reports: merge GO-2021-0269 and GO-2021-0226
GO-2021-0269 and GO-2021-0226 address the same CVE, so we should only
have 1 report. Data for GO-2021-0269 is moved to the additional packages
section of GO-2021-0226.
For golang/vulndb#226
For golang/vulndb#269
Change-Id: If3e707b850e0d7046fa9a824e41703d2d112aac4
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/381397
Trust: Julie Qiu <julie@golang.org>
Run-TryBot: Julie Qiu <julie@golang.org>
Reviewed-by: Jonathan Amsterdam <jba@google.com>
Vulndb-Deploy: Julie Qiu <julieqiu@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: kokoro <noreply+kokoro@google.com>
diff --git a/reports/GO-2021-0226.yaml b/reports/GO-2021-0226.yaml
index 887c58f..fabf8c0 100644
--- a/reports/GO-2021-0226.yaml
+++ b/reports/GO-2021-0226.yaml
@@ -1,5 +1,15 @@
module: std
package: net/http/cgi
+additional_packages:
+ - module: std
+ package: net/http/fcgi
+ symbols:
+ - response.Write
+ - response.WriteHeader
+ - response.writeCGIHeader
+ versions:
+ - fixed: go1.14.8
+ - fixed: go1.15.1
versions:
- fixed: go1.14.8
- fixed: go1.15.1
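Review bot: The new `additional_packages` entry for `net/http/fcgi` only carries `symbols` and `versions`, while the report being folded in (GO-2021-0269) also recorded `cves: CVE-2020-24553`, `credit: RedTeam Pentesting GmbH`, the fix links (`https://go.dev/cl/252179`, the go.googlesource.com commit) and the context links; the visible context of GO-2021-0226 stops at line 5, so this hunk does not show whether those fields are already present in the surviving report. Please confirm the merged report keeps the CVE, credit and links, and that its `description` now covers both `net/http/cgi` and `net/http/fcgi`, since the deleted text was written only about the fcgi package.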
diff --git a/reports/GO-2021-0269.yaml b/reports/GO-2021-0269.yaml
deleted file mode 100644
index abf7273..0000000
--- a/reports/GO-2021-0269.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-module: std
-package: net/http/fcgi
-versions:
- - fixed: go1.14.8
- - fixed: go1.15.1
-description: |
- When a Handler does not explicitly set the Content-Type header, the the
- package would default to “text/html”, which could cause a Cross-Site Scripting
- vulnerability if an attacker can control any part of the contents of a
- response.
-
- The Content-Type header is now set based on the contents of the first Write
- using http.DetectContentType, which is consistent with the behavior of the
- net/http package.
-
- Although this protects some applications that validate the contents of
- uploaded files, not setting the Content-Type header explicitly on any
- attacker-controlled file is unsafe and should be avoided.
-published: 2022-01-13T03:44:55Z
-cves:
- - CVE-2020-24553
-credit: RedTeam Pentesting GmbH
-symbols:
- - response.Write
- - response.WriteHeader
- - response.writeCGIHeader
-links:
- pr: https://go.dev/cl/252179
- commit: https://go.googlesource.com/go/+/4f5cd0c0331943c7ec72df3b827d972584f77833
- context:
- - https://groups.google.com/g/golang-announce/c/8wqlSbkLdPs
- - https://go.dev/issue/40928
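Review bot: If the deleted `description` text is carried over into GO-2021-0226, fix the duplicated word in its first sentence ("the the package would default to ...") and keep the closing paragraph ("not setting the Content-Type header explicitly on any attacker-controlled file is unsafe and should be avoided"), which is the actionable guidance for users of both packages. The `published: 2022-01-13T03:44:55Z` timestamp and the `symbols` list (`response.Write`, `response.WriteHeader`, `response.writeCGIHeader`) being removed here should likewise be reflected in the merged report, otherwise the fcgi entry loses its first-published date.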