-
Notifications
You must be signed in to change notification settings - Fork 17.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
net/http: insufficient sanitization of Host header [1.20 backport] #61076
Labels
CherryPickApproved
Used during the release process for point releases
FrozenDueToAge
release-blocker
Security
Milestone
Comments
gopherbot
added
the
CherryPickCandidate
Used during the release process for point releases
label
Jun 29, 2023
Change https://go.dev/cl/507357 mentions this issue: |
tatianab
added
release-blocker
CherryPickApproved
Used during the release process for point releases
and removed
release-blocker
labels
Jun 30, 2023
gopherbot
removed
the
CherryPickCandidate
Used during the release process for point releases
label
Jun 30, 2023
Change https://go.dev/cl/507905 mentions this issue: |
Change https://go.dev/cl/507906 mentions this issue: |
Closed by merging 312920c to release-branch.go1.20. |
gopherbot
pushed a commit
that referenced
this issue
Jul 6, 2023
Verify that the Host header we send is valid. Avoids surprising behavior such as a Host of "go.dev\r\nX-Evil:oops" adding an X-Evil header to HTTP/1 requests. Add a test, skip the test for HTTP/2. HTTP/2 is not vulnerable to header injection in the way HTTP/1 is, but x/net/http2 doesn't validate the header and will go into a retry loop when the server rejects it. CL 506995 adds the necessary validation to x/net/http2. For #60374 Fixes #61076 For CVE-2023-29406 Change-Id: I05cb6866a9bead043101954dfded199258c6dd04 Reviewed-on: https://go-review.googlesource.com/c/go/+/506996 Reviewed-by: Tatiana Bradley <tatianabradley@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Run-TryBot: Damien Neil <dneil@google.com> (cherry picked from commit 499458f) Reviewed-on: https://go-review.googlesource.com/c/go/+/507357 Reviewed-by: Damien Neil <dneil@google.com> Run-TryBot: Tatiana Bradley <tatianabradley@google.com> Reviewed-by: Roland Shoemaker <roland@golang.org>
AlexanderYastrebov
added a commit
to zalando/skipper
that referenced
this issue
Jul 13, 2023
Redis testcontainer fails to start due to due to testcontainers/testcontainers-go#1359 caused by golang/go#61076 and we can not pin cdp-runtime/go to a working patch version before 1.20.6 Signed-off-by: Alexander Yastrebov <alexander.yastrebov@zalando.de>
AlexanderYastrebov
added a commit
to zalando/skipper
that referenced
this issue
Jul 13, 2023
Redis testcontainer fails to start due to due to testcontainers/testcontainers-go#1359 caused by golang/go#61076 and we can not pin cdp-runtime/go to a working patch version before 1.20.6 Signed-off-by: Alexander Yastrebov <alexander.yastrebov@zalando.de>
AlexanderYastrebov
added a commit
to zalando/skipper
that referenced
this issue
Jul 13, 2023
Redis testcontainer fails to start due to testcontainers/testcontainers-go#1359 caused by golang/go#61076 and we can not pin cdp-runtime/go to a working patch version before 1.20.6 Signed-off-by: Alexander Yastrebov <alexander.yastrebov@zalando.de>
AlexanderYastrebov
added a commit
to zalando/skipper
that referenced
this issue
Jul 14, 2023
Redis testcontainer fails to start due to testcontainers/testcontainers-go#1359 caused by golang/go#61076 and we can not pin cdp-runtime/go to a working patch version before 1.20.6 Signed-off-by: Alexander Yastrebov <alexander.yastrebov@zalando.de>
AlexanderYastrebov
added a commit
to zalando/skipper
that referenced
this issue
Jul 15, 2023
Redis testcontainer fails to start due to testcontainers/testcontainers-go#1359 caused by golang/go#61076 and we can not pin cdp-runtime/go to a working patch version before 1.20.6 Signed-off-by: Alexander Yastrebov <alexander.yastrebov@zalando.de>
caixw
added a commit
to issue9/assert
that referenced
this issue
Jul 21, 2023
golang/go#61076 添加了对 HOST 的验证, 原有的实现不再可行。
TomaszAIR
added a commit
to 3mdeb/meta-balena-engine
that referenced
this issue
Nov 2, 2023
Go used in kirkstone uses fix for CVE-2023-29406 which breaks docker/balena engine. see: - moby/moby#46614 - moby/moby#45935 - golang/go#61076 Signed-off-by: Tomasz Żyjewski <tomasz.zyjewski@3mdeb.com>
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Labels
CherryPickApproved
Used during the release process for point releases
FrozenDueToAge
release-blocker
Security
@neild requested issue #60374 to be considered for backport to the next 1.20 minor release.
The text was updated successfully, but these errors were encountered: