Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

security: fix CVE-2023-39325 [1.21 backport] #63427

Closed
gopherbot opened this issue Oct 6, 2023 · 4 comments
Closed

security: fix CVE-2023-39325 [1.21 backport] #63427

gopherbot opened this issue Oct 6, 2023 · 4 comments
Labels
CherryPickApproved Used during the release process for point releases FrozenDueToAge Security
Milestone
Go1.21.3

Comments

@gopherbot
Copy link
Contributor

@neild requested issue #63417 to be considered for backport to the next 1.21 minor release.

@gopherbot please open backport issues
@gopherbot gopherbot added CherryPickCandidate Used during the release process for point releases Security labels Oct 6, 2023
@gopherbot gopherbot mentioned this issue Oct 6, 2023
Closed
@gopherbot gopherbot added this to the Go1.21.3 milestone Oct 6, 2023
@dmitshur dmitshur added CherryPickApproved Used during the release process for point releases and removed CherryPickCandidate Used during the release process for point releases labels Oct 6, 2023
@gopherbot
Copy link
Contributor Author

Change https://go.dev/cl/534235 mentions this issue: [release-branch.go1.21] net/http: regenerate h2_bundle.go

gopherbot pushed a commit that referenced this issue Oct 10, 2023
@neild @gopherbot
[release-branch.go1.21] net/http: regenerate h2_bundle.go
24ae2d9 
Pull in a security fix from x/net/http2:
http2: limit maximum handler goroutines to MaxConcurrentStreamso

For #63417
Fixes #63427
Fixes CVE-2023-39325

Change-Id: I70626734e6d56edf508f27a5b055ddf96d806eeb
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2047402
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Run-TryBot: Damien Neil <dneil@google.com>
Reviewed-by: Ian Cottrell <iancottrell@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/534235
Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Michael Pratt <mpratt@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
@gopherbot
Copy link
Contributor Author

Closed by merging 24ae2d9 to release-branch.go1.21.

@gopherbot
Copy link
Contributor Author

Change https://go.dev/cl/534218 mentions this issue: [internal-branch.go1.21-vendor] http2: limit maximum handler goroutines to MaxConcurrentStreams

gopherbot pushed a commit to golang/net that referenced this issue Oct 10, 2023
@neild @gopherbot
[internal-branch.go1.21-vendor] http2: limit maximum handler goroutin…
695775c 
…es to MaxConcurrentStreams

When the peer opens a new stream while we have MaxConcurrentStreams
handler goroutines running, defer starting a handler until one
of the existing handlers exits.

For golang/go#63417.
For golang/go#63427.
For CVE-2023-39325.

Change-Id: If0531e177b125700f3e24c5ebd24b1023098fa6d
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2047391
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Run-TryBot: Damien Neil <dneil@google.com>
Reviewed-by: Ian Cottrell <iancottrell@google.com>
Reviewed-on: https://go-review.googlesource.com/c/net/+/534218
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Michael Pratt <mpratt@google.com>
@gopherbot
Copy link
Contributor Author

Change https://go.dev/cl/534415 mentions this issue: [release-branch.go1.21] all: tidy dependency versioning after release

gopherbot pushed a commit that referenced this issue Oct 10, 2023
@dmitshur @gopherbot
[release-branch.go1.21] all: tidy dependency versioning after release
9465990 
Done with:

go get golang.org/x/net@internal-branch.go1.21-vendor
go mod tidy
go mod vendor
go generate net/http  # zero diff since CL 534235 already did this

For #63417.
For #63427.
For CVE-2023-39325.

Change-Id: Ib258e0d8165760a1082e02c2f4c5ce7d2a3c3c90
Reviewed-on: https://go-review.googlesource.com/c/go/+/534415
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Michael Pratt <mpratt@google.com>
@tbehling tbehling mentioned this issue Oct 10, 2023
Closed
11 tasks
@stefanb stefanb mentioned this issue Oct 11, 2023
Merged
6 tasks
@dusk125 dusk125 mentioned this issue Oct 11, 2023
Merged
@mozken mozken mentioned this issue Oct 12, 2023
Merged
@qwqcode qwqcode mentioned this issue Oct 12, 2023
Merged
@frzifus frzifus mentioned this issue Oct 13, 2023
Merged
awly pushed a commit to tailscale/go that referenced this issue Feb 7, 2024
@neild @awly
[release-branch.go1.21] net/http: regenerate h2_bundle.go
d6c286b 
Pull in a security fix from x/net/http2:
http2: limit maximum handler goroutines to MaxConcurrentStreamso

For golang#63417
Fixes golang#63427
Fixes CVE-2023-39325

Change-Id: I70626734e6d56edf508f27a5b055ddf96d806eeb
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2047402
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Run-TryBot: Damien Neil <dneil@google.com>
Reviewed-by: Ian Cottrell <iancottrell@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/534235
Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Michael Pratt <mpratt@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
awly pushed a commit to tailscale/go that referenced this issue Feb 7, 2024
@dmitshur @awly
[release-branch.go1.21] all: tidy dependency versioning after release
7433c10 
Done with:

go get golang.org/x/net@internal-branch.go1.21-vendor
go mod tidy
go mod vendor
go generate net/http  # zero diff since CL 534235 already did this

For golang#63417.
For golang#63427.
For CVE-2023-39325.

Change-Id: Ib258e0d8165760a1082e02c2f4c5ce7d2a3c3c90
Reviewed-on: https://go-review.googlesource.com/c/go/+/534415
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Michael Pratt <mpratt@google.com>
JanDeDobbeleer pushed a commit to JanDeDobbeleer/go that referenced this issue Feb 12, 2024
@neild @JanDeDobbeleer
[release-branch.go1.21] net/http: regenerate h2_bundle.go
8ed32a7 
Pull in a security fix from x/net/http2:
http2: limit maximum handler goroutines to MaxConcurrentStreamso

For golang#63417
Fixes golang#63427
Fixes CVE-2023-39325

Change-Id: I70626734e6d56edf508f27a5b055ddf96d806eeb
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2047402
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Run-TryBot: Damien Neil <dneil@google.com>
Reviewed-by: Ian Cottrell <iancottrell@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/534235
Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Michael Pratt <mpratt@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
JanDeDobbeleer pushed a commit to JanDeDobbeleer/go that referenced this issue Feb 12, 2024
@dmitshur @JanDeDobbeleer
[release-branch.go1.21] all: tidy dependency versioning after release
3b6e0fa 
Done with:

go get golang.org/x/net@internal-branch.go1.21-vendor
go mod tidy
go mod vendor
go generate net/http  # zero diff since CL 534235 already did this

For golang#63417.
For golang#63427.
For CVE-2023-39325.

Change-Id: Ib258e0d8165760a1082e02c2f4c5ce7d2a3c3c90
Reviewed-on: https://go-review.googlesource.com/c/go/+/534415
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Michael Pratt <mpratt@google.com>
@golang golang locked and limited conversation to collaborators Oct 9, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
CherryPickApproved Used during the release process for point releases FrozenDueToAge Security
Projects
None yet
Milestone
Go1.21.3
Development

No branches or pull requests
2 participants
@dmitshur @gopherbot