Bug 1227314 (CVE-2024-24791)

Summary: VUL-0: CVE-2024-24791 go1.21,go1.22: net/http: denial of service due to improper 100-continue handling
Product: [Novell Products] SUSE Security Incidents Reporter: Jeff Kowalczyk <jkowalczyk>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: NEW --- QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: meissner
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/412736/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-24791:6.5:(AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Jeff Kowalczyk 2024-07-02 21:28:23 UTC 
The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail.

An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.

Thanks to Geoff Franks for reporting this issue.

This is CVE-2024-24791 and Go issue https://go.dev/issue/67555.
Comment 1 OBSbugzilla Bot 2024-07-02 22:45:06 UTC 
This is an autogenerated message for OBS integration:
This bug (1227314) was mentioned in
https://build.opensuse.org/request/show/1184953 Factory / go1.21
https://build.opensuse.org/request/show/1184954 Factory / go1.22
Comment 3 Maintenance Automation 2024-07-03 20:30:01 UTC 
SUSE-SU-2024:2295-1: An update that solves one vulnerability and has one security fix can now be installed.

Category: security (important)
Bug References: 1218424, 1227314
CVE References: CVE-2024-24791
Maintenance Incident: [SUSE:Maintenance:34556](https://smelt.suse.de/incident/34556/)
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src):
 go1.22-1.22.5-1.15.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 4 Maintenance Automation 2024-07-03 20:30:02 UTC 
SUSE-SU-2024:2294-1: An update that solves one vulnerability and has one security fix can now be installed.

Category: security (important)
Bug References: 1212475, 1227314
CVE References: CVE-2024-24791
Maintenance Incident: [SUSE:Maintenance:34555](https://smelt.suse.de/incident/34555/)
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src):
 go1.21-1.21.12-1.39.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 5 Maintenance Automation 2024-07-05 12:30:03 UTC 
SUSE-SU-2024:2309-1: An update that solves one vulnerability and has one security fix can now be installed.

Category: security (important)
Bug References: 1218424, 1227314
CVE References: CVE-2024-24791
Maintenance Incident: [SUSE:Maintenance:34558](https://smelt.suse.de/incident/34558/)
Sources used:
openSUSE Leap 15.6 (src):
 go1.22-1.22.5-150000.1.21.1
Development Tools Module 15-SP5 (src):
 go1.22-1.22.5-150000.1.21.1
Development Tools Module 15-SP6 (src):
 go1.22-1.22.5-150000.1.21.1
openSUSE Leap 15.5 (src):
 go1.22-1.22.5-150000.1.21.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 6 Maintenance Automation 2024-07-05 12:30:06 UTC 
SUSE-SU-2024:2308-1: An update that solves one vulnerability and has one security fix can now be installed.

Category: security (important)
Bug References: 1212475, 1227314
CVE References: CVE-2024-24791
Maintenance Incident: [SUSE:Maintenance:34557](https://smelt.suse.de/incident/34557/)
Sources used:
openSUSE Leap 15.5 (src):
 go1.21-1.21.12-150000.1.39.1
openSUSE Leap 15.6 (src):
 go1.21-1.21.12-150000.1.39.1
Development Tools Module 15-SP5 (src):
 go1.21-1.21.12-150000.1.39.1
Development Tools Module 15-SP6 (src):
 go1.21-1.21.12-150000.1.39.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src):
 go1.21-1.21.12-150000.1.39.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src):
 go1.21-1.21.12-150000.1.39.1
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src):
 go1.21-1.21.12-150000.1.39.1
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src):
 go1.21-1.21.12-150000.1.39.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src):
 go1.21-1.21.12-150000.1.39.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.