-
 smuggling-reborn request smuggling], the latter if requests from separate
 clients are multiplexed onto the same upstream connection by the proxy.
 Such invalid headers are now rejected by Go servers, and passed without
 normalization to Go client applications.
 >
 > The issue is CVE-2019-16276 and Go issue https://golang.org/issue/34540.

 It doesn't look like this is urgent for us, given the details of our
 deployment.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/31889>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Prev by Author: Re: [tor-bugs] #31886 [Applications/Tor Browser]: ko bundles are broken - XML Pasing Error
Next by Author: Re: [tor-bugs] #31324 [Applications/Tor Browser]: Spoof the Tor Browser time displayed to websites if clocks are wrong
Previous by thread: [tor-bugs] #31888 [Applications/Tor Browser]: Create unit test in wine to validate widl's output when building IA2Accessible interfaces
Next by thread: [tor-bugs] #31890 [Circumvention/meek]: Redeploy meek-server instances using Go 1.12.10+ / 1.13.1+
Index(es):
- Author
- Thread