Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[🐸 Frogbot] Update version of golang.org/x/net to 0.23.0 #134

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

[🐸 Frogbot] Update version of golang.org/x/net to 0.23.0 #134

wants to merge 1 commit into from

Conversation

github-actions[bot]
Copy link
Contributor

🚨 This automated pull request was created by Frogbot and fixes the below:

📦 Vulnerable Dependencies

✍️ Summary

SEVERITY DIRECT DEPENDENCIES IMPACTED DEPENDENCY FIXED VERSIONS CVES

Medium		 github.com/go-git/go-git/v5:v5.11.0
github.com/grokify/mogo:v0.62.6
github.com/ktrysmt/go-bitbucket:v0.9.73
golang.org/x/net:v0.19.0
golang.org/x/oauth2:v0.15.0		 golang.org/x/net v0.19.0 [0.23.0] CVE-2023-45288

🔬 Research Details

Description:
The net/http package in Go is used for handling HTTP requests and responses.
HTTP/2 is a binary protocol where the client and server exchange binary frames instead of text lines as in HTTP/1.x. HTTP/2 resolves numerous concerns found in HTTP/1.1 by organizing each HTTP message into a series of HTTP/2 frames. These frames include frame type, length, flags, stream identifier (ID), and payload.

The HEADERS frame type allows sending HTTP headers of, both, request and response. The HEADERS frame contains many flags.
The CONTINUATION frame type is similar to the HEADER frame, but it has just one flag: END_HEADERS. When it is not set, the peer knows that more headers are coming in the following CONTINUATION frames.

This mechanism allows an attacker to send an HTTP/2 stream with CONTINUATION frames, without setting the END_HEADERS flag in any of the frames. This can cause denial-of-service when sending an excessive number of these crafted frames due to caching all frames in memory.

Though the net/http package uses HTTP/2 by default, a Golang web server must have HTTPS configured to be vulnerable to exploitation.
The x/net/http2 package is vulnerable by default.

Remediation:

Development mitigations

From Golang version 1.6, the net/http package is using the HTTP/2 protocol by default when using HTTPS. You can disable HTTP/2 by setting Server.TLSNextProto (for servers) to a non-nil, empty map.

For example:

package main

import (
    "log"
    "net/http"
    "crypto/tls"
)

func main() {
    m := http.NewServeMux()
    srv := &http.Server{
        Handler:      m,
        Addr:         "127.0.0.1:8080",
        TLSNextProto: make(map[string]func(*http.Server, *tls.Conn, http.Handler)),
    }
    log.Fatal(srv.ListenAndServe())
}

Alternatively, the following GODEBUG settings are also supported, which disables the HTTP/2 server support:

GODEBUG=http2server=0

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@JFrog-Frogbot