
security: fix CVE-2022-41717 [1.18 backport] #57008

Closed
gopherbot opened this issue Nov 30, 2022 · 4 comments
Labels: CherryPickApproved (used during the release process for point releases), FrozenDueToAge, Security
Comments

@gopherbot

@neild requested issue #56350 to be considered for backport to the next 1.18 minor release.

@gopherbot please open backport issues

@gopherbot gopherbot added the CherryPickCandidate Used during the release process for point releases label Nov 30, 2022
@gopherbot gopherbot added this to the Go1.18.10 milestone Nov 30, 2022
@toothrot toothrot modified the milestones: Go1.18.10, Go1.18.9 Dec 6, 2022
@gopherbot (Author)

Change https://go.dev/cl/455361 mentions this issue: [release-branch.go1.18] net/http: update bundled golang.org/x/net/http2

gopherbot pushed a commit that referenced this issue Dec 6, 2022
Disable cmd/internal/moddeps test, since this update includes PRIVATE
track fixes.

For #56350
For #57008
Fixes CVE-2022-41717

Change-Id: I31ebd2b9ae190ef6f7646187103ea1c8a713ff2e
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1663833
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/455361
Run-TryBot: Jenny Rakoczy <jenny@golang.org>
Reviewed-by: Michael Pratt <mpratt@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
@gopherbot (Author)

Closed by merging 76cad4e to release-branch.go1.18.

@gopherbot (Author)

Change https://go.dev/cl/455735 mentions this issue: [internal-branch.go1.18-vendor] http2: limit canonical header cache by bytes, not entries

@dmitshur dmitshur added Security CherryPickApproved Used during the release process for point releases and removed CherryPickCandidate Used during the release process for point releases labels Dec 7, 2022
@dmitshur (Contributor)

dmitshur commented Dec 7, 2022

This was approved as a security fix and included in Go 1.18.9.

gopherbot pushed a commit to golang/net that referenced this issue Dec 9, 2022
…y bytes, not entries

The canonical header cache is a per-connection cache mapping header
keys to their canonicalized form. (For example, "foo-bar" => "Foo-Bar").
We limit the number of entries in the cache to prevent an attacker
from consuming unbounded amounts of memory by sending many unique
keys, but a small number of very large keys can still consume an
unreasonable amount of memory.

Track the amount of memory consumed by the cache and limit it based
on memory rather than number of entries.

Thanks to Josselin Costanzi for reporting this issue.

For golang/go#56350
For golang/go#57008
Fixes CVE-2022-41717

Change-Id: Ief3c141001524fd3776958ecc8556c724427f063
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1619953
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
Run-TryBot: Damien Neil <dneil@google.com>
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1662692
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Reviewed-on: https://go-review.googlesource.com/c/net/+/455735
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Jenny Rakoczy <jenny@golang.org>
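The commit message above describes the shape of the fix: a per-connection canonical header cache that used to be capped by entry count and is now capped by the bytes it holds. The following is an added illustration, not the golang.org/x/net/http2 code; the cache type, the `memoryHeld` helper, the entry and byte caps, and the `len(key)+len(value)` size accounting are all assumptions made for this example, and it compares how much memory each policy retains when a client sends a few very large unique keys.

```go
package main
import (
	"fmt"
	"net/textproto"
	"strings"
)

// Caps assumed for this illustration, not the values used by x/net/http2.
const maxEntries, maxBytes = 32, 4096
// headerCache maps raw header keys to their canonical form ("foo-bar" => "Foo-Bar")
// for one connection; limitByBytes selects the pre-fix (entries) or post-fix (bytes) policy.
type headerCache struct {
	limitByBytes bool
	m            map[string]string
	bytes        int // memory held by cached keys and values
}

// canonical returns the canonical key, caching it only while the limit has room.
func (c *headerCache) canonical(key string) string {
	if v, ok := c.m[key]; ok {
		return v
	}
	if c.m == nil {
		c.m = make(map[string]string)
	}
	v := textproto.CanonicalMIMEHeaderKey(key)
	size := len(key) + len(v)
	room := len(c.m) < maxEntries
	if c.limitByBytes {
		room = c.bytes+size <= maxBytes
	}
	if room {
		c.m[key] = v
		c.bytes += size
	}
	return v
}

// memoryHeld feeds n unique keys of keyLen+7 bytes to a fresh cache and reports bytes retained.
func memoryHeld(limitByBytes bool, n, keyLen int) int {
	c := &headerCache{limitByBytes: limitByBytes}
	for i := 0; i < n; i++ {
		c.canonical(fmt.Sprintf("x-%04d-%s", i, strings.Repeat("a", keyLen)))
	}
	return c.bytes
}

func main() { // Constructed input: 32 distinct keys of about 1 KiB each.
	fmt.Println("entry-limited:", memoryHeld(false, 32, 1024), "byte-limited:", memoryHeld(true, 32, 1024))
}
```

With 32 keys of about 1 KiB the entry-limited policy retains roughly 64 KiB while the byte-limited policy stops after the first key; with many small keys both policies stay bounded, which is why the entry cap alone looked sufficient before this report.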
@golang golang locked and limited conversation to collaborators Dec 7, 2023