go: multiple vulnerabilities (CVE-2020-14039, CVE-2020-15586)
CVE-2020-15586
Data race in certain net/http servers including ReverseProxy
Servers where the Handler concurrently reads the request body and writes a response can encounter a data race and crash. The httputil.ReverseProxy Handler is affected.
Thanks to Mikael Manukyan, Andrew Kutz, Dave McClure, Tim Downey, Clay Kauzlaric, and Gabe Rosenhouse for reporting this issue.
This issue is CVE-2020-15586 and Go issue golang.org/issue/34902.
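The fix for this issue is the patched Go toolchain; there is no application-level change that repairs net/http itself. The condition the advisory names is a Handler whose body read and response write overlap, so a deployment that cannot rebuild yet can keep the two apart by draining the request body into memory before the proxy runs. The following is an added example of that pattern, not code from Go or from this advisory; bufferBody, proxyThrough and the local httptest backend are constructed for illustration, and the size limit is an assumption the operator has to choose.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"strings"
)

// bufferBody reads the entire request body into memory, bounded by limit,
// before calling next. When the wrapped Handler (here a ReverseProxy) begins
// writing its response, nothing is still reading the body from the client
// connection, so the read and the write no longer overlap. The cost is one
// body's worth of memory per in-flight request and the loss of streaming uploads.
func bufferBody(next http.Handler, limit int64) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Body != nil && r.Body != http.NoBody {
			body, err := io.ReadAll(http.MaxBytesReader(w, r.Body, limit))
			if err != nil {
				// Oversized or unreadable body: reject here rather than proxy it.
				http.Error(w, "request body too large or unreadable", http.StatusRequestEntityTooLarge)
				return
			}
			r.Body = io.NopCloser(bytes.NewReader(body))
			r.ContentLength = int64(len(body))
		}
		next.ServeHTTP(w, r)
	})
}

// proxyThrough POSTs body through a ReverseProxy wrapped in bufferBody to a
// backend that echoes what it receives, and returns the status and echoed body.
// Both servers are local httptest servers constructed for this example.
func proxyThrough(body string, limit int64) (int, string, error) {
	backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		b, _ := io.ReadAll(r.Body)
		w.Write(b)
	}))
	defer backend.Close()

	target, err := url.Parse(backend.URL)
	if err != nil {
		return 0, "", err
	}
	front := httptest.NewServer(bufferBody(httputil.NewSingleHostReverseProxy(target), limit))
	defer front.Close()

	resp, err := http.Post(front.URL+"/echo", "text/plain", strings.NewReader(body))
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	out, err := io.ReadAll(resp.Body)
	if err != nil {
		return 0, "", err
	}
	return resp.StatusCode, string(out), nil
}

func main() {
	status, echoed, err := proxyThrough("hello via proxy", 1<<20)
	fmt.Println(status, echoed, err)
}
```

A body above the limit is answered with 413 before the proxy ever sees it, which also bounds the memory the workaround can consume. Treat this as a stopgap until the toolchain is upgraded.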
CVE-2020-14039
X.509 verification ignores provided EKUs on Windows
On Windows, if VerifyOptions.Roots is nil, Certificate.Verify does not check the EKU requirements specified in VerifyOptions.KeyUsages.
Thanks to Niall Newman for reporting this issue.
This issue is CVE-2020-14039 and Go issue golang.org/issue/39360.
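The faulty path is only taken when VerifyOptions.Roots is nil, so code that always supplies an explicit root pool stays on Go's own verifier, and code that checks the leaf's EKU extension itself does not depend on which verifier ran. The following added example shows both; it is not code from Go or from this advisory. newCAAndLeaf, ekuPermits and verifyForUsage are names chosen here, and the self-signed CA and leaf are constructed test material.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newCAAndLeaf builds a throwaway self-signed CA and a leaf certificate that
// carries exactly the given EKUs. Constructed test material for this example.
func newCAAndLeaf(leafEKUs []x509.ExtKeyUsage) (ca, leaf *x509.Certificate, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example test CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	if ca, err = x509.ParseCertificate(caDER); err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "leaf.example"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(12 * time.Hour),
		ExtKeyUsage:  leafEKUs,
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	leaf, err = x509.ParseCertificate(leafDER)
	return ca, leaf, err
}

// ekuPermits reports whether the leaf's EKU extension allows at least one of the
// requested usages. A leaf with no EKU extension, or with anyExtendedKeyUsage,
// is unrestricted. Leaf-only check, independent of which verifier Verify used.
func ekuPermits(leaf *x509.Certificate, want []x509.ExtKeyUsage) bool {
	if len(leaf.ExtKeyUsage) == 0 && len(leaf.UnknownExtKeyUsage) == 0 {
		return true
	}
	for _, have := range leaf.ExtKeyUsage {
		if have == x509.ExtKeyUsageAny {
			return true
		}
		for _, w := range want {
			if have == w {
				return true
			}
		}
	}
	return false
}

// verifyForUsage chains leaf to an explicit, non-nil root pool (avoiding the
// Roots == nil path the advisory describes) and then applies ekuPermits, which
// catches a verifier that ignored KeyUsages anyway.
func verifyForUsage(leaf, ca *x509.Certificate, want []x509.ExtKeyUsage) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: want}); err != nil {
		return err
	}
	if !ekuPermits(leaf, want) {
		return errors.New("x509: certificate EKU does not permit the requested usage")
	}
	return nil
}

func main() {
	ca, leaf, err := newCAAndLeaf([]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth})
	if err != nil {
		panic(err)
	}
	fmt.Println("serverAuth:", verifyForUsage(leaf, ca, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}))
	fmt.Println("clientAuth:", verifyForUsage(leaf, ca, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}))
}
```

A leaf issued only for serverAuth verifies for serverAuth and is rejected for clientAuth. Code that intends to trust the Windows certificate store must leave Roots nil and therefore cannot use the first half of this defence; the explicit ekuPermits check is what remains for it until the toolchain is upgraded.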
Affected branches
- master
- 3.12-stable
- 3.11-stable
Edited by Sören Tempel