Google Git
Sign in
go / vulndb / c3bbf67413adaa677bd64fd6be3bacc1ffeffe7e^! / .
commitc3bbf67413adaa677bd64fd6be3bacc1ffeffe7e[log] [tgz]
authorJulie Qiu <julieqiu@google.com>Thu Jan 27 13:48:52 2022 -0500
committerJulie Qiu <julie@golang.org>Fri Feb 18 17:55:23 2022 +0000
tree419a457c86bea88393e6683f4bd149a65fb069ec
parent2bdee207705b98e38c70c05079d48d20ddc42b72 [diff]
reports: merge GO-2021-0269 and GO-2021-0226

GO-2021-0269 and GO-2021-0226 address the same CVE, so we should only
have 1 report. Data for GO-2021-0269 is moved to the additional packages
section of GO-2021-0226.

For golang/vulndb#226
For golang/vulndb#269

Change-Id: If3e707b850e0d7046fa9a824e41703d2d112aac4
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/381397
Trust: Julie Qiu <julie@golang.org>
Run-TryBot: Julie Qiu <julie@golang.org>
Reviewed-by: Jonathan Amsterdam <jba@google.com>
Vulndb-Deploy: Julie Qiu <julieqiu@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: kokoro <noreply+kokoro@google.com>

diff --git a/reports/GO-2021-0226.yaml b/reports/GO-2021-0226.yaml
index 887c58f..fabf8c0 100644
--- a/reports/GO-2021-0226.yaml
+++ b/reports/GO-2021-0226.yaml

@@ -1,5 +1,15 @@
 module: std
 package: net/http/cgi
+additional_packages:
+  - module: std
+    package: net/http/fcgi
+    symbols:
+      - response.Write
+      - response.WriteHeader
+      - response.writeCGIHeader
+    versions:
+      - fixed: go1.14.8
+      - fixed: go1.15.1
 versions:
   - fixed: go1.14.8
   - fixed: go1.15.1

diff --git a/reports/GO-2021-0269.yaml b/reports/GO-2021-0269.yaml
deleted file mode 100644
index abf7273..0000000
--- a/reports/GO-2021-0269.yaml
+++ /dev/null

@@ -1,32 +0,0 @@
-module: std
-package: net/http/fcgi
-versions:
-  - fixed: go1.14.8
-  - fixed: go1.15.1
-description: |
-    When a Handler does not explicitly set the Content-Type header, the the
-    package would default to “text/html”, which could cause a Cross-Site Scripting
-    vulnerability if an attacker can control any part of the contents of a
-    response.
-
-    The Content-Type header is now set based on the contents of the first Write
-    using http.DetectContentType, which is consistent with the behavior of the
-    net/http package.
-
-    Although this protects some applications that validate the contents of
-    uploaded files, not setting the Content-Type header explicitly on any
-    attacker-controlled file is unsafe and should be avoided.
-published: 2022-01-13T03:44:55Z
-cves:
-  - CVE-2020-24553
-credit: RedTeam Pentesting GmbH
-symbols:
-  - response.Write
-  - response.WriteHeader
-  - response.writeCGIHeader
-links:
-    pr: https://go.dev/cl/252179
-    commit: https://go.googlesource.com/go/+/4f5cd0c0331943c7ec72df3b827d972584f77833
-    context:
-      - https://groups.google.com/g/golang-announce/c/8wqlSbkLdPs
-      - https://go.dev/issue/40928