| Message ID | 20231011114736.311388-1-peter@korsgaard.com |
|---|---|
| State | Accepted |
| Series | package/go: security bump to version 1.21.3 |
Hi Peter, On Wed, Oct 11, 2023 at 4:47 AM Peter Korsgaard <peter@korsgaard.com> wrote: > > Fixes CVE-2023-39325: rapid stream resets can cause excessive work > > A malicious HTTP/2 client which rapidly creates requests and immediately > resets them can cause excessive server resource consumption. While the > total number of requests is bounded to the http2.Server.MaxConcurrentStreams > setting, resetting an in-progress request allows the attacker to create a > new request while the existing one is still executing. > > go1.21.3 (released 2023-10-10) includes a security fix to the net/http > package. > > Signed-off-by: Peter Korsgaard <peter@korsgaard.com> > --- > package/go/go.hash | 2 +- > package/go/go.mk | 2 +- > 2 files changed, 2 insertions(+), 2 deletions(-) > > diff --git a/package/go/go.hash b/package/go/go.hash > index a2ec6b5923..9499f50964 100644 > --- a/package/go/go.hash > +++ b/package/go/go.hash > @@ -1,3 +1,3 @@ > # From https://go.dev/dl > -sha256 45e59de173baec39481854490d665b726cec3e5b159f6b4172e5ec7780b2c201 go1.21.2.src.tar.gz > +sha256 186f2b6f8c8b704e696821b09ab2041a5c1ee13dcbc3156a13adcf75931ee488 go1.21.3.src.tar.gz > sha256 2d36597f7117c38b006835ae7f537487207d8ec407aa9d9980794b2030cbc067 LICENSE > diff --git a/package/go/go.mk b/package/go/go.mk > index 2c32e90817..ef27f32835 100644 > --- a/package/go/go.mk > +++ b/package/go/go.mk > @@ -4,7 +4,7 @@ > # > ################################################################################ > > -GO_VERSION = 1.21.2 > +GO_VERSION = 1.21.3 > GO_SITE = https://storage.googleapis.com/golang > GO_SOURCE = go$(GO_VERSION).src.tar.gz Reviewed-by: Christian Stewart <christian@aperture.us> Thanks.
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:

> Fixes CVE-2023-39325: rapid stream resets can cause excessive work

> A malicious HTTP/2 client which rapidly creates requests and immediately
> resets them can cause excessive server resource consumption. While the
> total number of requests is bounded to the http2.Server.MaxConcurrentStreams
> setting, resetting an in-progress request allows the attacker to create a
> new request while the existing one is still executing.

> go1.21.3 (released 2023-10-10) includes a security fix to the net/http
> package.

> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Committed, thanks.
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:

> Fixes CVE-2023-39325: rapid stream resets can cause excessive work

> A malicious HTTP/2 client which rapidly creates requests and immediately
> resets them can cause excessive server resource consumption. While the
> total number of requests is bounded to the http2.Server.MaxConcurrentStreams
> setting, resetting an in-progress request allows the attacker to create a
> new request while the existing one is still executing.

> go1.21.3 (released 2023-10-10) includes a security fix to the net/http
> package.

> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

For 2023.02.x and 2023.08.x I have instead bumped to 1.20.10 which contains the same fix.
diff --git a/package/go/go.hash b/package/go/go.hash index a2ec6b5923..9499f50964 100644 --- a/package/go/go.hash +++ b/package/go/go.hash @@ -1,3 +1,3 @@ # From https://go.dev/dl -sha256 45e59de173baec39481854490d665b726cec3e5b159f6b4172e5ec7780b2c201 go1.21.2.src.tar.gz +sha256 186f2b6f8c8b704e696821b09ab2041a5c1ee13dcbc3156a13adcf75931ee488 go1.21.3.src.tar.gz sha256 2d36597f7117c38b006835ae7f537487207d8ec407aa9d9980794b2030cbc067 LICENSE diff --git a/package/go/go.mk b/package/go/go.mk index 2c32e90817..ef27f32835 100644 --- a/package/go/go.mk +++ b/package/go/go.mk @@ -4,7 +4,7 @@ # ################################################################################ -GO_VERSION = 1.21.2 +GO_VERSION = 1.21.3 GO_SITE = https://storage.googleapis.com/golang GO_SOURCE = go$(GO_VERSION).src.tar.gz
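Review bot: the new sha256 for go1.21.3.src.tar.gz in the go.hash hunk should be cross-checked against the digest published at https://go.dev/dl, which the `# From https://go.dev/dl` header line names as its source; a digest computed from a locally downloaded tarball reproduces the download but does not establish upstream provenance, and if that is how it was obtained the commit message should say so. Leaving the LICENSE digest line untouched is consistent with the change touching only the tarball version.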
Fixes CVE-2023-39325: rapid stream resets can cause excessive work

A malicious HTTP/2 client which rapidly creates requests and immediately
resets them can cause excessive server resource consumption. While the
total number of requests is bounded to the http2.Server.MaxConcurrentStreams
setting, resetting an in-progress request allows the attacker to create a
new request while the existing one is still executing.

go1.21.3 (released 2023-10-10) includes a security fix to the net/http
package.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 package/go/go.hash | 2 +-
 package/go/go.mk   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
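As an added example (not part of this patch or of Buildroot), a small Go check that answers the question the thread raises for both maintained release lines: whether a given toolchain version string already carries the CVE-2023-39325 fix. The thresholds come from the thread (1.21.3 for the 1.21 line, 1.20.10 for the 1.20 line); how other release lines are treated is an assumption noted in the comments.

```go
package main

import (
	"fmt"
	"regexp"
	"runtime"
	"strconv"
)
// fixedIn maps a Go minor release line to the first patch release carrying
// the CVE-2023-39325 fix, as stated in the thread: 1.21.3 and 1.20.10.
var fixedIn = map[int]int{20: 10, 21: 3}

// Accepts release tags such as "go1.21.3" or "go1.21"; pre-release strings
// ("go1.21rc2", "devel ...") deliberately do not match.
var goVersionRE = regexp.MustCompile(`^go1\.(\d+)(?:\.(\d+))?$`)

// ParseGoVersion splits a toolchain version string into minor and patch.
func ParseGoVersion(v string) (minor, patch int, err error) {
	m := goVersionRE.FindStringSubmatch(v)
	if m == nil {
		return 0, 0, fmt.Errorf("unrecognised Go version %q", v)
	}
	minor, _ = strconv.Atoi(m[1])
	if m[2] != "" {
		patch, _ = strconv.Atoi(m[2])
	}
	return minor, patch, nil
}

// HasRapidResetFix reports whether a toolchain version includes the net/http
// fix. Lines newer than 1.21 were released after the fix (assumption: every
// later release carries it); lines older than 1.20 were out of support and
// are treated as unfixed; unparsable strings are treated as unfixed.
func HasRapidResetFix(v string) bool {
	minor, patch, err := ParseGoVersion(v)
	if err != nil {
		return false
	}
	if first, ok := fixedIn[minor]; ok {
		return patch >= first
	}
	return minor > 21
}

func main() {
	// Check the running toolchain plus a few constructed sample versions.
	for _, v := range []string{runtime.Version(), "go1.21.2", "go1.20.10", "go1.21rc2"} {
		fmt.Printf("%-10s fix present: %v\n", v, HasRapidResetFix(v))
	}
}
```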