Security update to go1.4 SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2016:2536-1 Final 1 1 2016-10-14T09:45:15Z current 2016-10-14T09:45:15Z 2016-10-14T09:45:15Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update to go1.4 go1.4 was updated to fix the following vulnerabilities: - CVE-2016-5386: Remote attacker could have set the application's HTTP_PROXY environment variable via Proxy headers (boo#988487) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2016-1190 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/988487 SUSE Bug 988487 https://www.suse.com/security/cve/CVE-2016-5386/ SUSE CVE CVE-2016-5386 page SUSE Package Hub 12 go1.4-1.4.3-6.1 go1.4-doc-1.4.3-6.1 go1.4-1.4.3-6.1 as a component of SUSE Package Hub 12 go1.4-doc-1.4.3-6.1 as a component of SUSE Package Hub 12 The net/http package in Go through 1.6 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect a CGI application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. CVE-2016-5386 SUSE Package Hub 12:go1.4-1.4.3-6.1 SUSE Package Hub 12:go1.4-doc-1.4.3-6.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-5386.html CVE-2016-5386 https://bugzilla.suse.com/988484 SUSE Bug 988484 https://bugzilla.suse.com/988486 SUSE Bug 988486 https://bugzilla.suse.com/988487 SUSE Bug 988487 https://bugzilla.suse.com/988488 SUSE Bug 988488 https://bugzilla.suse.com/988489 SUSE Bug 988489 https://bugzilla.suse.com/988491 SUSE Bug 988491 https://bugzilla.suse.com/988492 SUSE Bug 988492 https://bugzilla.suse.com/989125 SUSE Bug 989125 https://bugzilla.suse.com/989174 SUSE Bug 989174