net/http: close connections when receiving too many headers (CVE-2023-45288) [1.21 backport] #65387

gopherbot · 2024-01-30T22:14:39Z

@neild requested issue #65051 to be considered for backport to the next 1.21 minor release.

@gopherbot please open backport issues for this security fix.

neild · 2024-02-20T23:58:52Z

Deferred pending coordinated disclosure, will reopen when we know what release this goes into.

gopherbot · 2024-04-03T14:53:28Z

Change https://go.dev/cl/576075 mentions this issue: [release-branch.go1.21] net/http: update bundled golang.org/x/net/http2

Disable cmd/internal/moddeps test, since this update includes PRIVATE track fixes. Fixes CVE-2023-45288 For #65051 Fixes #65387 Change-Id: I17da6da2fe0dd70062b49f94377875acb34829a1 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2197267 Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> Run-TryBot: Damien Neil <dneil@google.com> Reviewed-by: Tatiana Bradley <tatianabradley@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/576075 TryBot-Bypass: Dmitri Shuralyov <dmitshur@google.com> Commit-Queue: Dmitri Shuralyov <dmitshur@golang.org> Auto-Submit: Dmitri Shuralyov <dmitshur@google.com> Reviewed-by: Than McIntosh <thanm@google.com>

dmitshur · 2024-04-03T15:24:15Z

Closed by merging commit ae59133 (CL 576075) to release-branch.go1.21.

gopherbot · 2024-04-03T17:27:43Z

Change https://go.dev/cl/576275 mentions this issue: [release-branch.go1.21] all: tidy dependency versioning after release

Done with: go get golang.org/x/net@internal-branch.go1.21-vendor go mod tidy go mod vendor go generate net/http # zero diff since CL 576075 already did this For CVE-2023-45288. For #65051. For #65387. Change-Id: I336670bdb3df2496c1e8d322c20794042fbc0d02 Reviewed-on: https://go-review.googlesource.com/c/go/+/576275 TryBot-Bypass: Dmitri Shuralyov <dmitshur@google.com> Reviewed-by: Than McIntosh <thanm@google.com> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>

gopherbot added CherryPickCandidate Used during the release process for point releases Security labels Jan 30, 2024

gopherbot mentioned this issue Jan 30, 2024

net/http, x/net/http2: close connections when receiving too many headers (CVE-2023-45288) #65051

Closed

neild added CherryPickApproved Used during the release process for point releases and removed CherryPickCandidate Used during the release process for point releases labels Jan 30, 2024

gopherbot modified the milestones: Go1.21.7, Go1.21.8 Jan 30, 2024

neild closed this as not planned Won't fix, can't repro, duplicate, stale Feb 20, 2024

rcrozean mentioned this issue Mar 5, 2024

security: fix CVE-2023-45288 aws/eks-distro-build-tooling#1362

Closed

gopherbot mentioned this issue Mar 13, 2024

security: fix CVE-2023-45288 #66297

Closed

rolandshoemaker reopened this Mar 13, 2024

thanm added the release-blocker label Mar 28, 2024

thanm modified the milestones: Go1.21.8, Go1.21.9 Mar 28, 2024

dmitshur closed this as completed Apr 3, 2024

dmitshur changed the title ~~security: fix CVE-2023-45288 [1.21 backport]~~ net/http: close connections when receiving too many headers (CVE-2023-45288) [1.21 backport] Apr 3, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

net/http: close connections when receiving too many headers (CVE-2023-45288) [1.21 backport] #65387

net/http: close connections when receiving too many headers (CVE-2023-45288) [1.21 backport] #65387

gopherbot commented Jan 30, 2024

neild commented Feb 20, 2024

gopherbot commented Apr 3, 2024

dmitshur commented Apr 3, 2024

gopherbot commented Apr 3, 2024

net/http: close connections when receiving too many headers (CVE-2023-45288) [1.21 backport] #65387

net/http: close connections when receiving too many headers (CVE-2023-45288) [1.21 backport] #65387

Comments

gopherbot commented Jan 30, 2024

neild commented Feb 20, 2024

gopherbot commented Apr 3, 2024

dmitshur commented Apr 3, 2024

gopherbot commented Apr 3, 2024