Go HTTP_PROXY environment variable Security Vulnerability (CVE-2016-5386)

Go HTTP_PROXY environment variable Security Vulnerability (CVE-2016-5386)
Go HTTP_PROXY environment variable Security Vulnerability (CVE-2016-5386)

Release date:
Updated on:

Affected Systems:

Go <1, 1.6

Description:

CVE (CAN) ID: CVE-2016-5386

Go, also known as golang, is a programming language developed by Google, featuring static strong types, compiled models, concurrent hairstyles, and garbage collection functions.

For the Go <1.6 net/http software package, there is a namespace conflict in RFC 3875 section 4.1.18, And the HTTP_PROXY environment variable cannot filter the constructed client data. Remote attackers can construct the Proxy header of an HTTP request to redirect the HTTP data stream of an application to any Proxy server.

<* Source: Kurt Seifried (kurt@seifried.org)
*>

Suggestion:

Vendor patch:

Go
--
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:

Https://golang.org/

Refer:
Https://httpoxy.org/
Http://www.kb.cert.org/vuls/id/797896
Https://bugzilla.redhat.com/show_bug.cgi? Id = 1353798

Getting started with Linux-installing Go in Linux

Install Go Language Pack in Ubuntu

Go language programming (HD) full-version ebook

Go language and beauty-surpassing "Hello World"

Why do I like the Go language?

Implementation of the Go language memory distributor

This article permanently updates the link address: