moby/vendor/golang.org/x
Sebastiaan van Stijn 1cc1395fae
vendor: golang.org/x/net v0.4.0
golang.org/x/net contains a fix for CVE-2022-41717, which was addressed
in stdlib in go1.19.4 and go1.18.9;

> net/http: limit canonical header cache by bytes, not entries
>
> An attacker can cause excessive memory growth in a Go server accepting
> HTTP/2 requests.
>
> HTTP/2 server connections contain a cache of HTTP header keys sent by
> the client. While the total number of entries in this cache is capped,
> an attacker sending very large keys can cause the server to allocate
> approximately 64 MiB per open connection.
>
> This issue is also fixed in golang.org/x/net/http2 v0.4.0,
> for users manually configuring HTTP/2.

full diff: https://github.com/golang/net/compare/v0.2.0...v0.4.0

other dependency updates (due to circular dependencies):

- golang.org/x/sys v0.3.0: https://github.com/golang/sys/compare/v0.2.0...v0.3.0
- golang.org/x/text v0.5.0: https://github.com/golang/text/compare/v0.4.0...v0.5.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 4bbc37687e)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-12-09 00:01:27 +01:00
| Name | Last commit | Date |
|------|-------------|------|
| crypto | vendor: golang.org/x/crypto v0.2.0 | 2022-12-09 00:00:58 +01:00 |
| net | vendor: golang.org/x/net v0.4.0 | 2022-12-09 00:01:27 +01:00 |
| oauth2 | vendor: golang.org/x/oauth2 v0.1.0 | 2022-11-15 17:06:19 +01:00 |
| sync | vendor: golang.org/x/sync v0.1.0 | 2022-11-15 14:56:04 +01:00 |
| sys | vendor: golang.org/x/net v0.4.0 | 2022-12-09 00:01:27 +01:00 |
| text | vendor: golang.org/x/net v0.4.0 | 2022-12-09 00:01:27 +01:00 |
| time | vendor: golang.org/x/time v0.1.0 | 2022-11-15 14:56:12 +01:00 |