DockerCLI

History

Sebastiaan van Stijn 5fcbbde4b9 vendor: golang.org/x/net v0.23.0 full diff: https://github.com/golang/net/compare/v0.22.0...v0.23.0 Includes a fix for CVE-2023-45288, which is also addressed in go1.22.2 and go1.21.9; > http2: close connections when receiving too many headers > > Maintaining HPACK state requires that we parse and process > all HEADERS and CONTINUATION frames on a connection. > When a request's headers exceed MaxHeaderBytes, we don't > allocate memory to store the excess headers but we do > parse them. This permits an attacker to cause an HTTP/2 > endpoint to read arbitrary amounts of data, all associated > with a request which is going to be rejected. > > Set a limit on the amount of excess header frames we > will process before closing a connection. > > Thanks to Bartek Nowotarski for reporting this issue. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>	2024-04-09 14:52:51 +02:00
..
x	vendor: golang.org/x/net v0.23.0	2024-04-09 14:52:51 +02:00

Sebastiaan van Stijn 5fcbbde4b9

full diff: https://github.com/golang/net/compare/v0.22.0...v0.23.0

Includes a fix for CVE-2023-45288, which is also addressed in go1.22.2
and go1.21.9;

> http2: close connections when receiving too many headers
>
> Maintaining HPACK state requires that we parse and process
> all HEADERS and CONTINUATION frames on a connection.
> When a request's headers exceed MaxHeaderBytes, we don't
> allocate memory to store the excess headers but we do
> parse them. This permits an attacker to cause an HTTP/2
> endpoint to read arbitrary amounts of data, all associated
> with a request which is going to be rejected.
>
> Set a limit on the amount of excess header frames we
> will process before closing a connection.
>
> Thanks to Bartek Nowotarski for reporting this issue.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

2024-04-09 14:52:51 +02:00

vendor: golang.org/x/net v0.23.0

2024-04-09 14:52:51 +02:00