Date: Wed, 3 Jul 2024 08:31:17 GMT
Message-Id: <202407030831.4638VH69059837@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
From: Ashish SHUKLA
Subject: git: a2efe54fd672 - main - security/vuxml: Document Go vulnerability
List-Id: Commits to the main branch of the FreeBSD ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main
X-Git-Committer: ashish
X-Git-Repository: ports
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: a2efe54fd672cf76e1392def2a2f43b294233fbc
Auto-Submitted: auto-generated

The branch main has been updated by ashish:

URL: https://cgit.FreeBSD.org/ports/commit/?id=a2efe54fd672cf76e1392def2a2f43b294233fbc

commit a2efe54fd672cf76e1392def2a2f43b294233fbc
Author:     Ashish SHUKLA
AuthorDate: 2024-07-03 08:07:06 +0000
Commit:     Ashish SHUKLA
CommitDate: 2024-07-03 08:24:56 +0000

    security/vuxml: Document Go vulnerability

    Security:       CVE-2024-24791
---
 security/vuxml/vuln/2024.xml | 43 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)

diff --git a/security/vuxml/vuln/2024.xml b/security/vuxml/vuln/2024.xml index 992c9f1f2e3b..5346463db642 100644 --- a/security/vuxml/vuln/2024.xml +++ b/security/vuxml/vuln/2024.xml @@ -1,3 +1,46 @@ + + go -- net/http: denial of service due to improper 100-continue handling + + + go122 + 1.22.5 + + + go121 + 1.21.12 + + + + +

The Go project reports:

+
+

net/http: denial of service due to improper 100-continue handling

+

The net/http HTTP/1.1 client mishandled the case where a + server responds to a request with an "Expect: 100-continue" + header with a non-informational (200 or higher) status. This + mishandling could leave a client connection in an invalid + state, where the next request sent on the connection will + fail.

+

An attacker sending a request to a + net/http/httputil.ReverseProxy proxy can exploit this + mishandling to cause a denial of service by sending "Expect: + 100-continue" requests which elicit a non-informational + response from the backend. Each such request leaves the + proxy with an invalid connection, and causes one subsequent + request using that connection to fail.

+
+ +
+ + CVE-2024-24791 + https://go.dev/issue/67555 + + + 2024-07-02 + 2024-07-03 + +
+ Apache httpd -- Multiple vulnerabilities
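Review bot: The affected-package list at the top of the new entry names only go122 (1.22.5) and go121 (1.21.12), while the quoted description places the flaw in the net/http HTTP/1.1 client and in net/http/httputil.ReverseProxy, which is library code compiled into every Go binary that uses it. Installed packages that were built with an older go122 or go121 will not match this entry, so pkg audit stays silent about them even though they carry the affected client or proxy code. Consider saying so in the commit message, or following up with PORTREVISION bumps for Go-built ports that expose a ReverseProxy, so they are rebuilt against 1.22.5 or 1.21.12. A smaller point on the references block: it cites CVE-2024-24791 and https://go.dev/issue/67555, but the text introduced with "The Go project reports:" has no link to the announcement it quotes; adding that URL would let readers check the wording against its source.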