net/http: insufficient sanitization of Host header [1.20 backport] #61076
Labels
CherryPickApproved
Used during the release process for point releases
FrozenDueToAge
release-blocker
Security
Milestone
Comments
gopherbot
added
the
CherryPickCandidate
|
Change https://go.dev/cl/507357 mentions this issue: |
tatianab
added
release-blocker
CherryPickApproved
gopherbot
removed
the
CherryPickCandidate
|
Change https://go.dev/cl/507905 mentions this issue: |
|
Change https://go.dev/cl/507906 mentions this issue: |
|
Closed by merging 312920c to release-branch.go1.20. |
gopherbot
pushed a commit
that referenced
this issue
Jul 6, 2023
Verify that the Host header we send is valid. Avoids surprising behavior such as a Host of "go.dev\r\nX-Evil:oops" adding an X-Evil header to HTTP/1 requests. Add a test, skip the test for HTTP/2. HTTP/2 is not vulnerable to header injection in the way HTTP/1 is, but x/net/http2 doesn't validate the header and will go into a retry loop when the server rejects it. CL 506995 adds the necessary validation to x/net/http2. For #60374 Fixes #61076 For CVE-2023-29406 Change-Id: I05cb6866a9bead043101954dfded199258c6dd04 Reviewed-on: https://go-review.googlesource.com/c/go/+/506996 Reviewed-by: Tatiana Bradley <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Run-TryBot: Damien Neil <[email protected]> (cherry picked from commit 499458f) Reviewed-on: https://go-review.googlesource.com/c/go/+/507357 Reviewed-by: Damien Neil <[email protected]> Run-TryBot: Tatiana Bradley <[email protected]> Reviewed-by: Roland Shoemaker <[email protected]>
AlexanderYastrebov
added a commit
to zalando/skipper
that referenced
this issue
Jul 13, 2023
Redis testcontainer fails to start due to due to testcontainers/testcontainers-go#1359 caused by golang/go#61076 and we can not pin cdp-runtime/go to a working patch version before 1.20.6 Signed-off-by: Alexander Yastrebov <[email protected]>
AlexanderYastrebov
added a commit
to zalando/skipper
that referenced
this issue
Jul 13, 2023
Redis testcontainer fails to start due to due to testcontainers/testcontainers-go#1359 caused by golang/go#61076 and we can not pin cdp-runtime/go to a working patch version before 1.20.6 Signed-off-by: Alexander Yastrebov <[email protected]>
AlexanderYastrebov
added a commit
to zalando/skipper
that referenced
this issue
Jul 13, 2023
Redis testcontainer fails to start due to testcontainers/testcontainers-go#1359 caused by golang/go#61076 and we can not pin cdp-runtime/go to a working patch version before 1.20.6 Signed-off-by: Alexander Yastrebov <[email protected]>
AlexanderYastrebov
added a commit
to zalando/skipper
that referenced
this issue
Jul 14, 2023
Redis testcontainer fails to start due to testcontainers/testcontainers-go#1359 caused by golang/go#61076 and we can not pin cdp-runtime/go to a working patch version before 1.20.6 Signed-off-by: Alexander Yastrebov <[email protected]>
AlexanderYastrebov
added a commit
to zalando/skipper
that referenced
this issue
Jul 15, 2023
Redis testcontainer fails to start due to testcontainers/testcontainers-go#1359 caused by golang/go#61076 and we can not pin cdp-runtime/go to a working patch version before 1.20.6 Signed-off-by: Alexander Yastrebov <[email protected]>
caixw
added a commit
to issue9/assert
that referenced
this issue
Jul 21, 2023
golang/go#61076 添加了对 HOST 的验证, 原有的实现不再可行。
TomaszAIR
added a commit
to 3mdeb/meta-balena-engine
that referenced
this issue
Nov 2, 2023
Go used in kirkstone uses fix for CVE-2023-29406 which breaks docker/balena engine. see: - moby/moby#46614 - moby/moby#45935 - golang/go#61076 Signed-off-by: Tomasz Żyjewski <[email protected]>
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
@neild requested issue #60374 to be considered for backport to the next 1.20 minor release.
The text was updated successfully, but these errors were encountered: