
List:       oss-security
Subject:    Re: [oss-security] CVE Request - Go net/http library - HTTP smuggling
From:       Jason Buberel <jbuberel () google ! com>
Date:       2015-07-29 19:51:12
Message-ID: CA+s3sfEOMOLWgkLGTRxdEQ1f8KzJ2-oSuFpebd4U_x2y9Dz_WQ () mail ! gmail ! com


Florian,

We do have a security@golang.org alias, and a proposal for a more formal
security review process <https://github.com/golang/go/issues/11502>, but I
agree that the process isn't clear enough currently.

In this particular case, the reporter sent a message to go-dev@golang.org.
That was then forwarded to me for handling.

And I agree on the bundling. Is there another specific issue that you're
tracking? Feel free to contact me directly - jbuberel@google.com.

-jason

On Wed, Jul 29, 2015 at 12:16 PM Florian Weimer <fweimer@redhat.com> wrote:

> On 07/29/2015 05:15 PM, Jason Buberel wrote:
> > Hello OSS Security Community,
> >
> > The Go open source project has received notification of an HTTP request
> > smuggling vulnerability in the net/http library (
> > http://golang.org/pkg/net/http/). The vulnerability was identified in
> the
> > 1.4.2 release version (http://golang.org/dl) and in the 1.5 release
> branch.
>
> How does one report such things?
>
> Due to lack of published security contact information, I contacted the
> de-facto subsystem maintainer about the issue, but I have been ignored.
>
> (It would be nice to be able to bundle such security updates as far as
> possible, to avoid recompiling everything constantly.)
>
> --
> Florian Weimer / Red Hat Product Security
>

