security: fix CVE-2022-41717 [1.19 backport] #57009
Comments
gopherbot added the CherryPickCandidate label, Nov 30, 2022
Change https://go.dev/cl/455363 mentions this issue:
gopherbot pushed a commit that referenced this issue, Dec 6, 2022

Disable cmd/internal/moddeps test, since this update includes PRIVATE track fixes.

For #56350.
For #57009.
Fixes CVE-2022-41717.

Change-Id: I5c6ce546add81f361dcf0d5123fa4eaaf8f0a03b
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1663835
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/455363
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Jenny Rakoczy <jenny@golang.org>
Reviewed-by: Michael Pratt <mpratt@google.com>
Closed by merging 618120c to release-branch.go1.19.

Change https://go.dev/cl/455736 mentions this issue:

This was approved as a security fix and included in Go 1.19.4.
dmitshur added the Security and CherryPickApproved labels and removed the CherryPickCandidate label, Dec 7, 2022
andrew-d pushed a commit to tailscale/go that referenced this issue, Dec 7, 2022

Disable cmd/internal/moddeps test, since this update includes PRIVATE track fixes.

For golang#56350.
For golang#57009.
Fixes CVE-2022-41717.

Change-Id: I5c6ce546add81f361dcf0d5123fa4eaaf8f0a03b
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1663835
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/455363
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Jenny Rakoczy <jenny@golang.org>
Reviewed-by: Michael Pratt <mpratt@google.com>
gopherbot pushed a commit to golang/net that referenced this issue, Dec 10, 2022

…y bytes, not entries

The canonical header cache is a per-connection cache mapping header keys to their canonicalized form. (For example, "foo-bar" => "Foo-Bar").

We limit the number of entries in the cache to prevent an attacker from consuming unbounded amounts of memory by sending many unique keys, but a small number of very large keys can still consume an unreasonable amount of memory.

Track the amount of memory consumed by the cache and limit it based on memory rather than number of entries.

Thanks to Josselin Costanzi for reporting this issue.

For golang/go#56350
For golang/go#57009
Fixes CVE-2022-41717

Change-Id: Ief3c141001524fd3776958ecc8556c724427f063
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1619953
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
Run-TryBot: Damien Neil <dneil@google.com>
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1662693
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Reviewed-on: https://go-review.googlesource.com/c/net/+/455736
Reviewed-by: Jenny Rakoczy <jenny@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
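The golang/net commit message above describes the defect and the fix in one sentence each: an entry-count cap on the per-connection canonical header cache bounds how many keys are remembered but not how many bytes, so a handful of very large keys still pins an unreasonable amount of memory. The following is an added example, not code from golang.org/x/net or from this issue, that models both strategies side by side in a small constructed cache. The type `canonCache`, the limit values (32 entries, 16 KiB) and the generated keys are all constructed for illustration; only `textproto.CanonicalMIMEHeaderKey` is real standard-library code.

```go
package main

import (
	"fmt"
	"net/textproto"
	"strings"
)

// canonCache is a constructed, simplified model of a per-connection cache
// mapping raw header keys to their canonical form ("foo-bar" => "Foo-Bar").
// It is not the golang.org/x/net/http2 code; it exists only to compare the
// two limiting strategies named in the commit message.
type canonCache struct {
	entries    map[string]string
	maxEntries int // pre-fix strategy: cap the number of entries (0 = no cap)
	maxBytes   int // post-fix strategy: cap retained key+value bytes (0 = no cap)
	bytes      int // bytes currently retained by cached keys and values
}

func newCanonCache(maxEntries, maxBytes int) *canonCache {
	return &canonCache{entries: make(map[string]string), maxEntries: maxEntries, maxBytes: maxBytes}
}

// canonicalize returns the canonical form of key. The result is cached only
// while the configured limit allows; a rejected key is still canonicalized
// correctly, it just is not remembered for the next lookup.
func (c *canonCache) canonicalize(key string) string {
	if v, ok := c.entries[key]; ok {
		return v
	}
	canon := textproto.CanonicalMIMEHeaderKey(key)
	cost := len(key) + len(canon) // both strings are retained by the map
	if c.maxEntries > 0 && len(c.entries) >= c.maxEntries {
		return canon
	}
	if c.maxBytes > 0 && c.bytes+cost > c.maxBytes {
		return canon
	}
	c.entries[key] = canon
	c.bytes += cost
	return canon
}

// memoryUsed reports the bytes retained by cached keys and values.
func (c *canonCache) memoryUsed() int { return c.bytes }

// size reports the number of cached entries.
func (c *canonCache) size() int { return len(c.entries) }

// largeKeys constructs n distinct, syntactically valid header keys of roughly
// size bytes each: the "small number of very large keys" case that an
// entry-count limit does not handle.
func largeKeys(n, size int) []string {
	keys := make([]string, n)
	for i := range keys {
		keys[i] = fmt.Sprintf("x-%s%d", strings.Repeat("a", size), i)
	}
	return keys
}

// fill feeds every key through the cache and returns the bytes retained afterwards.
func fill(c *canonCache, keys []string) int {
	for _, k := range keys {
		c.canonicalize(k)
	}
	return c.memoryUsed()
}

func main() {
	keys := largeKeys(32, 64<<10) // constructed input: 32 keys of ~64 KiB each

	// Entry-count limit of 32 (constructed value): every key fits, so roughly
	// 4 MiB stays resident for the lifetime of one connection.
	byEntries := newCanonCache(32, 0)
	retained := fill(byEntries, keys)
	fmt.Printf("entry limit: %d entries, %d bytes retained\n", byEntries.size(), retained)

	// Byte limit of 16 KiB (constructed value): retained memory is bounded no
	// matter how large the individual keys are.
	byBytes := newCanonCache(0, 16<<10)
	retained = fill(byBytes, keys)
	fmt.Printf("byte limit:  %d entries, %d bytes retained\n", byBytes.size(), retained)
}
```

The byte-limited cache still canonicalizes every header correctly; what changes is only what it remembers, so the fix trades a cache miss for a bounded footprint. The same pattern applies to any per-connection or per-session cache keyed by attacker-chosen strings: account for the size of what is stored, not just how many things are stored.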
@neild requested issue #56350 to be considered for backport to the next 1.19 minor release.