Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

security: fix CVE-2022-41723 [1.20 backport] #58356

Closed
gopherbot opened this issue Feb 6, 2023 · 4 comments
Closed

security: fix CVE-2022-41723 [1.20 backport] #58356

gopherbot opened this issue Feb 6, 2023 · 4 comments
Labels
CherryPickApproved Used during the release process for point releases FrozenDueToAge Security
Milestone
Go1.20.1

Comments

@gopherbot
Copy link

@rolandshoemaker requested issue #57855 to be considered for backport to the next 1.20 minor release.

@gopherbot please open backport issues.
@gopherbot gopherbot added the CherryPickCandidate Used during the release process for point releases label Feb 6, 2023
@gopherbot gopherbot mentioned this issue Feb 6, 2023
Closed
@gopherbot gopherbot added this to the Go1.20.1 milestone Feb 6, 2023
@heschi heschi added the CherryPickApproved Used during the release process for point releases label Feb 8, 2023
@gopherbot gopherbot removed the CherryPickCandidate Used during the release process for point releases label Feb 8, 2023
@gopherbot
Copy link
Author

Change https://go.dev/cl/468122 mentions this issue: [release-branch.go1.20] net/http: update bundled golang.org/x/net/http2

gopherbot pushed a commit that referenced this issue Feb 14, 2023
@rolandshoemaker @gopherbot
[release-branch.go1.20] net/http: update bundled golang.org/x/net/http2
8e02cff 
Disable cmd/internal/moddeps test, since this update includes PRIVATE
track fixes.

Fixes CVE-2022-41723
Fixes #58356
Updates #57855

Change-Id: I603886b5b76c16303dab1420d4ec8b7c7cdcf330
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1728940
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Run-TryBot: Roland Shoemaker <bracewell@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/468122
Auto-Submit: Michael Pratt <mpratt@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Michael Pratt <mpratt@google.com>
Reviewed-by: Than McIntosh <thanm@google.com>
@gopherbot
Copy link
Author

Closed by merging 8e02cff to release-branch.go1.20.

@gopherbot
Copy link
Author

Change https://go.dev/cl/468336 mentions this issue: [internal-branch.go1.20-vendor] http2/hpack: avoid quadratic complexity in hpack decoding

gopherbot pushed a commit to golang/net that referenced this issue Feb 14, 2023
@neild @prattmic
[internal-branch.go1.20-vendor] http2/hpack: avoid quadratic complexi…
88ed8ca 
…ty in hpack decoding

When parsing a field literal containing two Huffman-encoded strings,
don't decode the first string until verifying all data is present.
Avoids forced quadratic complexity when repeatedly parsing a partial
field, repeating the Huffman decoding of the string on each iteration.

Thanks to Philippe Antoine (Catena cyber) for reporting this issue.

Fixes golang/go#57855
Fixes CVE-2022-41723
For golang/go#58356

Change-Id: I58a743df450a4a4923dddd5cf6bb0592b0a7bdf3
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1688184
TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
Run-TryBot: Damien Neil <dneil@google.com>
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-on: https://go-review.googlesource.com/c/net/+/468135
Run-TryBot: Michael Pratt <mpratt@google.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Than McIntosh <thanm@google.com>
Auto-Submit: Michael Pratt <mpratt@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
(cherry picked from commit 8e2b117)
Reviewed-on: https://go-review.googlesource.com/c/net/+/468336
@gopherbot
Copy link
Author

Change https://go.dev/cl/468302 mentions this issue: [release-branch.go1.20] all: update vendored golang.org/x/net

gopherbot pushed a commit that referenced this issue Feb 14, 2023
@prattmic @gopherbot
[release-branch.go1.20] all: update vendored golang.org/x/net
828b05c 
Update golang.org/x/net to the tip of internal-branch.go1.20-vendor to
include CL 468336.

The contents of that CL were already merged into this branch in CL
468122, so this CL just brings go.mod back in line to matching the
actual vendored content.

For #58356
For #57855

Change-Id: I6ee9483077630c11c725927f38f6b69a784106db
Reviewed-on: https://go-review.googlesource.com/c/go/+/468302
Run-TryBot: Michael Pratt <mpratt@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Than McIntosh <thanm@google.com>
Auto-Submit: Michael Pratt <mpratt@google.com>
romaindoumenc pushed a commit to TroutSoftware/go that referenced this issue Mar 3, 2023
@rolandshoemaker @romaindoumenc
[release-branch.go1.20] net/http: update bundled golang.org/x/net/http2
3e5c533 
Disable cmd/internal/moddeps test, since this update includes PRIVATE
track fixes.

Fixes CVE-2022-41723
Fixes golang#58356
Updates golang#57855

Change-Id: I603886b5b76c16303dab1420d4ec8b7c7cdcf330
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1728940
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Run-TryBot: Roland Shoemaker <bracewell@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/468122
Auto-Submit: Michael Pratt <mpratt@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Michael Pratt <mpratt@google.com>
Reviewed-by: Than McIntosh <thanm@google.com>
romaindoumenc pushed a commit to TroutSoftware/go that referenced this issue Mar 3, 2023
@prattmic @romaindoumenc
[release-branch.go1.20] all: update vendored golang.org/x/net
1aa28c0 
Update golang.org/x/net to the tip of internal-branch.go1.20-vendor to
include CL 468336.

The contents of that CL were already merged into this branch in CL
468122, so this CL just brings go.mod back in line to matching the
actual vendored content.

For golang#58356
For golang#57855

Change-Id: I6ee9483077630c11c725927f38f6b69a784106db
Reviewed-on: https://go-review.googlesource.com/c/go/+/468302
Run-TryBot: Michael Pratt <mpratt@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Than McIntosh <thanm@google.com>
Auto-Submit: Michael Pratt <mpratt@google.com>
@seankhliao seankhliao mentioned this issue Jul 20, 2023
Closed
@golang golang locked and limited conversation to collaborators Feb 14, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
CherryPickApproved Used during the release process for point releases FrozenDueToAge Security
Projects
None yet
Milestone
Go1.20.1
Development

No branches or pull requests
3 participants
@dmitshur @gopherbot @heschi