Commit Graph

24 Commits

Author SHA1 Message Date
Sebastiaan van Stijn 5fcbbde4b9
vendor: golang.org/x/net v0.23.0
full diff: https://github.com/golang/net/compare/v0.22.0...v0.23.0

Includes a fix for CVE-2023-45288, which is also addressed in go1.22.2
and go1.21.9;

> http2: close connections when receiving too many headers
>
> Maintaining HPACK state requires that we parse and process
> all HEADERS and CONTINUATION frames on a connection.
> When a request's headers exceed MaxHeaderBytes, we don't
> allocate memory to store the excess headers but we do
> parse them. This permits an attacker to cause an HTTP/2
> endpoint to read arbitrary amounts of data, all associated
> with a request which is going to be rejected.
>
> Set a limit on the amount of excess header frames we
> will process before closing a connection.
>
> Thanks to Bartek Nowotarski for reporting this issue.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-04-09 14:52:51 +02:00
Sebastiaan van Stijn 4745b957d2
vendor: golang.org/x/net v0.22.0, golang.org/x/crypto v0.21.0
full diffs changes relevant to vendored code:

- https://github.com/golang/net/compare/v0.19.0...v0.22.0
    - http2: remove suspicious uint32->v conversion in frame code
    - http2: send an error of FLOW_CONTROL_ERROR when exceed the maximum octets
- https://github.com/golang/crypto/compare/v0.17.0...v0.21.0
    - (no changes in vendored code)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-04-09 14:50:53 +02:00
Sebastiaan van Stijn efae960e5a
vendor: golang.org/x/net v0.19.0
drops various code to support go1.17 and older

full diff: https://golang.org/x/net/compare/v0.17.0...v0.19.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-01-08 10:55:39 +01:00
Sebastiaan van Stijn a27466fb6f
vendor: golang.org/x/net v0.17.0
full diff: https://github.com/golang/net/compare/v0.10.0...v0.17.0

This fixes the same CVE as go1.21.3 and go1.20.10;

- net/http: rapid stream resets can cause excessive work

  A malicious HTTP/2 client which rapidly creates requests and
  immediately resets them can cause excessive server resource consumption.
  While the total number of requests is bounded to the
  http2.Server.MaxConcurrentStreams setting, resetting an in-progress
  request allows the attacker to create a new request while the existing
  one is still executing.

  HTTP/2 servers now bound the number of simultaneously executing
  handler goroutines to the stream concurrency limit. New requests
  arriving when at the limit (which can only happen after the client
  has reset an existing, in-flight request) will be queued until a
  handler exits. If the request queue grows too large, the server
  will terminate the connection.

  This issue is also fixed in golang.org/x/net/http2 v0.17.0,
  for users manually configuring HTTP/2.

  The default stream concurrency limit is 250 streams (requests)
  per HTTP/2 connection. This value may be adjusted using the
  golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams
  setting and the ConfigureServer function.

  This is CVE-2023-39325 and Go issue https://go.dev/issue/63417.
  This is also tracked by CVE-2023-44487.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-10-13 20:56:02 +02:00
Sebastiaan van Stijn e15ae9e2ee
vendor: golang.org/x/net v0.10.0
full diff: https://github.com/golang/net/compare/v0.8.0...v0.10.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-06-12 11:19:45 +02:00
Sebastiaan van Stijn d213548bd0
vendor: golang.org/x/net v0.7.0
full diff: https://github.com/golang/net/compare/v0.5.0...v0.7.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-03-15 01:42:00 +01:00
Sebastiaan van Stijn 526e5e7c95
vendor: golang.org/x/net v0.5.0
full diff: https://github.com/golang/net/compare/v0.4.0...v0.5.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-01-23 11:59:15 +01:00
Sebastiaan van Stijn 929f23fcf9
vendor: golang.org/x/net v0.4.0
full diff: https://github.com/golang/net/compare/v0.1.0...v0.4.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-12-22 23:00:49 +01:00
Sebastiaan van Stijn 880b7fc671
vendor: golang.org/x/net v0.1.0
The golang.org/x/ projects are now doing tagged releases.

