security: fix CVE-2023-39325 [1.20 backport] #63426

Closed
gopherbot opened this issue Oct 6, 2023 · 4 comments · Fixed by tektoncd/plumbing#1635
Labels
CherryPickApproved Used during the release process for point releases FrozenDueToAge Security
Comments

@gopherbot
Contributor

@neild requested issue #63417 to be considered for backport to the next 1.20 minor release.

@gopherbot please open backport issues

@gopherbot gopherbot added CherryPickCandidate Used during the release process for point releases Security labels Oct 6, 2023
@gopherbot gopherbot added this to the Go1.20.10 milestone Oct 6, 2023
@dmitshur dmitshur added CherryPickApproved Used during the release process for point releases and removed CherryPickCandidate Used during the release process for point releases labels Oct 6, 2023
@gopherbot
Contributor Author

Change https://go.dev/cl/534255 mentions this issue: [release-branch.go1.20] net/http: regenerate h2_bundle.go

@gopherbot
Contributor Author

Closed by merging e175f27 to release-branch.go1.20.

gopherbot pushed a commit that referenced this issue Oct 10, 2023
Pull in a security fix from x/net/http2:
http2: limit maximum handler goroutines to MaxConcurrentStreams

For #63417
Fixes #63426
Fixes CVE-2023-39325

Change-Id: I6e32397323cd9b4114c990fcc9d19557a7f5f619
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2047401
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
Run-TryBot: Damien Neil <dneil@google.com>
Reviewed-by: Ian Cottrell <iancottrell@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/534255
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
TryBot-Bypass: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Michael Pratt <mpratt@google.com>
Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
@gopherbot
Contributor Author

Change https://go.dev/cl/534236 mentions this issue: [internal-branch.go1.20-vendor] http2: limit maximum handler goroutines to MaxConcurrentStreams

gopherbot pushed a commit to golang/net that referenced this issue Oct 10, 2023
…es to MaxConcurrentStreams

When the peer opens a new stream while we have MaxConcurrentStreams
handler goroutines running, defer starting a handler until one
of the existing handlers exits.

For golang/go#63417.
For golang/go#63426.
For CVE-2023-39325.

Change-Id: If0531e177b125700f3e24c5ebd24b1023098fa6d
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2047553
Reviewed-by: Ian Cottrell <iancottrell@google.com>
Run-TryBot: Damien Neil <dneil@google.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
Reviewed-on: https://go-review.googlesource.com/c/net/+/534236
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Michael Pratt <mpratt@google.com>
Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
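The mechanism the commit message above describes (once MaxConcurrentStreams handler goroutines are running, defer starting another handler until one of the existing handlers exits) as an added illustration; this is not code from the Go project or from x/net. It models a peer that opens streams faster than handlers finish: in the pre-fix model every opened stream spawns its own handler goroutine immediately, so the peak number of live handlers equals the number of streams the peer opened, while the gated model never exceeds the limit and still eventually runs every handler. The handlerLimiter type, the peakTracker helper, and the request counts are constructed for this example.

```go
package main

import (
	"fmt"
	"sync"
	"sync/atomic"
	"time"
)

// handlerLimiter (hypothetical, for this example) bounds the number of
// concurrently running handler goroutines. It counts handlers rather than
// open streams: a stream slot goes back to the peer's MaxConcurrentStreams
// budget when the stream is reset, but the handler serving it may still run.
type handlerLimiter struct {
	mu      sync.Mutex
	limit   int
	running int      // handler goroutines currently alive
	queue   []func() // handlers deferred until a goroutine frees up
}

func newHandlerLimiter(limit int) *handlerLimiter {
	return &handlerLimiter{limit: limit}
}

// start runs fn on a new goroutine if fewer than limit handlers are alive;
// otherwise it defers fn until one of the existing handlers exits.
func (l *handlerLimiter) start(fn func()) {
	l.mu.Lock()
	defer l.mu.Unlock()
	if l.running < l.limit {
		l.running++
		go l.loop(fn)
		return
	}
	l.queue = append(l.queue, fn)
}

// loop runs fn and then drains deferred handlers on the same goroutine, so
// the number of live handler goroutines never exceeds limit.
func (l *handlerLimiter) loop(fn func()) {
	for {
		fn()
		l.mu.Lock()
		if len(l.queue) == 0 {
			l.running--
			l.mu.Unlock()
			return
		}
		fn, l.queue = l.queue[0], l.queue[1:]
		l.mu.Unlock()
	}
}

// peakTracker records the highest number of handlers alive at one time.
type peakTracker struct{ cur, peak atomic.Int64 }

func (p *peakTracker) enter() {
	n := p.cur.Add(1)
	for old := p.peak.Load(); n > old && !p.peak.CompareAndSwap(old, n); old = p.peak.Load() {
	}
}

func (p *peakTracker) exit() { p.cur.Add(-1) }

// peakWithoutLimit models the pre-fix behaviour: each opened stream gets a
// handler goroutine at once. Handlers block until all have started, which
// makes the peak deterministic: it equals requests.
func peakWithoutLimit(requests int) int {
	var p peakTracker
	var started, done sync.WaitGroup
	release := make(chan struct{})
	started.Add(requests)
	done.Add(requests)
	for i := 0; i < requests; i++ {
		go func() {
			defer done.Done()
			p.enter()
			started.Done()
			<-release // still doing work after the peer reset the stream
			p.exit()
		}()
	}
	started.Wait()
	close(release)
	done.Wait()
	return int(p.peak.Load())
}

// peakWithLimit models the fix: handler starts go through the limiter, so
// at most maxConcurrentStreams handlers are alive. It returns the peak and
// how many handlers eventually ran (all of them; none are dropped).
func peakWithLimit(maxConcurrentStreams, requests int) (peak, handled int) {
	var p peakTracker
	var ran atomic.Int64
	var done sync.WaitGroup
	l := newHandlerLimiter(maxConcurrentStreams)
	done.Add(requests)
	for i := 0; i < requests; i++ {
		l.start(func() {
			defer done.Done()
			p.enter()
			time.Sleep(time.Millisecond) // simulated handler work
			ran.Add(1)
			p.exit()
		})
	}
	done.Wait()
	return int(p.peak.Load()), int(ran.Load())
}

func main() {
	fmt.Println("without limit, peak live handlers:", peakWithoutLimit(200))
	peak, handled := peakWithLimit(10, 200)
	fmt.Printf("with limit 10, peak live handlers: %d (handled %d)\n", peak, handled)
}
```

The real fix in x/net/http2 sits inside the server's stream scheduling, but the property it restores is the one the model checks: the number of live handler goroutines per connection is bounded by the server's own setting, not by how quickly the peer can open and reset streams.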
@gopherbot
Contributor Author

Change https://go.dev/cl/534297 mentions this issue: [release-branch.go1.20] all: tidy dependency versioning after release

gopherbot pushed a commit that referenced this issue Oct 10, 2023
Done with:

go get golang.org/x/net@internal-branch.go1.20-vendor
go mod tidy
go mod vendor
go generate net/http  # zero diff since CL 534255 already did this

For #63417.
For #63426.
For CVE-2023-39325.

Change-Id: Ib258e0d8165760a1082e02c2f4c5ce7d2a3c3c90
Reviewed-on: https://go-review.googlesource.com/c/go/+/534297
Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Michael Pratt <mpratt@google.com>
TryBot-Bypass: Dmitri Shuralyov <dmitshur@golang.org>
khrm added a commit to khrm/plumbing that referenced this issue Oct 12, 2023
Needed for CVE fix: golang/go#63426

Triggers EventListener, Hub, and Results are affected.
rhmdnd added a commit to rhmdnd/compliance-operator that referenced this issue Oct 17, 2023
Let's use an image that contains a patched version of net/http.

golang/go#63426
rhmdnd added a commit to rhmdnd/file-integrity-operator that referenced this issue Oct 17, 2023
Let's use a version of golang that contains a patched version of
net/http.

golang/go#63426
tekton-robot pushed a commit to tektoncd/plumbing that referenced this issue Oct 19, 2023
Needed for CVE fix: golang/go#63426

Triggers EventListener, Hub, and Results are affected.
rcrozean pushed a commit to rcrozean/go that referenced this issue Dec 7, 2023
# AWS EKS

Backported To: go-1.19.13-eks
Backported On: Thu, 12 Oct 2023
Backported By: rcrozean@amazon.com
Backported From: release-branch.go1.20
Source Commit: golang@e175f27

# Original Information

Pull in a security fix from x/net/http2:
http2: limit maximum handler goroutines to MaxConcurrentStreams

For golang#63417
Fixes golang#63426
Fixes CVE-2023-39325

Change-Id: I6e32397323cd9b4114c990fcc9d19557a7f5f619
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2047401
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
Run-TryBot: Damien Neil <dneil@google.com>
Reviewed-by: Ian Cottrell <iancottrell@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/534255
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
TryBot-Bypass: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Michael Pratt <mpratt@google.com>
Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
@golang golang locked and limited conversation to collaborators Oct 9, 2024