Closed
Description
An attacker can cause unbounded memory growth in a Go server accepting HTTP/2 requests.
For users who cannot immediately update to the new release, setting the GODEBUG=http2server=0 environment variable before calling Serve will disable HTTP/2, unless HTTP/2 was manually configured through the golang.org/x/net/http2 package.
This issue is also fixed in golang.org/x/net/http2 v0.0.0-20211209124913-491a49abca63, for users manually configuring HTTP/2.
Thank you to murakmii for reporting this issue.
This is CVE-2021-44716 and is fixed in Go 1.17.5 and Go 1.16.12.
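Added example, not part of this issue or of the Go project's own code: a small Go program that checks for the GODEBUG=http2server=0 mitigation described above and, for servers built on net/http, applies the documented in-code alternative (a non-nil, empty TLSNextProto map); the function names http2DisabledByGODEBUG, disableHTTP2 and http2Enabled are assumptions for this example.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"os"
	"strings"
)

// http2DisabledByGODEBUG reports whether a GODEBUG value carries the
// http2server=0 setting from the advisory. net/http reads GODEBUG when
// Serve/ServeTLS first sets up TLS, so the variable must be set before then.
func http2DisabledByGODEBUG(godebug string) bool {
	for _, kv := range strings.Split(godebug, ",") {
		if strings.TrimSpace(kv) == "http2server=0" {
			return true
		}
	}
	return false
}

// disableHTTP2 is the in-code equivalent for a plain net/http server: a
// non-nil, empty TLSNextProto map stops net/http from registering "h2"
// (documented http.Server behaviour). It does not affect servers configured
// directly through golang.org/x/net/http2, which register "h2" themselves.
func disableHTTP2(srv *http.Server) {
	srv.TLSNextProto = map[string]func(*http.Server, *tls.Conn, http.Handler){}
}

// http2Enabled reports whether srv will still negotiate HTTP/2: either the
// automatic setup runs (nil map, no GODEBUG opt-out) or "h2" was registered
// manually, which the GODEBUG setting does not override.
func http2Enabled(srv *http.Server, godebug string) bool {
	if srv.TLSNextProto != nil {
		return srv.TLSNextProto["h2"] != nil
	}
	return !http2DisabledByGODEBUG(godebug)
}

func main() {
	srv := &http.Server{Addr: ":8443", Handler: http.NewServeMux()}
	fmt.Println("HTTP/2 before mitigation:", http2Enabled(srv, os.Getenv("GODEBUG")))
	disableHTTP2(srv)
	fmt.Println("HTTP/2 after mitigation: ", http2Enabled(srv, os.Getenv("GODEBUG")))
	// srv.ListenAndServeTLS("cert.pem", "key.pem") would now serve HTTP/1.1 only.
}
```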