The net/http package's Request.ParseMultipartForm method starts writing to temporary files once the request body size surpasses the given "maxMemory" limit. It was possible for an attacker to generate a multipart request crafted such that the server ran out of file descriptors.
{ "binaries": [ { "binary_name": "golang-1.8", "binary_version": "1.8.3-2ubuntu1" }, { "binary_name": "golang-1.8-doc", "binary_version": "1.8.3-2ubuntu1" }, { "binary_name": "golang-1.8-go", "binary_version": "1.8.3-2ubuntu1" }, { "binary_name": "golang-1.8-go-dbgsym", "binary_version": "1.8.3-2ubuntu1" }, { "binary_name": "golang-1.8-go-shared-dev", "binary_version": "1.8.3-2ubuntu1" }, { "binary_name": "golang-1.8-go-shared-dev-dbgsym", "binary_version": "1.8.3-2ubuntu1" }, { "binary_name": "golang-1.8-src", "binary_version": "1.8.3-2ubuntu1" }, { "binary_name": "libgolang-1.8-std1", "binary_version": "1.8.3-2ubuntu1" }, { "binary_name": "libgolang-1.8-std1-dbgsym", "binary_version": "1.8.3-2ubuntu1" } ], "availability": "No subscription required", "ubuntu_priority": "low" }
{ "binaries": [ { "binary_name": "golang-1.9", "binary_version": "1.9.4-1ubuntu1" }, { "binary_name": "golang-1.9-doc", "binary_version": "1.9.4-1ubuntu1" }, { "binary_name": "golang-1.9-go", "binary_version": "1.9.4-1ubuntu1" }, { "binary_name": "golang-1.9-go-dbgsym", "binary_version": "1.9.4-1ubuntu1" }, { "binary_name": "golang-1.9-src", "binary_version": "1.9.4-1ubuntu1" } ], "availability": "No subscription required", "ubuntu_priority": "low" }