net/http: handle server errors after sending GOAWAY [1.19 backport] #54376
Assignees
Labels
CherryPickApproved
Used during the release process for point releases
FrozenDueToAge
release-blocker
Security
Milestone
Comments
neild
added
Security
release-blocker
CherryPickCandidate
joedian
added
the
CherryPickApproved
gopherbot
removed
the
CherryPickCandidate
|
Change https://go.dev/cl/428655 mentions this issue: |
gopherbot
pushed a commit
that referenced
this issue
Sep 6, 2022
Disable cmd/internal/moddeps test, since this update includes PRIVATE track fixes. Fixes CVE-2022-27664 Fixes #54376 For #54658 Change-Id: I747900a66d7276e7d0bd246cd8cd0da95305c3ca Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1554417 Reviewed-by: Tatiana Bradley <[email protected]> Reviewed-by: Roland Shoemaker <[email protected]> Reviewed-on: https://go-review.googlesource.com/c/go/+/428655 Reviewed-by: Carlos Amedee <[email protected]> Reviewed-by: Tatiana Bradley <[email protected]> Run-TryBot: Michael Knyszek <[email protected]> TryBot-Result: Gopher Robot <[email protected]>
|
Closed by merging 9cfe4e2 to release-branch.go1.19. |
mknyszek
changed the title
|
Change https://go.dev/cl/428737 mentions this issue: |
gopherbot
pushed a commit
to golang/net
that referenced
this issue
Sep 7, 2022
…ding GOAWAY The HTTP/2 server uses serverConn.goAwayCode to track whether a connection has encountered a fatal error. If an error is encountered after sending a ErrCodeNo GOAWAY, upgrade goAwayCode to reflect the error status of the connection. Fixes an issue where a server connection could hang forever waiting for a clean shutdown that was preempted by a subsequent fatal error. Fixes CVE-2022-27664 For golang/go#54658 For golang/go#54376 Change-Id: I165b81ab53176c77a68c42976030499d57bb05d3 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1413887 Reviewed-by: Damien Neil <[email protected]> Reviewed-by: Roland Shoemaker <[email protected]> Reviewed-on: https://go-review.googlesource.com/c/net/+/428735 Run-TryBot: Damien Neil <[email protected]> Reviewed-by: Carlos Amedee <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Reviewed-on: https://go-review.googlesource.com/c/net/+/428737 Reviewed-by: Dmitri Shuralyov <[email protected]> Reviewed-by: Dmitri Shuralyov <[email protected]>
|
Change https://go.dev/cl/429317 mentions this issue: |
bradfitz
pushed a commit
to tailscale/go
that referenced
this issue
Sep 8, 2022
Disable cmd/internal/moddeps test, since this update includes PRIVATE track fixes. Fixes CVE-2022-27664 Fixes golang#54376 For golang#54658 Change-Id: I747900a66d7276e7d0bd246cd8cd0da95305c3ca Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1554417 Reviewed-by: Tatiana Bradley <[email protected]> Reviewed-by: Roland Shoemaker <[email protected]> Reviewed-on: https://go-review.googlesource.com/c/go/+/428655 Reviewed-by: Carlos Amedee <[email protected]> Reviewed-by: Tatiana Bradley <[email protected]> Run-TryBot: Michael Knyszek <[email protected]> TryBot-Result: Gopher Robot <[email protected]>
gopherbot
pushed a commit
that referenced
this issue
Sep 9, 2022
…907013720-d52c520e3766 Restore vendoring after go1.19.1 security release. For #54376 Change-Id: Ie1512aa2bf77e5f448893c89e4841cb14896da9b Reviewed-on: https://go-review.googlesource.com/c/go/+/429317 Reviewed-by: Carlos Amedee <[email protected]> Run-TryBot: Damien Neil <[email protected]> TryBot-Result: Gopher Robot <[email protected]>
bradfitz
pushed a commit
to tailscale/go
that referenced
this issue
Oct 5, 2022
…907013720-d52c520e3766 Restore vendoring after go1.19.1 security release. For golang#54376 Change-Id: Ie1512aa2bf77e5f448893c89e4841cb14896da9b Reviewed-on: https://go-review.googlesource.com/c/go/+/429317 Reviewed-by: Carlos Amedee <[email protected]> Run-TryBot: Damien Neil <[email protected]> TryBot-Result: Gopher Robot <[email protected]>
bradfitz
pushed a commit
to tailscale/go
that referenced
this issue
Oct 5, 2022
…907013720-d52c520e3766 Restore vendoring after go1.19.1 security release. For golang#54376 Change-Id: Ie1512aa2bf77e5f448893c89e4841cb14896da9b Reviewed-on: https://go-review.googlesource.com/c/go/+/429317 Reviewed-by: Carlos Amedee <[email protected]> Run-TryBot: Damien Neil <[email protected]> TryBot-Result: Gopher Robot <[email protected]>
bradfitz
pushed a commit
to tailscale/go
that referenced
this issue
Oct 5, 2022
…907013720-d52c520e3766 Restore vendoring after go1.19.1 security release. For golang#54376 Change-Id: Ie1512aa2bf77e5f448893c89e4841cb14896da9b Reviewed-on: https://go-review.googlesource.com/c/go/+/429317 Reviewed-by: Carlos Amedee <[email protected]> Run-TryBot: Damien Neil <[email protected]> TryBot-Result: Gopher Robot <[email protected]>
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
A closing HTTP/2 server connection could hang forever waiting for a clean shutdown that was preempted by a subsequent fatal error. This failure mode could be exploited to cause a denial of service.
Thanks to Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and Kaan Onarlioglu for reporting this.
This was a PRIVATE issue for CVE-2022-27664 tracked in http://b/219507101 and fixed by http://tg/1413887.
The text was updated successfully, but these errors were encountered: