Skip to content

net/http: close connections when receiving too many headers (CVE-2023-45288) [1.21 backport] #65387

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
gopherbot opened this issue Jan 30, 2024 · 4 comments
Closed

net/http: close connections when receiving too many headers (CVE-2023-45288) [1.21 backport] #65387

gopherbot opened this issue Jan 30, 2024 · 4 comments
Labels
CherryPickApproved Used during the release process for point releases FrozenDueToAge release-blocker Security
Milestone
Go1.21.9

Comments

@gopherbot
Copy link
Contributor

@neild requested issue #65051 to be considered for backport to the next 1.21 minor release.

@gopherbot please open backport issues for this security fix.
@gopherbot gopherbot added CherryPickCandidate Used during the release process for point releases Security labels Jan 30, 2024
@gopherbot gopherbot mentioned this issue Jan 30, 2024
Closed
@neild neild added CherryPickApproved Used during the release process for point releases and removed CherryPickCandidate Used during the release process for point releases labels Jan 30, 2024
@gopherbot gopherbot modified the milestones: Go1.21.7, Go1.21.8 Jan 30, 2024
@neild
Copy link
Contributor

neild commented Feb 20, 2024

Deferred pending coordinated disclosure, will reopen when we know what release this goes into.

@neild neild closed this as not planned Won't fix, can't repro, duplicate, stale Feb 20, 2024
@rcrozean rcrozean mentioned this issue Mar 5, 2024
Closed
@gopherbot gopherbot mentioned this issue Mar 13, 2024
Closed
@thanm thanm modified the milestones: Go1.21.8, Go1.21.9 Mar 28, 2024
@gopherbot
Copy link
Contributor Author

Change https://go.dev/cl/576075 mentions this issue: [release-branch.go1.21] net/http: update bundled golang.org/x/net/http2

gopherbot pushed a commit that referenced this issue Apr 3, 2024
@neild @gopherbot
[release-branch.go1.21] net/http: update bundled golang.org/x/net/http2
ae59133 
Disable cmd/internal/moddeps test, since this update includes PRIVATE
track fixes.

Fixes CVE-2023-45288
For #65051
Fixes #65387

Change-Id: I17da6da2fe0dd70062b49f94377875acb34829a1
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2197267
Reviewed-by: Dmitri Shuralyov <[email protected]>
Run-TryBot: Damien Neil <[email protected]>
Reviewed-by: Tatiana Bradley <[email protected]>
Reviewed-on: https://go-review.googlesource.com/c/go/+/576075
TryBot-Bypass: Dmitri Shuralyov <[email protected]>
Commit-Queue: Dmitri Shuralyov <[email protected]>
Auto-Submit: Dmitri Shuralyov <[email protected]>
Reviewed-by: Than McIntosh <[email protected]>
@dmitshur
Copy link
Member

dmitshur commented Apr 3, 2024

Closed by merging commit ae59133 (CL 576075) to release-branch.go1.21.

@dmitshur dmitshur closed this as completed Apr 3, 2024
@gopherbot
Copy link
Contributor Author

Change https://go.dev/cl/576275 mentions this issue: [release-branch.go1.21] all: tidy dependency versioning after release

gopherbot pushed a commit that referenced this issue Apr 3, 2024
@dmitshur @gopherbot
[release-branch.go1.21] all: tidy dependency versioning after release
7450117 
Done with:

go get golang.org/x/[email protected]
go mod tidy
go mod vendor
go generate net/http  # zero diff since CL 576075 already did this

For CVE-2023-45288.
For #65051.
For #65387.

Change-Id: I336670bdb3df2496c1e8d322c20794042fbc0d02
Reviewed-on: https://go-review.googlesource.com/c/go/+/576275
TryBot-Bypass: Dmitri Shuralyov <[email protected]>
Reviewed-by: Than McIntosh <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
Auto-Submit: Dmitri Shuralyov <[email protected]>
@dmitshur dmitshur changed the title security: fix CVE-2023-45288 [1.21 backport] net/http: close connections when receiving too many headers (CVE-2023-45288) [1.21 backport] Apr 3, 2024
@gabyhelp gabyhelp mentioned this issue Jun 26, 2024
Closed
@golang golang locked and limited conversation to collaborators Apr 3, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
CherryPickApproved Used during the release process for point releases FrozenDueToAge release-blocker Security
Projects
None yet
Milestone
Go1.21.9
Development

No branches or pull requests
5 participants
@neild @dmitshur @rolandshoemaker @gopherbot @thanm