full diff: https://github.com/golang/net/compare/f3363e06e74c...v0.1.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-11-16 16:02:41 +01:00
Sebastiaan van Stijn fc7e831a6a
vendor: golang.org/x/net v0.0.0-20220906165146-f3363e06e74c
Update to the latest version that contains a fix for CVE-2022-27664;
f3363e06e7

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-09-06 23:14:47 +02:00
Sebastiaan van Stijn 1bb2591444
vendor: golang.org/x/net v0.0.0-20211216030914-fe4d6282115f
intermediate bump for easier review

full diff: e18ecbb051...fe4d628211

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-03-16 15:21:39 +01:00
Sebastiaan van Stijn dea9976143
vendor: golang.org/x/net e18ecbb051101a46fc263334b127c89bc7bff7ea
full diff: ab34263943...e18ecbb051

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-06-21 14:29:30 +02:00
Sebastiaan van Stijn e70e756053
vendor golang.org/x/net v0.0.0-20200707034311-ab3426394381
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-09 14:07:52 +02:00
Sebastiaan van Stijn 3aab460ee1
vendor: golang.org/x/net 0de0cce0169b09b364e001f108dc0399ea8630b3
full diff: f3200d17e0...0de0cce016

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-04-22 17:18:55 +02:00
Tonis Tiigi 668a9ff8ef vendor: update net and sys
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2019-06-02 00:39:23 -07:00
Sebastiaan van Stijn b6cee4567c
bump golang.org/x/net eb5bcb51f2a31c7d5141d810b70815c05d9c9146
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-04-13 03:09:33 +02:00
Vincent Demeester 8788a4804f
Bump some dependencies to more recent versions (and tagged if available)
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
2018-07-25 14:16:41 +02:00
Vincent Demeester b1065767cd
Bump moby version (and its dependencies)
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
2018-06-08 11:26:10 +02:00
Mathieu Champlon 5d54584f03 Bump moby to d37f5c6bdf788a6cb82c07fb707e31a240eff5f9
Also bringing:
. golang.org/x/net 5561cd9b4330353950f399814f427425c0a26fd2
. github.com/docker/distribution 83389a148052d74ac602f5f1d62f86ff2f3c4aa5
. github.com/docker/swarmkit bd69f6e8e301645afd344913fa1ede53a0a111fb
. github.com/docker/go-metrics d466d4f6fd960e01820085bd7e1a24426ee7ef18
. github.com/prometheus/client_golang 52437c81da6b127a9925d17eb3a382a2e5fd395e
. github.com/beorn7/perks 4c0e84591b9aa9e6dcfdf3e020114cd81f89d5f9
. github.com/prometheus/client_model fa8ad6fec33561be4280a8f0514318c79d7f6cb6
. github.com/prometheus/common ebdfc6da46522d58825777cf1f90490a5b1ef1d8
. github.com/prometheus/procfs abf152e5f3e97f2fafac028d2cc06c1feb87ffa5
. github.com/matttproud/golang_protobuf_extensions v1.0.0

Signed-off-by: Mathieu Champlon <mathieu.champlon@docker.com>
2018-05-18 11:44:14 +02:00
Vincent Demeester 12c0825a4c Update golang.org/x/net to not panic
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
2017-12-28 14:40:09 +01:00
Vincent Demeester 61713c42a4 Update vendoring
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
2017-12-26 11:45:56 +01:00
Vincent Demeester 8417e49792 Add support for kubernetes in docker cli
- Add support for kubernetes for docker stack command
- Update to go 1.9
- Add kubernetes to vendors
- Print orchestrator in docker version command

Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Signed-off-by: Silvin Lubecki <silvin.lubecki@docker.com>
2017-12-26 11:22:32 +01:00
Sebastiaan van Stijn 679ae70241
bump golang.org/x/net to 7dcfb8076726a3fdd9353b6b8a1f1b6be6811bd6
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2017-07-03 17:40:41 -07:00
Daniel Nephin 6686ada6a4 Add vendor
Signed-off-by: Daniel Nephin <dnephin@docker.com>
2017-04-17 18:12:58 -04:00