Описание
The HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional headers or entire requests. With fix, the HTTP/1 client now refuses to send requests containing an invalid Request.Host or Request.URL.Host value.
Пакеты
| Пакет | Статус | Версия исправления | Релиз | Тип |
|---|---|---|---|---|
| golang-1.20 | fixed | 1.20.6-1 | package | |
| golang-1.19 | fixed | 1.19.11-1 | package | |
| golang-1.19 | no-dsa | bookworm | package | |
| golang-1.15 | removed | package | ||
| golang-1.15 | no-dsa | bullseye | package | |
| golang-1.11 | removed | package | ||
| golang-1.11 | postponed | buster | package |
Примечания
https://groups.google.com/g/golang-announce/c/2q13H6LEEx0
https://github.com/golang/go/issues/60374
https://github.com/golang/go/commit/312920c00aac9897b2a0693e752390b5b0711a5a (go1.20.6)
https://github.com/golang/go/commit/5fa6923b1ea891400153d04ddf1545e23b40041b (go1.19.11)
EPSS
Связанные уязвимости
The HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional headers or entire requests. With fix, the HTTP/1 client now refuses to send requests containing an invalid Request.Host or Request.URL.Host value.
The HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional headers or entire requests. With fix, the HTTP/1 client now refuses to send requests containing an invalid Request.Host or Request.URL.Host value.
The HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional headers or entire requests. With fix, the HTTP/1 client now refuses to send requests containing an invalid Request.Host or Request.URL.Host value.
EPSS