[security] Go 1.15.1 and Go 1.14.8 are released

2,287 views

Skip to first unread message

Filippo Valsorda

unread,

Sep 1, 2020, 12:56:45 PM9/1/20

to golang-nuts

Hi gophers,

We have just released Go 1.15.1 and Go 1.14.8 to address a recently reported security issue. We recommend that all affected users update to one of these releases (if you’re not sure which, choose Go 1.15.1).

When a Handler does not explicitly set the Content-Type header, the net/http/cgi and net/http/fcgi packages would default to “text/html”, which could cause a Cross-Site Scripting vulnerability if an attacker can control any part of the contents of a response.

The Content-Type header is now set based on the contents of the first Write using http.DetectContentType, which is consistent with the behavior of the net/http package.

Although this protects some applications that validate the contents of uploaded files, not setting the Content-Type header explicitly on any attacker-controlled file is unsafe and should be avoided.

Thanks to RedTeam Pentesting GmbH for reporting this issue.

This issue is CVE-2020-24553 and Go issue golang.org/issue/40928.

Downloads are available at https://golang.org/dl for all supported platforms.

Thank you,

Filippo and Roberto on behalf of the Go team

Reply all

Reply to author

Forward

0 new messages