Golang 1.4.3 CVE Fixes


Severity

Low

Vendor

Google

Versions Affected
  • Golang v1.4.2 and lower
Description

Several security issues were fixed in Go’s net/http package.

The CVE issue descriptions and fixes are linked below:

Affected Pivotal Products and Versions

Severity is low unless otherwise noted.

  • BOSH: all versions of Cloud Foundry BOSH stemcells prior to v3094 are vulnerable to the aforementioned CVEs.
  • Cloud Foundry Runtime: all versions of cf-release prior to 219 are vulnerable to the aforementioned CVEs.
  • Go Buildpack: all versions of the buildpack prior to 1.6.2 contain a vulnerable version of Go.
  • Products in the PCF Suite that reference BOSH stemcell v3093 or earlier are vulnerable to the aforementioned CVEs:
    • Ops Manager v1.5.6 or earlier
    • Elastic Runtime v1.5.5 or earlier
    • MySQL for Pivotal Cloud Foundry v1.6.2 or earlier
    • Session State Caching Powered by Pivotal Gemfire v1.0.2 or earlier
    • RabbitMQ for Pivotal Cloud Foundry v1.4.4 or earlier
    • Redis for Pivotal Cloud Foundry v1.4.8 or earlier
Mitigation

Users of affected versions should apply the following mitigation:

Credit

Jed Denlea and Régis Leroy

References