DockerCLI/vendor/golang.org/x
Sebastiaan van Stijn 02b482013c
vendor: golang.org/x/net v0.23.0
full diff: https://github.com/golang/net/compare/v0.22.0...v0.23.0

Includes a fix for CVE-2023-45288, which is also addressed in go1.22.2
and go1.21.9;

> http2: close connections when receiving too many headers
>
> Maintaining HPACK state requires that we parse and process
> all HEADERS and CONTINUATION frames on a connection.
> When a request's headers exceed MaxHeaderBytes, we don't
> allocate memory to store the excess headers but we do
> parse them. This permits an attacker to cause an HTTP/2
> endpoint to read arbitrary amounts of data, all associated
> with a request which is going to be rejected.
>
> Set a limit on the amount of excess header frames we
> will process before closing a connection.
>
> Thanks to Bartek Nowotarski for reporting this issue.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 5fcbbde4b9)
Signed-off-by: Austin Vazquez <macedonv@amazon.com>
2024-07-22 17:01:43 +00:00
..
crypto vendor: golang.org/x/crypto v0.1.0 (fix OpenSSL > 9.3 compatibility) 2022-11-16 16:05:32 +01:00
mod vendor: golang.org/x/tools v0.16.0, golang.org/x/mod v0.14.0 2024-01-08 11:02:26 +01:00
net vendor: golang.org/x/net v0.23.0 2024-07-22 17:01:43 +00:00
sync vendor: golang.org/x/sync v0.6.0 2024-01-08 10:52:47 +01:00
sys vendor: golang.org/x/sys v0.18.0 2024-07-22 17:01:40 +00:00
term vendor: golang.org/x/crypto v0.16.0 2023-12-18 13:47:30 +01:00
text vendor: golang.org/x/text v0.14.0 2023-12-18 13:46:41 +01:00
time vendor: golang.org/x/time v0.3.0 2023-03-15 01:35:57 +01:00
tools vendor: golang.org/x/tools v0.16.0, golang.org/x/mod v0.14.0 2024-01-08 11:02:26 +01:00