ALAS-2016-731

Amazon Linux 1 (EOL) Security Advisory: ALAS-2016-731
Advisory Released Date: 2016-08-17
Advisory Updated Date: 2016-08-17

Severity: Medium

References: CVE-2016-5386
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

An input-validation flaw was discovered in the Go programming language built in CGI implementation, which set the environment variable "HTTP_PROXY" using the incoming "Proxy" HTTP-request header. The environment variable "HTTP_PROXY" is used by numerous web clients, including Go's net/http package, to specify a proxy server to use for HTTP and, in some cases, HTTPS requests. This meant that when a CGI-based web application ran, an attacker could specify a proxy server which the application then used for subsequent outgoing requests, allowing a man-in-the-middle attack.

Affected Packages:

golang

Issue Correction:
Run yum update golang to update your system.

New Packages:

i686:
    golang-bin-1.5.3-1.22.amzn1.i686
    golang-1.5.3-1.22.amzn1.i686

noarch:
    golang-docs-1.5.3-1.22.amzn1.noarch
    golang-src-1.5.3-1.22.amzn1.noarch
    golang-tests-1.5.3-1.22.amzn1.noarch
    golang-misc-1.5.3-1.22.amzn1.noarch

src:
    golang-1.5.3-1.22.amzn1.src

x86_64:
    golang-1.5.3-1.22.amzn1.x86_64
    golang-bin-1.5.3-1.22.amzn1.x86_64

Additional References

Red Hat: CVE-2016-5386

Mitre: CVE-2016-5386