Name | CVE-2015-5740 |
Description | The net/http library in net/http/transfer.go in Go before 1.4.3 does not properly parse HTTP headers, which allows remote attackers to conduct HTTP request smuggling attacks via a request with two Content-length headers. |
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Debian Bugs | 795106 |
The table below lists information on source packages.
Source Package | Release | Version | Status |
---|---|---|---|
golang (PTS) | jessie, jessie (lts) | 2:1.3.3-1+deb8u5 | vulnerable |
The information below is based on the following data on fixed versions.
Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
---|---|---|---|---|---|---|
golang | source | (unstable) | 2:1.4.2-4 | 795106 |
[jessie] - golang <no-dsa> (Minor issue)
[wheezy] - golang <no-dsa> (Minor issue)
https://github.com/golang/go/commit/300d9a21583e7cf0149a778a0611e76ff7c6680f
https://github.com/golang/go/commit/143822585e32449860e624cace9d2e521deee62e
[jessie] - golang <ignored> (Minor issue, request smuggling, net/http server-side, go tooling not impacted, requires rebuilding reverse-dependencies)