security: fix CVE-2023-39325 [1.20 backport] #63426
Change https://go.dev/cl/534255 mentions this issue:

Closed by merging e175f27 to release-branch.go1.20.

gopherbot pushed a commit that referenced this issue Oct 10, 2023

Pull in a security fix from x/net/http2:

    http2: limit maximum handler goroutines to MaxConcurrentStreams

For #63417
Fixes #63426
Fixes CVE-2023-39325

Change-Id: I6e32397323cd9b4114c990fcc9d19557a7f5f619
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2047401
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
Run-TryBot: Damien Neil <dneil@google.com>
Reviewed-by: Ian Cottrell <iancottrell@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/534255
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
TryBot-Bypass: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Michael Pratt <mpratt@google.com>
Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>

Change https://go.dev/cl/534236 mentions this issue:

gopherbot pushed a commit to golang/net that referenced this issue Oct 10, 2023

…es to MaxConcurrentStreams

When the peer opens a new stream while we have MaxConcurrentStreams
handler goroutines running, defer starting a handler until one
of the existing handlers exits.

For golang/go#63417.
For golang/go#63426.
For CVE-2023-39325.

Change-Id: If0531e177b125700f3e24c5ebd24b1023098fa6d
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2047553
Reviewed-by: Ian Cottrell <iancottrell@google.com>
Run-TryBot: Damien Neil <dneil@google.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
Reviewed-on: https://go-review.googlesource.com/c/net/+/534236
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Michael Pratt <mpratt@google.com>
Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
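
The deferral described in the golang/net commit message above, as an added Go sketch rather than the x/net/http2 code: a connection's serve loop starts at most `limit` handler goroutines and parks the rest until a running handler exits. The names `conn`, `schedule`, `handlerDone` and `simulate` are hypothetical, and `limit` stands in for MaxConcurrentStreams.

```go
package main

import "fmt"

// conn holds one connection's handler state; only the serve loop touches it.
type conn struct {
	limit, running, peak int           // limit stands in for MaxConcurrentStreams
	deferred             []func()      // handlers waiting for a free slot
	exited               chan struct{} // each handler signals here on return
}

// schedule starts h if fewer than limit handlers are running, else defers it.
func (c *conn) schedule(h func()) {
	if c.running >= c.limit {
		c.deferred = append(c.deferred, h)
		return
	}
	c.running++
	if c.running > c.peak {
		c.peak = c.running
	}
	go func() { h(); c.exited <- struct{}{} }()
}

// handlerDone frees a slot and hands it to the oldest deferred handler, if any.
func (c *conn) handlerDone() {
	c.running--
	if len(c.deferred) > 0 {
		c.schedule(c.deferred[0]) // running < limit here, so this starts it
		c.deferred = c.deferred[1:]
	}
}

// simulate opens n streams (constructed input) whose handlers block until released.
func simulate(n, limit int) (peak, waiting, finished int) {
	c := &conn{limit: limit, exited: make(chan struct{})}
	release := make(chan struct{})
	for i := 0; i < n; i++ {
		c.schedule(func() { <-release })
	}
	waiting = len(c.deferred)
	close(release)
	for ; c.running > 0; finished++ { // serve loop: one exit event at a time
		<-c.exited
		c.handlerDone()
	}
	return c.peak, waiting, finished
}

func main() { fmt.Println(simulate(10, 3)) } // prints "3 7 10"
```

With ten streams and a limit of three, seven handlers wait for a slot, all ten eventually run, and the number of handler goroutines never exceeds three.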

Change https://go.dev/cl/534297 mentions this issue:

gopherbot pushed a commit that referenced this issue Oct 10, 2023

Done with:

    go get golang.org/x/net@internal-branch.go1.20-vendor
    go mod tidy
    go mod vendor
    go generate net/http  # zero diff since CL 534255 already did this

For #63417.
For #63426.
For CVE-2023-39325.

Change-Id: Ib258e0d8165760a1082e02c2f4c5ce7d2a3c3c90
Reviewed-on: https://go-review.googlesource.com/c/go/+/534297
Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Michael Pratt <mpratt@google.com>
TryBot-Bypass: Dmitri Shuralyov <dmitshur@golang.org>

khrm added a commit to khrm/plumbing that referenced this issue Oct 12, 2023

Needed for CVE fix: golang/go#63426
Triggers EventListener, Hub, and Results are affected.

rhmdnd added a commit to rhmdnd/compliance-operator that referenced this issue Oct 17, 2023

Let's use an image that contains a patched version of net/http.
golang/go#63426

rhmdnd added a commit to rhmdnd/file-integrity-operator that referenced this issue Oct 17, 2023

Let's use a version of golang that contains a patched version of net/http.
golang/go#63426

tekton-robot pushed a commit to tektoncd/plumbing that referenced this issue Oct 19, 2023

Needed for CVE fix: golang/go#63426
Triggers EventListener, Hub, and Results are affected.

rcrozean pushed a commit to rcrozean/go that referenced this issue Dec 7, 2023

# AWS EKS
Backported To: go-1.19.13-eks
Backported On: Thu, 12 Oct 2023
Backported By: rcrozean@amazon.com
Backported From: release-branch.go1.20
Source Commit: golang@e175f27

# Original Information
Pull in a security fix from x/net/http2:

    http2: limit maximum handler goroutines to MaxConcurrentStreams

For golang#63417
Fixes golang#63426
Fixes CVE-2023-39325

Change-Id: I6e32397323cd9b4114c990fcc9d19557a7f5f619
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2047401
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
Run-TryBot: Damien Neil <dneil@google.com>
Reviewed-by: Ian Cottrell <iancottrell@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/534255
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
TryBot-Bypass: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Michael Pratt <mpratt@google.com>
Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
@neild requested issue #63417 to be considered for backport to the next 1.20 minor release.