net/http: close connections when receiving too many headers (CVE-2023-45288) [1.22 backport] #66298

Closed
gopherbot opened this issue Mar 13, 2024 · 3 comments
Labels
CherryPickApproved Used during the release process for point releases FrozenDueToAge release-blocker Security
Milestone

Comments

@gopherbot
Contributor

gopherbot commented Mar 13, 2024

@rolandshoemaker requested issue #65051 to be considered for backport to the next 1.22 minor release.

@gopherbot please open backport issues.

Edit: Corrected issue reference (#66297 -> #65051)

@gopherbot gopherbot added CherryPickCandidate Used during the release process for point releases Security labels Mar 13, 2024
@gopherbot gopherbot added this to the Go1.22.2 milestone Mar 13, 2024
@dmitshur dmitshur added CherryPickApproved Used during the release process for point releases and removed CherryPickCandidate Used during the release process for point releases labels Mar 27, 2024
@gopherbot
Contributor Author

Change https://go.dev/cl/576076 mentions this issue: [release-branch.go1.22] net/http: update bundled golang.org/x/net/http2

gopherbot pushed a commit that referenced this issue Apr 3, 2024
Disable cmd/internal/moddeps test, since this update includes PRIVATE
track fixes.

Fixes CVE-2023-45288
For #65051
Fixes #66298

Change-Id: I5bbf774ebe7651e4bb7e55139d3794bd2b8e8fa8
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2197227
Reviewed-by: Tatiana Bradley <[email protected]>
Run-TryBot: Damien Neil <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
Reviewed-on: https://go-review.googlesource.com/c/go/+/576076
Auto-Submit: Dmitri Shuralyov <[email protected]>
TryBot-Bypass: Dmitri Shuralyov <[email protected]>
Reviewed-by: Than McIntosh <[email protected]>
@gopherbot
Contributor Author

Closed by merging e55d7cf to release-branch.go1.22.

@gopherbot
Contributor Author

Change https://go.dev/cl/576255 mentions this issue: [release-branch.go1.22] all: tidy dependency versioning after release

gopherbot pushed a commit that referenced this issue Apr 3, 2024
Done with:

go get golang.org/x/[email protected]
go mod tidy
go mod vendor
go generate net/http  # zero diff since CL 576076 already did this

For CVE-2023-45288.
For #65051.
For #66298.

Change-Id: I2a0d69145d711a73eda92ef5ad4010c7c435f621
Reviewed-on: https://go-review.googlesource.com/c/go/+/576255
Reviewed-by: Dmitri Shuralyov <[email protected]>
Auto-Submit: Dmitri Shuralyov <[email protected]>
TryBot-Bypass: Dmitri Shuralyov <[email protected]>
Reviewed-by: Than McIntosh <[email protected]>
@dmitshur dmitshur changed the title security: fix CVE-2023-45288 [1.22 backport] net/http: close connections when receiving too many headers (CVE-2023-45288) [1.22 backport] Apr 3, 2024
@golang golang locked and limited conversation to collaborators Apr 3, 2025