CESA-2016:1538 -- centos 7 golangID: oval:org.secpod.oval:def:203980 | Date: (C)2016-08-09 (M)2022-10-10 |
Class: PATCH | Family: unix |
The golang packages provide the Go programming language compiler. The following packages have been upgraded to a newer upstream version: golang . Security Fix: * An input-validation flaw was discovered in the Go programming language built in CGI implementation, which set the environment variable "HTTP_PROXY" using the incoming "Proxy" HTTP-request header. The environment variable "HTTP_PROXY" is used by numerous web clients, including Go"s net/http package, to specify a proxy server to use for HTTP and, in some cases, HTTPS requests. This meant that when a CGI-based web application ran, an attacker could specify a proxy server which the application then used for subsequent outgoing requests, allowing a man-in-the-middle attack. Red Hat would like to thank Scott Geary for reporting this issue.