Severity
Low
Vendor
Versions Affected
- Golang v1.4.2 and lower
Description
Several security issues were fixed in Go’s net/http package.
The CVE issue descriptions and fixes are linked below:
- CVE-2015-5739 – ‘Content Length’ treated as valid header: https://go-review.googlesource.com/#/c/11772/
- CVE-2015-5740 – Double Content-Length headers do not return a 400 error: https://go-review.googlesource.com/#/c/11810/
- CVE-2015-5741 – Additional hardening, not sending Content-Length w/Transfer-Encoding, Closing connections:
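
The three header-framing conditions named in the list above can be expressed as a strict check over a request's header lines. The following Go code is an added example, not the Go project's patch or Cloud Foundry code; the function name `checkFraming`, the reject-on-any-repeat policy and the sample headers are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// checkFraming takes the raw header lines of one request (constructed input,
// no request line or CRLFs) and returns every reason to answer 400.
func checkFraming(lines []string) []string {
	var problems, lengths []string
	hasTE := false
	for _, line := range lines {
		name, value, ok := strings.Cut(line, ":")
		if !ok {
			problems = append(problems, fmt.Sprintf("no colon in %q", line))
			continue
		}
		// CVE-2015-5739: "Content Length" must not pass as a header name.
		if name == "" || strings.ContainsAny(name, " \t") {
			problems = append(problems, fmt.Sprintf("invalid field name %q", name))
			continue
		}
		switch strings.ToLower(name) {
		case "content-length":
			lengths = append(lengths, strings.TrimSpace(value))
		case "transfer-encoding":
			hasTE = true
		}
	}
	// CVE-2015-5740: a repeated Content-Length is rejected (assumed strict policy).
	if len(lengths) > 1 {
		problems = append(problems, fmt.Sprintf("multiple Content-Length headers %q", lengths))
	}
	// CVE-2015-5741 hardening: Content-Length must not accompany Transfer-Encoding.
	if hasTE && len(lengths) > 0 {
		problems = append(problems, "Content-Length sent together with Transfer-Encoding")
	}
	return problems
}

func main() {
	// Constructed sample: one request that trips all three checks.
	sample := []string{"Host: example.test", "Content Length: 4",
		"Content-Length: 4", "Content-Length: 11", "Transfer-Encoding: chunked"}
	for _, p := range checkFraming(sample) {
		fmt.Println("400:", p)
	}
}
```

A check of this kind is useful as a regression test against a proxy or application front end after upgrading, since disagreement between two hops about which header frames the body is what makes these parsing gaps matter.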
Affected Products and Versions
Severity is low unless otherwise noted.
- BOSH: All versions of Cloud Foundry BOSH stemcells prior to v3094 are vulnerable to the aforementioned CVEs.
- Cloud Foundry Runtime: all versions of cf-release prior to 219 are vulnerable to the aforementioned CVEs.
- Go Buildpack: all versions of the buildpack prior to 1.6.2 contain a vulnerable version of Go.
Mitigation
Users of affected versions should apply the following mitigation:
- The Cloud Foundry project recommends that Cloud Foundry Deployments using BOSH stemcell v3093 or earlier upgrade to v3094 or later, which contain the patched versions of the Linux kernel to resolve the aforementioned CVEs.
- The Cloud Foundry project recommends that Cloud Foundry Deployments using cf-release 218 or lower upgrade to 219 or higher to resolve the aforementioned CVEs.
Credit
Jed Denlea and Régis Leroy