Commit
build(deps): bump golang.org/x/net to v0.4.0 (#5464)
This fixes the latest finding of govulncheck -- we had thought GO-2022-1144 was fully addressed by updating golang to 1.19.4, but it seems like that was NOT the case:

Vulnerability #1: GO-2022-1144
  An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.

  Call stacks in your code:
    Error: server/server.go:477:18: github.com/open-policy-agent/opa/server.baseHTTPListener.ListenAndServe calls net/http.Server.Serve, which eventually calls golang.org/x/net/http2.Server.ServeConn

  Found in: golang.org/x/net/http2@v0.0.0-20220909164309-bea034e7d591
  Fixed in: golang.org/x/net/http2@v0.4.0
  More info: https://pkg.go.dev/vuln/GO-2022-1144

Signed-off-by: Stephan Renatus <stephan.renatus@gmail.com>