Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

go: 1.22.4 -> 1.22.5 #324123

Merged
merged 1 commit into from
Jul 2, 2024
Merged

go: 1.22.4 -> 1.22.5 #324123

merged 1 commit into from
Jul 2, 2024

Conversation

katexochen
Copy link
Contributor

@katexochen katexochen commented Jul 2, 2024
edited
Loading

Description of changes

Release notes: https://go.dev/doc/devel/release#go1.22.0

Fixes

net/http: denial of service due to improper 100-continue handling

The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail.

An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.

Thanks to Geoff Franks for reporting this issue.

This is CVE-2024-24791 and Go issue https://go.dev/issue/67555.

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 24.11 Release Notes (or backporting 23.11 and 24.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

Add a 👍 reaction to pull requests you find important.

@katexochen
go: 1.22.4 -> 1.22.5
5f95efa 
Signed-off-by: Paul Meyer <[email protected]>
@katexochen katexochen added the 1.severity: security Issues which raise a security issue, or PRs that fix one label Jul 2, 2024
@K900 K900 merged commit c4b2c09 into NixOS:staging-next Jul 2, 2024
17 of 18 checks passed
@katexochen katexochen deleted the go/1-22-5 branch July 2, 2024 20:05
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Jul 2, 2024

Successfully created backport PR for staging-24.05:

@github-actions github-actions bot mentioned this pull request Jul 2, 2024
Merged
1 task
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Jul 2, 2024

Git push to origin failed for staging-24.05 with exitcode 1

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kalbasit kalbasit Awaiting requested review from kalbasit

@Mic92 Mic92 Awaiting requested review from Mic92

@zowoq zowoq Awaiting requested review from zowoq

Assignees
No one assigned
Labels
1.severity: security Issues which raise a security issue, or PRs that fix one 6.topic: golang
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@katexochen @K900