mirror of https://github.com/docker/cli.git
02b482013c
full diff: https://github.com/golang/net/compare/v0.22.0...v0.23.0
Includes a fix for CVE-2023-45288, which is also addressed in go1.22.2
and go1.21.9;
> http2: close connections when receiving too many headers
>
> Maintaining HPACK state requires that we parse and process
> all HEADERS and CONTINUATION frames on a connection.
> When a request's headers exceed MaxHeaderBytes, we don't
> allocate memory to store the excess headers but we do
> parse them. This permits an attacker to cause an HTTP/2
> endpoint to read arbitrary amounts of data, all associated
> with a request which is going to be rejected.
>
> Set a limit on the amount of excess header frames we
> will process before closing a connection.
>
> Thanks to Bartek Nowotarski for reporting this issue.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit
|
||
|---|---|---|
| .. | ||
| hpack | ||
| .gitignore | ||
| ascii.go | ||
| ciphers.go | ||
| client_conn_pool.go | ||
| databuffer.go | ||
| errors.go | ||
| flow.go | ||
| frame.go | ||
| gotrack.go | ||
| headermap.go | ||
| http2.go | ||
| pipe.go | ||
| server.go | ||
| testsync.go | ||
| transport.go | ||
| write.go | ||
| writesched.go | ||
| writesched_priority.go | ||
| writesched_random.go | ||
| writesched_roundrobin.go | ||