diff mbox series

package/go: security bump to version 1.21.3

Message ID 20231011114736.311388-1-peter@korsgaard.com
State Accepted
Headers show
Series package/go: security bump to version 1.21.3 | expand

Commit Message

Peter Korsgaard Oct. 11, 2023, 11:47 a.m. UTC 
Fixes CVE-2023-39325: rapid stream resets can cause excessive work

A malicious HTTP/2 client which rapidly creates requests and immediately
resets them can cause excessive server resource consumption.  While the
total number of requests is bounded to the http2.Server.MaxConcurrentStreams
setting, resetting an in-progress request allows the attacker to create a
new request while the existing one is still executing.

go1.21.3 (released 2023-10-10) includes a security fix to the net/http
package.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 package/go/go.hash | 2 +-
 package/go/go.mk   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

Comments

Christian Stewart Oct. 11, 2023, 8:02 p.m. UTC | #1 
Hi Peter,

On Wed, Oct 11, 2023 at 4:47 AM Peter Korsgaard <peter@korsgaard.com> wrote:
>
> Fixes CVE-2023-39325: rapid stream resets can cause excessive work
>
> A malicious HTTP/2 client which rapidly creates requests and immediately
> resets them can cause excessive server resource consumption.  While the
> total number of requests is bounded to the http2.Server.MaxConcurrentStreams
> setting, resetting an in-progress request allows the attacker to create a
> new request while the existing one is still executing.
>
> go1.21.3 (released 2023-10-10) includes a security fix to the net/http
> package.
>
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
> ---
>  package/go/go.hash | 2 +-
>  package/go/go.mk   | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/package/go/go.hash b/package/go/go.hash
> index a2ec6b5923..9499f50964 100644
> --- a/package/go/go.hash
> +++ b/package/go/go.hash
> @@ -1,3 +1,3 @@
>  # From https://go.dev/dl
> -sha256  45e59de173baec39481854490d665b726cec3e5b159f6b4172e5ec7780b2c201  go1.21.2.src.tar.gz
> +sha256  186f2b6f8c8b704e696821b09ab2041a5c1ee13dcbc3156a13adcf75931ee488  go1.21.3.src.tar.gz
>  sha256  2d36597f7117c38b006835ae7f537487207d8ec407aa9d9980794b2030cbc067  LICENSE
> diff --git a/package/go/go.mk b/package/go/go.mk
> index 2c32e90817..ef27f32835 100644
> --- a/package/go/go.mk
> +++ b/package/go/go.mk
> @@ -4,7 +4,7 @@
>  #
>  ################################################################################
>
> -GO_VERSION = 1.21.2
> +GO_VERSION = 1.21.3
>  GO_SITE = https://storage.googleapis.com/golang
>  GO_SOURCE = go$(GO_VERSION).src.tar.gz

Reviewed-by: Christian Stewart <christian@aperture.us>

Thanks.
Peter Korsgaard Oct. 12, 2023, 2:38 p.m. UTC | #2 
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:

 > Fixes CVE-2023-39325: rapid stream resets can cause excessive work
 > A malicious HTTP/2 client which rapidly creates requests and immediately
 > resets them can cause excessive server resource consumption.  While the
 > total number of requests is bounded to the http2.Server.MaxConcurrentStreams
 > setting, resetting an in-progress request allows the attacker to create a
 > new request while the existing one is still executing.

 > go1.21.3 (released 2023-10-10) includes a security fix to the net/http
 > package.

 > Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Committed, thanks.
Peter Korsgaard Oct. 13, 2023, 6:44 p.m. UTC | #3 
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:

 > Fixes CVE-2023-39325: rapid stream resets can cause excessive work
 > A malicious HTTP/2 client which rapidly creates requests and immediately
 > resets them can cause excessive server resource consumption.  While the
 > total number of requests is bounded to the http2.Server.MaxConcurrentStreams
 > setting, resetting an in-progress request allows the attacker to create a
 > new request while the existing one is still executing.

 > go1.21.3 (released 2023-10-10) includes a security fix to the net/http
 > package.

 > Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

For 2023.02.x and 2023.08.x I have instead bumped to 1.20.10 which
contains the same fix.
diff mbox series

Patch

diff --git a/package/go/go.hash b/package/go/go.hash
index a2ec6b5923..9499f50964 100644
--- a/package/go/go.hash
+++ b/package/go/go.hash
@@ -1,3 +1,3 @@ 
 # From https://go.dev/dl
-sha256  45e59de173baec39481854490d665b726cec3e5b159f6b4172e5ec7780b2c201  go1.21.2.src.tar.gz
+sha256  186f2b6f8c8b704e696821b09ab2041a5c1ee13dcbc3156a13adcf75931ee488  go1.21.3.src.tar.gz
 sha256  2d36597f7117c38b006835ae7f537487207d8ec407aa9d9980794b2030cbc067  LICENSE
diff --git a/package/go/go.mk b/package/go/go.mk
index 2c32e90817..ef27f32835 100644
--- a/package/go/go.mk
+++ b/package/go/go.mk
@@ -4,7 +4,7 @@ 
 #
 ################################################################################
 
-GO_VERSION = 1.21.2
+GO_VERSION = 1.21.3
 GO_SITE = https://storage.googleapis.com/golang
 GO_SOURCE = go$(GO_VERSION).src.tar.gz