This addresses the same CVE as is patched in go1.19.6. From that announcement:
> net/http: avoid quadratic complexity in HPACK decoding
>
> A maliciously crafted HTTP/2 stream could cause excessive CPU consumption
> in the HPACK decoder, sufficient to cause a denial of service from a small
> number of small requests.
>
> This issue is also fixed in golang.org/x/net/http2 v0.7.0, for users manually
> configuring HTTP/2.
>
> This is CVE-2022-41723 and Go issue https://go.dev/issue/57855.
full diff: https://github.com/golang/net/compare/v0.5.0...v0.7.0
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit a36286cf89)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Update to the latest version that contains a fix for CVE-2022-27664;
f3363e06e7
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 518179f63e)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Remove the replace rule, and use the version as specified by (indirect) dependencies:
full diff: e18ecbb051...69e39bad7d
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: ab34263943...6772e930b6
- http/httpproxy: match http scheme when selecting http_proxy
- drop support for pre-1.12 direct syscalls on darwin
- x/net/http2: reject HTTP/2 Content-Length headers containing a sign
- http2/h2i: use x/term instead of x/crypto/ssh/terminal
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
