[master] update to go1.21.9 #1011

Merged
merged 1 commit into from Apr 10, 2024
Commits on Apr 9, 2024

  1. update to go1.21.9

    go1.21.9 (released 2024-04-03) includes a security fix to the net/http
    package, as well as bug fixes to the linker, and the go/types and
    net/http packages. See the [Go 1.21.9 milestone](https://github.com/golang/go/issues?q=milestone%3AGo1.21.9+label%3ACherryPickApproved)
    for more details.
    
    These minor releases include 1 security fix following the security policy:
    
    - http2: close connections when receiving too many headers
    Maintaining HPACK state requires that we parse and process all HEADERS
    and CONTINUATION frames on a connection. When a request's headers exceed
    MaxHeaderBytes, we don't allocate memory to store the excess headers but
    we do parse them. This permits an attacker to cause an HTTP/2 endpoint
    to read arbitrary amounts of header data, all associated with a request
    which is going to be rejected. These headers can include Huffman-encoded
    data which is significantly more expensive for the receiver to decode
    than for an attacker to send.
    Set a limit on the amount of excess header frames we will process before
    closing a connection.
    Thanks to Bartek Nowotarski (https://nowotarski.info/) for reporting this issue.
    This is CVE-2023-45288 and Go issue https://go.dev/issue/65051.
    
    View the release notes for more information:
    https://go.dev/doc/devel/release#go1.21.9
    
    - https://github.com/golang/go/issues?q=milestone%3AGo1.21.9+label%3ACherryPickApproved
    - full diff: golang/go@go1.21.8...go1.21.9
    
    Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
    vvoland committed Apr 9, 2024
    b8ac04f
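
The accounting described in the commit message, as an added example that is not part of this pull request and is not the net/http or x/net code. It is a simplified model: the `conn` type, the byte-based `excessBudget` and its 1 MiB value, and the frame sizes are assumptions constructed for illustration.

```go
package main

import "fmt"

// conn is a simplified model of one HTTP/2 connection's header accounting.
type conn struct {
	maxHeaderBytes int  // cap on header bytes stored for a request
	excessBudget   int  // assumed cap on excess bytes parsed; 0 = no cap (pre-fix)
	stored         int  // header bytes kept in memory
	excess         int  // header bytes parsed and then thrown away
	closed         bool // set once the excess budget is exceeded
}

// onHeaderBlock accounts for the n-byte payload of one HEADERS or
// CONTINUATION frame and reports whether the connection stays open.
func (c *conn) onHeaderBlock(n int) bool {
	room := c.maxHeaderBytes - c.stored
	if n <= room {
		c.stored += n
		return true
	}
	c.stored += room
	c.excess += n - room // still decoded so the HPACK state stays in sync
	if c.excessBudget > 0 && c.excess > c.excessBudget {
		c.closed = true
	}
	return !c.closed
}

// replay feeds constructed frame sizes to c and returns how many header
// bytes the receiver had to parse and whether it closed the connection.
func replay(c *conn, frames []int) (parsed int, closed bool) {
	for _, n := range frames {
		parsed += n
		if !c.onHeaderBlock(n) {
			break
		}
	}
	return parsed, c.closed
}

func main() {
	frames := make([]int, 1000) // constructed input: 1000 frames of 16 KiB
	for i := range frames {
		frames[i] = 16384
	}
	before, _ := replay(&conn{maxHeaderBytes: 1 << 20}, frames)
	after, closed := replay(&conn{maxHeaderBytes: 1 << 20, excessBudget: 1 << 20}, frames)
	fmt.Println(before, after, closed)
}
```

Without a budget the receiver's parsing work grows with whatever the peer sends; with one, it is bounded by `maxHeaderBytes` plus the budget plus one frame.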