Synopsis:          Moderate: golang security, bug fix, and enhancement
Advisory ID:       SLSA-2016:1538-1
Issue Date:        2016-08-03
CVE Numbers:       CVE-2016-5386
--

The following packages have been upgraded to a newer upstream version:
golang (1.6.3).

Security Fix(es):

* An input-validation flaw was discovered in the Go programming language
built-in CGI implementation, which set the environment variable
"HTTP_PROXY" using the incoming "Proxy" HTTP-request header. The
environment variable "HTTP_PROXY" is used by numerous web clients,
including Go's net/http package, to specify a proxy server to use for HTTP
and, in some cases, HTTPS requests. This meant that when a CGI-based web
application ran, an attacker could specify a proxy server which the
application then used for subsequent outgoing requests, allowing a
man-in-the-middle attack. (CVE-2016-5386)
--

SL7
  x86_64
    golang-1.6.3-1.el7_2.1.x86_64.rpm
    golang-bin-1.6.3-1.el7_2.1.x86_64.rpm
  noarch
    golang-docs-1.6.3-1.el7_2.1.noarch.rpm
    golang-misc-1.6.3-1.el7_2.1.noarch.rpm
    golang-src-1.6.3-1.el7_2.1.noarch.rpm
    golang-tests-1.6.3-1.el7_2.1.noarch.rpm

- Scientific Linux Development Team