DockerCLI/vendor
Sebastiaan van Stijn 02b482013c
vendor: golang.org/x/net v0.23.0
full diff: https://github.com/golang/net/compare/v0.22.0...v0.23.0

Includes a fix for CVE-2023-45288, which is also addressed in go1.22.2
and go1.21.9;

> http2: close connections when receiving too many headers
>
> Maintaining HPACK state requires that we parse and process
> all HEADERS and CONTINUATION frames on a connection.
> When a request's headers exceed MaxHeaderBytes, we don't
> allocate memory to store the excess headers but we do
> parse them. This permits an attacker to cause an HTTP/2
> endpoint to read arbitrary amounts of data, all associated
> with a request which is going to be rejected.
>
> Set a limit on the amount of excess header frames we
> will process before closing a connection.
>
> Thanks to Bartek Nowotarski for reporting this issue.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 5fcbbde4b9)
Signed-off-by: Austin Vazquez <macedonv@amazon.com>
2024-07-22 17:01:43 +00:00
..
dario.cat/mergo rename and update mergo module 2023-06-26 22:25:52 +02:00
github.com vendor: golang.org/x/net v0.22.0, golang.org/x/crypto v0.21.0 2024-07-22 17:01:43 +00:00
go.etcd.io/etcd/raft/v3 vendor: github.com/docker/swarmkit 616e8db4c3b0 2022-03-16 15:39:52 +01:00
go.opentelemetry.io vendor: golang.org/x/net v0.22.0, golang.org/x/crypto v0.21.0 2024-07-22 17:01:43 +00:00
golang.org/x vendor: golang.org/x/net v0.23.0 2024-07-22 17:01:43 +00:00
google.golang.org vendor: google.golang.org/grpc v1.58.3 2023-11-01 16:07:00 +01:00
gopkg.in/yaml.v2 vendor dependencies with go1.17 2022-03-26 19:48:14 +01:00
gotest.tools/v3 vendor: gotest.tools/v3 v3.5.1 2023-10-20 17:39:10 +02:00
tags.cncf.io/container-device-interface Update container-device-interface to v0.6.2 2023-11-04 01:18:41 +01:00
modules.txt vendor: golang.org/x/net v0.23.0 2024-07-22 17:01:43 +00:00