Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

security: fix CVE-2022-41717 [1.19 backport] #57009

Closed
gopherbot opened this issue Nov 30, 2022 · 4 comments
Closed

security: fix CVE-2022-41717 [1.19 backport] #57009

gopherbot opened this issue Nov 30, 2022 · 4 comments
Labels
CherryPickApproved Used during the release process for point releases FrozenDueToAge Security
Milestone

Comments

@gopherbot
Copy link
Contributor

@neild requested issue #56350 to be considered for backport to the next 1.19 minor release.

@gopherbot please open backport issues

@gopherbot gopherbot added the CherryPickCandidate Used during the release process for point releases label Nov 30, 2022
@gopherbot gopherbot added this to the Go1.19.5 milestone Nov 30, 2022
@toothrot toothrot modified the milestones: Go1.19.5, Go1.19.4 Dec 6, 2022
@gopherbot
Copy link
Contributor Author

Change https://go.dev/cl/455363 mentions this issue: [release-branch.go1.19] net/http: update bundled golang.org/x/net/http2

gopherbot pushed a commit that referenced this issue Dec 6, 2022
Disable cmd/internal/moddeps test, since this update includes PRIVATE
track fixes.

For #56350.
For #57009.
Fixes CVE-2022-41717.

Change-Id: I5c6ce546add81f361dcf0d5123fa4eaaf8f0a03b
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1663835
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/455363
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Jenny Rakoczy <jenny@golang.org>
Reviewed-by: Michael Pratt <mpratt@google.com>
@gopherbot
Copy link
Contributor Author

Closed by merging 618120c to release-branch.go1.19.

@gopherbot
Copy link
Contributor Author

Change https://go.dev/cl/455736 mentions this issue: [internal-branch.go1.19-vendor] http2: limit canonical header cache by bytes, not entries

@dmitshur
Copy link
Contributor

dmitshur commented Dec 7, 2022

This was approved as a security fix and included in Go 1.19.4.

@dmitshur dmitshur added Security CherryPickApproved Used during the release process for point releases and removed CherryPickCandidate Used during the release process for point releases labels Dec 7, 2022
andrew-d pushed a commit to tailscale/go that referenced this issue Dec 7, 2022
Disable cmd/internal/moddeps test, since this update includes PRIVATE
track fixes.

For golang#56350.
For golang#57009.
Fixes CVE-2022-41717.

Change-Id: I5c6ce546add81f361dcf0d5123fa4eaaf8f0a03b
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1663835
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/455363
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Jenny Rakoczy <jenny@golang.org>
Reviewed-by: Michael Pratt <mpratt@google.com>
gopherbot pushed a commit to golang/net that referenced this issue Dec 10, 2022
…y bytes, not entries

The canonical header cache is a per-connection cache mapping header
keys to their canonicalized form. (For example, "foo-bar" => "Foo-Bar").
We limit the number of entries in the cache to prevent an attacker
from consuming unbounded amounts of memory by sending many unique
keys, but a small number of very large keys can still consume an
unreasonable amount of memory.

Track the amount of memory consumed by the cache and limit it based
on memory rather than number of entries.

Thanks to Josselin Costanzi for reporting this issue.

For golang/go#56350
For golang/go#57009
Fixes CVE-2022-41717

Change-Id: Ief3c141001524fd3776958ecc8556c724427f063
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1619953
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
Run-TryBot: Damien Neil <dneil@google.com>
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1662693
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Reviewed-on: https://go-review.googlesource.com/c/net/+/455736
Reviewed-by: Jenny Rakoczy <jenny@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
@golang golang locked and limited conversation to collaborators Dec 7, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
CherryPickApproved Used during the release process for point releases FrozenDueToAge Security
Projects
None yet
Development

No branches or pull requests

3 participants