net/http: limit growth of header canonicalization cache #50058

Closed
FiloSottile opened this issue Dec 9, 2021 · 7 comments
Labels: FrozenDueToAge, NeedsFix (the path to resolution is known, but the work has not been done), release-blocker, Security
Comments

@FiloSottile
Contributor

FiloSottile commented Dec 9, 2021

An attacker can cause unbounded memory growth in a Go server accepting HTTP/2 requests.

For users who cannot immediately update to the new release, setting the GODEBUG=http2server=0 environment variable before calling Serve will disable HTTP/2 unless it was manually configured through the golang.org/x/net/http2 package.

This issue is also fixed in golang.org/x/net/http2 v0.0.0-20211209124913-491a49abca63, for users manually configuring HTTP/2.

Thank you to murakmii for reporting this issue.

This is CVE-2021-44716 and is fixed in Go 1.17.5 and Go 1.16.12.

@golang golang locked and limited conversation to collaborators Dec 9, 2021
@gopherbot

Change https://golang.org/cl/370574 mentions this issue: [release-branch.go1.17] net/http: update bundled golang.org/x/net/http2

@gopherbot

Change https://golang.org/cl/370575 mentions this issue: [release-branch.go1.16] net/http: update bundled golang.org/x/net/http2

@FiloSottile
Contributor Author

https://golang.org/cl/369794 is the fix on x/net.

@FiloSottile
Contributor Author

Reopening for bundling into Go 1.18.

@FiloSottile FiloSottile reopened this Dec 9, 2021
@FiloSottile FiloSottile added this to the Go1.18 milestone Dec 9, 2021
@FiloSottile FiloSottile added NeedsFix The path to resolution is known, but the work has not been done. release-blocker Security labels Dec 9, 2021
@gopherbot

Change https://golang.org/cl/370579 mentions this issue: net/http: update bundled golang.org/x/net/http2

@FiloSottile FiloSottile changed the title placeholder net/http: limit growth of header canonicalization cache Dec 9, 2021
@FiloSottile
Contributor Author

@gopherbot please open backport issues, this is CVE-2021-44716.

@gopherbot

Backport issue(s) opened: #50064 (for 1.16), #50065 (for 1.17).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://golang.org/wiki/MinorReleases.

@golang golang unlocked this conversation Dec 9, 2021
josharian pushed a commit to tailscale/go that referenced this issue Dec 9, 2021
Pull in security fix

    84cba54 http2: cap the size of the server's canonical header cache

Updates golang#50058
Fixes CVE-2021-44716

Change-Id: Ia89e3d22a173c6cb83f03608d5186fcd08f2956c
Reviewed-on: https://go-review.googlesource.com/c/go/+/370574
Trust: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Alex Rakoczy <alex@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
gopherbot pushed a commit that referenced this issue Dec 9, 2021
Pull in security fix

    a5309b3 http2: cap the size of the server's canonical header cache

Updates #50058
Fixes CVE-2021-44716

Change-Id: Ifdd13f97fce168de5fb4b2e74ef2060d059800b9
Reviewed-on: https://go-review.googlesource.com/c/go/+/370575
Trust: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Alex Rakoczy <alex@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
BlaineEXE added a commit to BlaineEXE/rook that referenced this issue Dec 20, 2021
A Go net/http bug documented here
golang/go#50058 could potentially affect users
who enable Rook's webhook.

Signed-off-by: Blaine Gardner <blaine.gardner@redhat.com>
fedosgad pushed a commit to fedosgad/oohttp that referenced this issue Jun 22, 2022
…anonical header cache

The HTTP/2 server keeps a per-connection cache mapping header keys
to their canonicalized form (e.g., "foo-bar" => "Foo-Bar"). Cap the
maximum size of this cache to prevent a peer sending many unique
header keys from causing unbounded memory growth.

Cap chosen arbitrarily at 32 entries. Since this cache does not
include common headers (e.g., "content-type"), 32 seems like more
than enough for almost all normal uses.

Updates golang/go#50058
Fixes CVE-2021-44716

Change-Id: Ia83696dc23253c12af8f26d502557c2cc9841105
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1290827
Reviewed-by: Roland Shoemaker <bracewell@google.com>
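The capped per-connection canonicalization cache that the commit message above describes, as an added example; this is not the x/net/http2 code itself. The type and function names are constructed, the 32-entry cap matches the one described, and the many distinct header names are constructed input.

```go
package main

import (
	"fmt"
	"net/textproto"
)

// maxCachedCanonicalHeaders is the per-connection cap; 32 is the value
// the fix describes. The names in this file are constructed for illustration.
const maxCachedCanonicalHeaders = 32

// canonHeaderCache maps raw header keys to their canonical form
// (e.g. "foo-bar" => "Foo-Bar"). Once full, new keys are still
// canonicalized but no longer stored, so a peer sending many unique
// header names cannot make the map grow without bound.
type canonHeaderCache struct {
	entries map[string]string
	limit   int
}

func newCanonHeaderCache(limit int) *canonHeaderCache {
	return &canonHeaderCache{entries: make(map[string]string), limit: limit}
}

// canonical returns the canonical form of key, caching the result
// only while the cache has room.
func (c *canonHeaderCache) canonical(key string) string {
	if v, ok := c.entries[key]; ok {
		return v
	}
	v := textproto.CanonicalMIMEHeaderKey(key)
	if len(c.entries) < c.limit {
		c.entries[key] = v
	}
	return v
}

// size reports how many keys are currently cached.
func (c *canonHeaderCache) size() int { return len(c.entries) }

func main() {
	c := newCanonHeaderCache(maxCachedCanonicalHeaders)
	// Constructed input: one connection sending 10000 distinct header names.
	for i := 0; i < 10000; i++ {
		c.canonical(fmt.Sprintf("x-unique-%d", i))
	}
	fmt.Println("cached entries:", c.size())  // 32, not 10000
	fmt.Println("foo-bar =>", c.canonical("foo-bar")) // Foo-Bar, still correct
}
```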
@golang golang locked and limited conversation to collaborators Dec 9, 2022