Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[26.0 backport] vendor: golang.org/x/sys v0.18.0, golang.org/x/term v0.18.0, golang.org/x/crypto v0.21.0, golang.org/x/net v0.23.0 #4999

Merged
merged 4 commits into from
Apr 10, 2024

Conversation

thaJeztah
Copy link
Member


vendor: golang.org/x/sys v0.18.0

full diff: golang/sys@v0.16.0...v0.18.0

vendor: golang.org/x/term v0.18.0

no changes in vendored code

full diff: golang/term@v0.15.0...v0.18.0

vendor: golang.org/x/net v0.22.0, golang.org/x/crypto v0.21.0

full diffs changes relevant to vendored code:

vendor: golang.org/x/net v0.23.0

full diff: golang/net@v0.22.0...v0.23.0

Includes a fix for CVE-2023-45288, which is also addressed in go1.22.2
and go1.21.9;

http2: close connections when receiving too many headers

Maintaining HPACK state requires that we parse and process
all HEADERS and CONTINUATION frames on a connection.
When a request's headers exceed MaxHeaderBytes, we don't
allocate memory to store the excess headers but we do
parse them. This permits an attacker to cause an HTTP/2
endpoint to read arbitrary amounts of data, all associated
with a request which is going to be rejected.

Set a limit on the amount of excess header frames we
will process before closing a connection.

Thanks to Bartek Nowotarski for reporting this issue.

- Description for the changelog

- A picture of a cute animal (not mandatory but encouraged)

full diff: golang/sys@v0.16.0...v0.18.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 9a2133f)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
no changes in vendored code

full diff: golang/term@v0.15.0...v0.18.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit c7a50eb)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diffs changes relevant to vendored code:

- golang/net@v0.19.0...v0.22.0
    - http2: remove suspicious uint32->v conversion in frame code
    - http2: send an error of FLOW_CONTROL_ERROR when exceed the maximum octets
- golang/crypto@v0.17.0...v0.21.0
    - (no changes in vendored code)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 4745b95)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: golang/net@v0.22.0...v0.23.0

Includes a fix for CVE-2023-45288, which is also addressed in go1.22.2
and go1.21.9;

> http2: close connections when receiving too many headers
>
> Maintaining HPACK state requires that we parse and process
> all HEADERS and CONTINUATION frames on a connection.
> When a request's headers exceed MaxHeaderBytes, we don't
> allocate memory to store the excess headers but we do
> parse them. This permits an attacker to cause an HTTP/2
> endpoint to read arbitrary amounts of data, all associated
> with a request which is going to be rejected.
>
> Set a limit on the amount of excess header frames we
> will process before closing a connection.
>
> Thanks to Bartek Nowotarski for reporting this issue.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 5fcbbde)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
@thaJeztah thaJeztah added this to the 26.0.1 milestone Apr 10, 2024
@thaJeztah thaJeztah self-assigned this Apr 10, 2024
@thaJeztah thaJeztah requested a review from vvoland April 10, 2024 07:44
@vvoland vvoland merged commit 57d2fbb into docker:26.0 Apr 10, 2024
86 checks passed
@thaJeztah thaJeztah deleted the 26.0_backport_bump_x_net branch April 10, 2024 14:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants