Austin Go(phers): it's almost that time again! Tomorrow (Weds/Jan15) is the January ATX Golang Meetup. Swing by for pizza, beer, and general nerdiness around Go -- 6:30pm at the Capital Factory (Antones):
#golang

At least they are using #golang https://www.ac3.com.au/resources/discovery-of-CVE-2024-2550/
#golang #atx

Austin Go(phers): it's that time again! Tonight is the November ATX Golang Meetup. Charles Southerland and I will both be speaking. Swing by for pizza, beer, and general nerdiness around Go. Tonight's meetup is at 7:00pm at the Capital Factory on floor 5 (in the "ACL" room):
#golang #atx

Tonight's Go meetup in Austin, Texas is located within Capital Factory on the 16th floor in the Antone's room. The meeting starts at 6:30 and we have at least one talk queued up. There will be pizza, drinks, and general nerdiness around Go!
#golang #atx

ATX Golang Meetup is this Wednesday in Austin, Texas - https://www.meetup.com/atxgolang/events/301842145/
Have a neat Go project you want to share? A short talk? Swing on by! There will be pizza & drinks!
#golang #programming #fedihired

runZero.com (@runZeroInc) is hiring software engineers who love Go! These roles are 100% remote but require residence in the mainland US and a green card or citizenship https://www.runzero.com/about/careers/
Apply through the web site to get started and feel free to DM with any questions.
Wondering what we do? Grab a free trial and a community edition license for your homelab at https://www.runzero.com/try/
#golang

Looking for something to do in ~90 minutes over a meal? Drop by for the @runZeroInc Hour webcast today with me, @lorddimwit, and @blainsmith.
We're chatting about remote detection of the xz-utils affected SSH binaries, our upcoming research report, the Palo Alto Networks RCE and surprise #golang zero-day in gorilla/sessions, Binarly's epic lighttpd vulnerability and supply chain research, and much more!
https://runzero.zoom.us/webinar/register/1217102670048/WN_4Po_Qnx4S1Og3Plm9KyiZA#/registration
#golang #cve_2024_3400

The #golang `gorilla/sessions` directory traversal and file (over)write is now being tracked as GO-2024-2730: https://go-review.googlesource.com/c/vulndb/+/579655
This issue was (co)-discovered as part of watchTowr's analysis of the Palo Alto Networks RCE (#CVE_2024_3400), but is entirely separate, and affects a wide range of Go-based web services.
https://github.com/golang/vulndb/issues/2730
If you use gorilla/sessions with the FilesystemStore, please switch to the CookieStore instead until a patch is available.
#golang #vulnerability

Huh. So the Gorilla project went into archive-only mode in 2022. The gorilla/sessions project opened an issue asking for a new maintainer, this issue was closed as "stale", and a final comment was added indicating that the project is archived: https://github.com/gorilla/sessions/issues/250
The Gorilla project website, however, states that as of July 2023, a new maintainer has been identified, and the gorilla/mux project is seeing recent commits, so hopefully the same maintainers are also managing gorilla/sessions. The gorilla/sessions CI automation is failing with a bad credential and it looks like the sessions project specifically hasn't seen much love lately. #golang #vulnerability
Looks like quite a few projects are using session.FilesystemStore: https://github.com/search?q=sessions.NewFilesystemStore+language%3Ago+&type=code
#golang

The watchTowr folks published an in-depth article today covering the Palo Alto Networks unauthenticated RCE at: https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/
Even more impressive is they also disclosed a zero-day directory traversal vulnerability in the #golang gorilla/sessions package (used far and wide). The gorilla vulnerability only applies to code using the FilesystemStore, but it is still likely to impact a huge range of products and services. A pull request to fix this is open at https://github.com/gorilla/sessions/pull/274
Huge thanks to @alizthehax0r and the watchTowr team as well as @moloch of Bishop Fox for co-discovery (and providing a fix for) of the gorilla/sessions bug.
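The posts above give the short-term mitigation (move FilesystemStore users to CookieStore) and point at the fix PR; as an added illustration of the defensive check any file-backed session store needs, here is a hypothetical Go helper that is not gorilla/sessions code and not from these posts. The names `safeSessionPath`, `sessionIDPattern` and the store directory `/var/lib/app/sessions` are assumptions constructed for this example: the helper allowlists the identifier read from the cookie and confirms the resulting path stays inside the store directory before any file is touched.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// Hypothetical allowlist for session identifiers: only the URL-safe
// base64 alphabet, 16 to 128 characters. Slashes, dots and control
// characters are rejected before the value ever reaches a filesystem path.
var sessionIDPattern = regexp.MustCompile(`^[A-Za-z0-9_-]{16,128}$`)

var ErrBadSessionID = errors.New("invalid session identifier")

// safeSessionPath builds the on-disk path for a file-backed session store.
// A naive filepath.Join(dir, "session_"+id) trusts the cookie value; this
// version (1) allowlists the identifier and (2) as defence in depth checks
// that the cleaned absolute result still lies inside dir, so a cookie can
// never select a file outside the store for reading or overwriting.
func safeSessionPath(dir, id string) (string, error) {
	if !sessionIDPattern.MatchString(id) {
		return "", ErrBadSessionID
	}
	base, err := filepath.Abs(dir)
	if err != nil {
		return "", err
	}
	full := filepath.Join(base, "session_"+id)
	rel, err := filepath.Rel(base, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrBadSessionID
	}
	return full, nil
}

func main() {
	// Constructed sample cookie values: one well-formed ID, one containing
	// path separators, and one that is simply too short.
	for _, id := range []string{"f3Z9_kqL0pWxYb7Rt2mN", "../../outside", "short"} {
		p, err := safeSessionPath("/var/lib/app/sessions", id)
		fmt.Printf("%q -> %q, err=%v\n", id, p, err)
	}
}
```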
Copyright 1998-2025 HD Moore