Bugzilla – Bug 1079008
VUL-0: CVE-2017-1000098: golang: net/http: multipart ReadForm close file after copy
Last modified: 2018-03-07 14:10:40 UTC
The net/http package's Request.ParseMultipartForm method starts writing to
temporary files once the request body size surpasses the given "maxMemory"
limit. It was possible for an attacker to generate a multipart request crafted
such that the server ran out of file descriptors.
This fix is in go1.8, go1.9, go1.10 and in go1.7 >= 1.7.5
All our packages should have this fix already.
Also in go1.6 >= 1.6.4. All our instances of go1.6 already contain this version.