net/http: close connections when receiving too many headers (CVE-2023-45288) [1.22 backport] #66298
gopherbot added the CherryPickCandidate (used during the release process for point releases) and Security labels on Mar 13, 2024.
dmitshur added the CherryPickApproved label and removed the CherryPickCandidate label on Mar 27, 2024.
Change https://go.dev/cl/576076 mentions this issue:
gopherbot pushed a commit that referenced this issue on Apr 3, 2024:
Disable cmd/internal/moddeps test, since this update includes PRIVATE
track fixes.

Fixes CVE-2023-45288
For #65051
Fixes #66298

Change-Id: I5bbf774ebe7651e4bb7e55139d3794bd2b8e8fa8
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2197227
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Run-TryBot: Damien Neil <dneil@google.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/576076
Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
TryBot-Bypass: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Than McIntosh <thanm@google.com>
Closed by merging e55d7cf to release-branch.go1.22.
Change https://go.dev/cl/576255 mentions this issue:
gopherbot pushed a commit that referenced this issue on Apr 3, 2024:
Done with:

    go get golang.org/x/net@internal-branch.go1.22-vendor
    go mod tidy
    go mod vendor
    go generate net/http  # zero diff since CL 576076 already did this

For CVE-2023-45288.
For #65051.
For #66298.

Change-Id: I2a0d69145d711a73eda92ef5ad4010c7c435f621
Reviewed-on: https://go-review.googlesource.com/c/go/+/576255
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
TryBot-Bypass: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Than McIntosh <thanm@google.com>
dmitshur changed the title from "security: fix CVE-2023-45288 [1.22 backport]" to "net/http: close connections when receiving too many headers (CVE-2023-45288) [1.22 backport]" on Apr 3, 2024.
@rolandshoemaker requested issue #65051 to be considered for backport to the next 1.22 minor release.
Edit: Corrected issue reference (#66297 -> #65051)