0ct0pu5/moby
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
39986 commits 14 branches 412 tags 338 MiB
Commit graph

7 commits

Author SHA1 Message Date
Cory Snider
2c22bd5280 vendor: golang.org/x/net v0.17.0 
full diff: https://github.com/golang/net/compare/ab34263943818b32f575efc978

This fixes the same CVE as go1.21.3 and go1.20.10;

- net/http: rapid stream resets can cause excessive work

  A malicious HTTP/2 client which rapidly creates requests and
  immediately resets them can cause excessive server resource consumption.
  While the total number of requests is bounded to the
  http2.Server.MaxConcurrentStreams setting, resetting an in-progress
  request allows the attacker to create a new request while the existing
  one is still executing.

  HTTP/2 servers now bound the number of simultaneously executing
  handler goroutines to the stream concurrency limit. New requests
  arriving when at the limit (which can only happen after the client
  has reset an existing, in-flight request) will be queued until a
  handler exits. If the request queue grows too large, the server
  will terminate the connection.

  This issue is also fixed in golang.org/x/net/http2 v0.17.0,
  for users manually configuring HTTP/2.

  The default stream concurrency limit is 250 streams (requests)
  per HTTP/2 connection. This value may be adjusted using the
  golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams
  setting and the ConfigureServer function.

  This is CVE-2023-39325 and Go issue https://go.dev/issue/63417.
  This is also tracked by CVE-2023-44487.

Dependency full diffs:
a3d24e80b04bd7...v0.17.0
https://github.com/golang/sys/compare/33da011f77ade50ff5b6a6fb4a
9a1e6d6b285809...v0.13.0
https://github.com/golang/text/compare/v0.3.3...v0.13.0
https://github.com/golang/crypto/compare/c1f2f97bffc9c53fc40a1a28a5
b460094c0050d9...v0.14.0

Signed-off-by: Cory Snider <csnider@mirantis.com>
 2023-10-23 16:37:52 -04:00
Sebastiaan van Stijn
3e2965831f
vendor: golang.org/x/text v0.3.3 
full diff: https://github.com/golang/text/compare/v0.3.2...v0.3.3

includes a fix for CVE-2020-14040

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
 2020-06-17 12:52:46 +02:00
Akihiro Suda
9a82a9a8ea vendor containerd, BuildKit, protobuf, grpc, and golang.org/x 
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 2020-03-03 10:25:20 +09:00
Vincent Demeester
b0d108aa6b
Bump a bunch of dependencies to more recent versions 
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
 2018-08-01 10:37:27 +02:00
Sebastiaan van Stijn
63f4bc5237
Bump vndr to 9909bb2b8a0b7ea464527b376dc50389c90df587 
This bumps vndr to 9909bb2b8a0b7ea464527b376dc50389c90df587
and revendors dependencies.

Includes a change that prunes go files with `+build ignore`

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
 2017-07-10 14:05:13 -07:00
Akihiro Suda
5a1b06d7fd rerun vndr 
* run latest vndr so as to collect more LICENSE files
 * remove unused packages
 * vendor github.com/philhofer/fwd with LICENSE.md (MIT)
 * vendor github.com/bsphere/le_go with LICENSE (MIT)

Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
 2017-03-08 02:29:34 +00:00
Tonis Tiigi
db37a86d37 vendor: update golang/net to c427ad74c 
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
 2017-01-13 15:42:11 -08:00