
security: fix CVE-2022-41723 [1.19 backport] #58355

Closed
gopherbot opened this issue Feb 6, 2023 · 4 comments
Labels: CherryPickApproved, FrozenDueToAge, Security
Milestone: Go1.19.6

@gopherbot

@rolandshoemaker requested issue #57855 to be considered for backport to the next 1.19 minor release.

@gopherbot please open backport issues.

@gopherbot gopherbot added the CherryPickCandidate label Feb 6, 2023
@gopherbot gopherbot added this to the Go1.19.6 milestone Feb 6, 2023
@heschi heschi added the CherryPickApproved label Feb 8, 2023
@gopherbot gopherbot removed the CherryPickCandidate label Feb 8, 2023
@gopherbot

Change https://go.dev/cl/468118 mentions this issue: [release-branch.go1.19] net/http: update bundled golang.org/x/net/http2

gopherbot pushed a commit that referenced this issue Feb 14, 2023
Disable cmd/internal/moddeps test, since this update includes PRIVATE
track fixes.

Fixes CVE-2022-41723
Fixes #58355
Updates #57855

Change-Id: Ie870562a6f6e44e4e8f57db6a0dde1a41a2b090c
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1728939
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Run-TryBot: Roland Shoemaker <bracewell@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/468118
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Michael Pratt <mpratt@google.com>
Auto-Submit: Michael Pratt <mpratt@google.com>
Reviewed-by: Than McIntosh <thanm@google.com>
@gopherbot

Closed by merging 5c3e11b to release-branch.go1.19.

@gopherbot

Change https://go.dev/cl/468335 mentions this issue: [internal-branch.go1.19-vendor] http2/hpack: avoid quadratic complexity in hpack decoding

gopherbot pushed a commit to golang/net that referenced this issue Feb 14, 2023
…ty in hpack decoding

When parsing a field literal containing two Huffman-encoded strings,
don't decode the first string until verifying all data is present.
Avoids forced quadratic complexity when repeatedly parsing a partial
field, repeating the Huffman decoding of the string on each iteration.

Thanks to Philippe Antoine (Catena cyber) for reporting this issue.

Fixes golang/go#57855
Fixes CVE-2022-41723
For golang/go#58355

Change-Id: I58a743df450a4a4923dddd5cf6bb0592b0a7bdf3
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1688184
TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
Run-TryBot: Damien Neil <dneil@google.com>
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-on: https://go-review.googlesource.com/c/net/+/468135
Run-TryBot: Michael Pratt <mpratt@google.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Than McIntosh <thanm@google.com>
Auto-Submit: Michael Pratt <mpratt@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
(cherry picked from commit 8e2b117)
Reviewed-on: https://go-review.googlesource.com/c/net/+/468335
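The retry pattern that commit message describes, shown as an added example; this is not code from this page or from golang.org/x/net/http2/hpack. It models a field literal as two length-prefixed strings with a one-byte length (an assumption for illustration, not HPACK's integer encoding) and a stand-in huffDecode whose only relevant property is that it costs O(n) per call and records the bytes it touched. parseEager decodes the name before confirming the value is complete, which is the behaviour the fix removes; parseChecked confirms both strings are present first. feedByteByByte trickles the bytes in one at a time to force the retries. ErrNeedMore, bounds, buildField and the other names are illustrative.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

var ErrNeedMore = errors.New("need more data") // only part of a field literal is buffered
var decodeWork int                              // bytes pushed through huffDecode (reset per run)

// Field is a decoded (name, value) pair.
type Field struct{ Name, Value string }

// huffDecode stands in for Huffman decoding: deliberately O(len(b)), and it
// records the work done. The real HPACK Huffman table is not used here.
func huffDecode(b []byte) string {
	out := make([]byte, len(b))
	for i, c := range b {
		out[i] = c ^ 0x20 // toy transform; only the cost matters
	}
	decodeWork += len(b)
	return string(out)
}

// bounds reads a one-byte length prefix at pos (toy encoding, not HPACK's) and
// returns the string's byte range, or ErrNeedMore if it is not all in buf yet.
func bounds(buf []byte, pos int) (start, end int, err error) {
	if pos >= len(buf) {
		return 0, 0, ErrNeedMore
	}
	end = pos + 1 + int(buf[pos])
	if end > len(buf) {
		return 0, 0, ErrNeedMore
	}
	return pos + 1, end, nil
}

// parseEager decodes the name as soon as its bytes are present, before checking
// that the value is complete; each retry on a partial value repeats that work.
func parseEager(buf []byte) (Field, error) {
	ns, ne, err := bounds(buf, 0)
	if err != nil {
		return Field{}, err
	}
	name := huffDecode(buf[ns:ne]) // work spent before the value is checked
	vs, ve, err := bounds(buf, ne)
	if err != nil {
		return Field{}, err
	}
	return Field{name, huffDecode(buf[vs:ve])}, nil
}

// parseChecked verifies that both strings are fully present before decoding
// either, so a partial field costs O(1) per retry.
func parseChecked(buf []byte) (Field, error) {
	ns, ne, err := bounds(buf, 0)
	if err != nil {
		return Field{}, err
	}
	vs, ve, err := bounds(buf, ne)
	if err != nil {
		return Field{}, err
	}
	return Field{huffDecode(buf[ns:ne]), huffDecode(buf[vs:ve])}, nil
}

// feedByteByByte delivers the field one byte at a time, the way a peer that
// trickles a HEADERS frame forces retries, and returns field plus total work.
func feedByteByByte(parse func([]byte) (Field, error), field []byte) (Field, int, error) {
	decodeWork = 0
	var buf []byte
	for _, b := range field {
		buf = append(buf, b)
		f, err := parse(buf)
		if err == nil {
			return f, decodeWork, nil
		}
		if !errors.Is(err, ErrNeedMore) {
			return Field{}, decodeWork, err
		}
	}
	return Field{}, decodeWork, ErrNeedMore
}

// buildField encodes (name, value) in the toy format: one-byte length followed
// by the "Huffman" bytes, for each string (each must be under 256 bytes).
func buildField(name, value string) []byte {
	enc := func(s string) []byte {
		b := []byte{byte(len(s))}
		for _, c := range []byte(s) {
			b = append(b, c^0x20)
		}
		return b
	}
	return append(enc(name), enc(value)...)
}

func main() {
	raw := buildField(strings.Repeat("a", 200), strings.Repeat("b", 50)) // constructed input
	_, eager, _ := feedByteByByte(parseEager, raw)
	_, checked, _ := feedByteByByte(parseChecked, raw)
	fmt.Printf("eager: %d bytes decoded, checked: %d bytes decoded\n", eager, checked)
}
```

With a 200-byte name and a 50-byte value trickled in one byte at a time, the eager parser re-decodes the name on each of the 52 retries that happen once the name is complete (10,450 bytes decoded in total), while the checked parser decodes each string exactly once (250 bytes). The check is cheap because it only reads the length prefixes; nothing is decoded until the whole literal is buffered, which is the property the fix restores.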
@gopherbot

Change https://go.dev/cl/468303 mentions this issue: [release-branch.go1.19] all: update vendored golang.org/x/net

gopherbot pushed a commit that referenced this issue Feb 14, 2023
Update golang.org/x/net to the tip of internal-branch.go1.19-vendor to
include CL 468335.

The contents of that CL were already merged into this branch in CL
468118, so this CL just brings go.mod back in line to matching the
actual vendored content.

For #58355
For #57855

Change-Id: Ie952744a5b2249f0c05afb7f86bebf872734b09a
Reviewed-on: https://go-review.googlesource.com/c/go/+/468303
Run-TryBot: Michael Pratt <mpratt@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Than McIntosh <thanm@google.com>
Auto-Submit: Michael Pratt <mpratt@google.com>
@golang golang locked and limited conversation to collaborators Feb 14, 2024