Name | CVE-2017-1000098 |
Description | The net/http package's Request.ParseMultipartForm method starts writing to temporary files once the request body size surpasses the given "maxMemory" limit. It was possible for an attacker to generate a multipart request crafted such that the server ran out of file descriptors. |
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more) |
References | DLA-1123-1 |
Vulnerable and fixed packages
The table below lists information on source packages.
Source Package | Release | Version | Status |
---|---|---|---|
golang-1.7 (PTS) | stretch | 1.7.4-2+deb9u1 | fixed |
golang-1.7 | stretch (security) | 1.7.4-2+deb9u5 | fixed |
golang-1.8 (PTS) | stretch | 1.8.1-1+deb9u1 | fixed |
golang-1.8 | stretch (security) | 1.8.1-1+deb9u5 | fixed |
The information below is based on the following data on fixed versions.
Notes
- golang-1.9 <not-affected> (Fixed before initial release to Debian)
- golang-1.8 <not-affected> (Fixed before initial release to Debian)
[jessie] - golang <ignored> (Minor issue)
https://groups.google.com/forum/#!msg/golang-dev/4NdLzS8sls8/uIz8QlnIBQAJ
https://golang.org/cl/30410
https://golang.org/issue/17965