====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN554
_____________________________________________________________________

DATE                : 07/10/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Go versions prior to 1.15.1,
                                      1.14.8.

=====================================================================
https://groups.google.com/forum/#!topic/golang-announce/8wqlSbkLdPs
_____________________________________________________________________


Hi gophers,

We have just released Go 1.15.1 and Go 1.14.8 to address a recently
reported security issue. We recommend that all affected users update to
one of these releases (if you’re not sure which, choose Go 1.15.1).

When a Handler does not explicitly set the Content-Type header, the
net/http/cgi and net/http/fcgi packages would default to “text/html”,
which could cause a Cross-Site Scripting vulnerability if an attacker
can control any part of the contents of a response.

The Content-Type header is now set based on the contents of the first
Write using http.DetectContentType, which is consistent with the
behavior of the net/http package.

Although this protects some applications that validate the contents of
uploaded files, not setting the Content-Type header explicitly on any
attacker-controlled file is unsafe and should be avoided.

Thanks to RedTeam Pentesting GmbH for reporting this issue.

This issue is CVE-2020-24553 and Go issue golang.org/issue/40928.

Downloads are available at https://golang.org/dl for all supported
platforms.


Thank you,

Filippo and Roberto on behalf of the Go team


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41         +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================