commit e08bbd4926c344bcee94e1a3f5d563629dd121aa
author Damien Neil <dneil@google.com> Wed Jan 05 12:00:24 2022 -0800
committer Damien Neil <dneil@google.com> Fri Jan 07 23:44:33 2022 +0000
tree a3cdee4fcf83311d69f47600b3d74f904e6b35ef
parent 2cc2445529fc09a7d7fa175991d4ca03e2b01c1c

reports: add GO-2021-0157 for CVE-2015-5739

Fixes golang/vulndb#157

Change-Id: I055fe69ddfc4e594c9a4703f7d1cb6a2470b9951
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/375735
Trust: Damien Neil <dneil@google.com>
Run-TryBot: Damien Neil <dneil@google.com>
Reviewed-by: Julie Qiu <julie@golang.org>

reports/GO-2021-0157.yaml

diff --git a/reports/GO-2021-0157.yaml b/reports/GO-2021-0157.yaml
new file mode 100644
index 0000000..9657244
--- /dev/null
+++ b/reports/GO-2021-0157.yaml
@@ -0,0 +1,19 @@
+module: std
+package: net/textproto
+versions:
+- fixed: go1.4.3
+description: |
+  The MIME header parser treated spaces and hyphens
+  as equivalent, which can permit HTTP request smuggling.
+published: 2022-01-05T20:00:00Z
+cves:
+- CVE-2015-5739
+credit: Régis Leroy
+symbols:
+- CanonicalMIMEHeaderKey
+- canonicalMIMEHeaderKey
+links:
+  pr: https://go.dev/cl/11772
+  commit: https://go.googlesource.com/go/+/117ddcb83d7f42d6aa72241240af99ded81118e9
+  context:
+  - https://groups.google.com/g/golang-announce/c/iSIyW4lM4hY/m/ADuQR4DiDwAJ