Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

update: go #1210

Closed
dongsupark opened this issue Oct 12, 2023 · 1 comment
Closed

update: go #1210

dongsupark opened this issue Oct 12, 2023 · 1 comment
Labels
advisory security advisory cvss/HIGH > 7 && < 9 assessed CVSS security security concerns

Comments

@dongsupark
Copy link
Member

dongsupark commented Oct 12, 2023
edited
Loading

Name: go
CVEs: CVE-2023-39325
CVSSs: 7.5
Action Needed: update to >= 1.20.10

Summary: net/http: rapid stream resets can cause excessive work. A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded to the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing.

HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit. New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection.

This issue is also fixed in golang.org/x/net/http2 v0.17.0, for users manually configuring HTTP/2.

The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.

This is CVE-2023-39325 and Go issue https://go.dev/issue/63417. This is also tracked by CVE-2023-44487.

See also https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo.

refmap.gentoo: https://bugs.gentoo.org/915555
@dongsupark dongsupark added security security concerns advisory security advisory labels Oct 12, 2023
@dongsupark dongsupark moved this from 📝 Needs Triage to 🌱 Upcoming / Focus in Flatcar tactical, release planning, and roadmap Oct 12, 2023
@krnowak
Copy link
Member

krnowak commented Oct 13, 2023

Fix will be in next alpha release.

@krnowak krnowak closed this as completed Oct 13, 2023
@github-project-automation github-project-automation bot moved this from 🌱 Upcoming / Focus to Implemented in Flatcar tactical, release planning, and roadmap Oct 13, 2023
@github-actions github-actions bot mentioned this issue Nov 9, 2023
Closed
@dongsupark dongsupark added the cvss/HIGH > 7 && < 9 assessed CVSS label Dec 15, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
advisory security advisory cvss/HIGH > 7 && < 9 assessed CVSS security security concerns
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@krnowak @dongsupark