2c22bd5280
full diff: https://github.com/golang/net/compare/ab34263943818b32f575efc978 This fixes the same CVE as go1.21.3 and go1.20.10; - net/http: rapid stream resets can cause excessive work A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded to the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit. New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 v0.17.0, for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function. This is CVE-2023-39325 and Go issue https://go.dev/issue/63417. This is also tracked by CVE-2023-44487. Dependency full diffs: a3d24e80b04bd7...v0.17.0 https://github.com/golang/sys/compare/33da011f77ade50ff5b6a6fb4a 9a1e6d6b285809...v0.13.0 https://github.com/golang/text/compare/v0.3.3...v0.13.0 https://github.com/golang/crypto/compare/c1f2f97bffc9c53fc40a1a28a5 b460094c0050d9...v0.14.0 Signed-off-by: Cory Snider <csnider@mirantis.com> |
||
|---|---|---|
| .. | ||
| cloud.google.com/go | ||
| code.cloudfoundry.org/clock | ||
| github.com | ||
| go.etcd.io/bbolt | ||
| go.opencensus.io | ||
| golang.org/x | ||
| google.golang.org | ||
| gotest.tools/v3 | ||