-
Notifications
You must be signed in to change notification settings - Fork 17.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
net/http: limit canonical header cache by bytes, not entries (CVE-2022-41717) #56350
net/http: limit canonical header cache by bytes, not entries (CVE-2022-41717) #56350
Comments
@gopherbot please open backport issues |
Backport issue(s) opened: #57008 (for 1.18), #57009 (for 1.19). Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases. |
Change https://go.dev/cl/455361 mentions this issue: |
Change https://go.dev/cl/455363 mentions this issue: |
Disable cmd/internal/moddeps test, since this update includes PRIVATE track fixes. For #56350 For #57008 Fixes CVE-2022-41717 Change-Id: I31ebd2b9ae190ef6f7646187103ea1c8a713ff2e Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1663833 Reviewed-by: Tatiana Bradley <[email protected]> Reviewed-by: Julie Qiu <[email protected]> Reviewed-on: https://go-review.googlesource.com/c/go/+/455361 Run-TryBot: Jenny Rakoczy <[email protected]> Reviewed-by: Michael Pratt <[email protected]> TryBot-Result: Gopher Robot <[email protected]>
Disable cmd/internal/moddeps test, since this update includes PRIVATE track fixes. For #56350. For #57009. Fixes CVE-2022-41717. Change-Id: I5c6ce546add81f361dcf0d5123fa4eaaf8f0a03b Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1663835 Reviewed-by: Tatiana Bradley <[email protected]> Reviewed-by: Julie Qiu <[email protected]> Reviewed-on: https://go-review.googlesource.com/c/go/+/455363 TryBot-Result: Gopher Robot <[email protected]> Run-TryBot: Jenny Rakoczy <[email protected]> Reviewed-by: Michael Pratt <[email protected]>
Change https://go.dev/cl/455635 mentions this issue: |
@damz correct, we always release Go first for private track issues. |
The canonical header cache is a per-connection cache mapping header keys to their canonicalized form. (For example, "foo-bar" => "Foo-Bar"). We limit the number of entries in the cache to prevent an attacker from consuming unbounded amounts of memory by sending many unique keys, but a small number of very large keys can still consume an unreasonable amount of memory. Track the amount of memory consumed by the cache and limit it based on memory rather than number of entries. Thanks to Josselin Costanzi for reporting this issue. For golang/go#56350 Change-Id: I41db4c9823ed5bf371a9881accddff1268489b16 Reviewed-on: https://go-review.googlesource.com/c/net/+/455635 Reviewed-by: Jenny Rakoczy <[email protected]> Run-TryBot: Damien Neil <[email protected]> TryBot-Result: Gopher Robot <[email protected]>
I see golang/net@1e63c2f was merged; will there be a tagged release with it? |
@thaJeztah Tagging will happen automatically after the post-submit build completes. |
Change https://go.dev/cl/455717 mentions this issue: |
Change https://go.dev/cl/455735 mentions this issue: |
Change https://go.dev/cl/455736 mentions this issue: |
Disable cmd/internal/moddeps test, since this update includes PRIVATE track fixes. For golang#56350. For golang#57009. Fixes CVE-2022-41717. Change-Id: I5c6ce546add81f361dcf0d5123fa4eaaf8f0a03b Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1663835 Reviewed-by: Tatiana Bradley <[email protected]> Reviewed-by: Julie Qiu <[email protected]> Reviewed-on: https://go-review.googlesource.com/c/go/+/455363 TryBot-Result: Gopher Robot <[email protected]> Run-TryBot: Jenny Rakoczy <[email protected]> Reviewed-by: Michael Pratt <[email protected]>
…y bytes, not entries The canonical header cache is a per-connection cache mapping header keys to their canonicalized form. (For example, "foo-bar" => "Foo-Bar"). We limit the number of entries in the cache to prevent an attacker from consuming unbounded amounts of memory by sending many unique keys, but a small number of very large keys can still consume an unreasonable amount of memory. Track the amount of memory consumed by the cache and limit it based on memory rather than number of entries. Thanks to Josselin Costanzi for reporting this issue. For golang/go#56350 For golang/go#57008 Fixes CVE-2022-41717 Change-Id: Ief3c141001524fd3776958ecc8556c724427f063 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1619953 Reviewed-by: Roland Shoemaker <[email protected]> Reviewed-by: Julie Qiu <[email protected]> Run-TryBot: Damien Neil <[email protected]> Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1662692 Reviewed-by: Tatiana Bradley <[email protected]> Reviewed-on: https://go-review.googlesource.com/c/net/+/455735 TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Damien Neil <[email protected]> Reviewed-by: Jenny Rakoczy <[email protected]>
…y bytes, not entries The canonical header cache is a per-connection cache mapping header keys to their canonicalized form. (For example, "foo-bar" => "Foo-Bar"). We limit the number of entries in the cache to prevent an attacker from consuming unbounded amounts of memory by sending many unique keys, but a small number of very large keys can still consume an unreasonable amount of memory. Track the amount of memory consumed by the cache and limit it based on memory rather than number of entries. Thanks to Josselin Costanzi for reporting this issue. For golang/go#56350 For golang/go#57009 Fixes CVE-2022-41717 Change-Id: Ief3c141001524fd3776958ecc8556c724427f063 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1619953 Reviewed-by: Roland Shoemaker <[email protected]> Reviewed-by: Julie Qiu <[email protected]> Run-TryBot: Damien Neil <[email protected]> Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1662693 Reviewed-by: Tatiana Bradley <[email protected]> Reviewed-on: https://go-review.googlesource.com/c/net/+/455736 Reviewed-by: Jenny Rakoczy <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Damien Neil <[email protected]> Auto-Submit: Dmitri Shuralyov <[email protected]>
The fix for golang/go#56350 has been included in k8s/client-go v0.25.5 via the version bump of the required golang.org/x/net dep to v0.3.1-0.20221206200815-1e63c2f08a10. This PR bumps the version of k8s/client-go to the latest avaialble v0.25.6 as of 01/23/23.
The fix for golang/go#56350 has been [included in the v0.4.0 release](golang/net@1e63c2f). This PR bumps the version of golang/x/net to v0.4.0 to pick up the CVE fix.
The fix for golang/go#56350 has been [included in the v0.4.0 release](golang/net@1e63c2f). This PR bumps the version of golang/x/net to v0.4.0 to pick up the CVE fix.
The fix for golang/go#56350 has been [included in the v0.4.0 release](golang/net@1e63c2f). This PR bumps the version of golang/x/net to v0.4.0 to pick up the CVE fix.
The fix for golang/go#56350 has been [included in the v0.4.0 release](golang/net@1e63c2f). This PR bumps the version of golang/x/net to v0.4.0 to pick up the CVE fix. (cherry picked from commit d946c58) Signed-off-by: Todd Short <[email protected]>
This is a PRIVATE issue for CVE-2022-41717 tracked in http://b/253471637.
net/http: limit canonical header cache by bytes, not entries
An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests.
HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.
This issue is also fixed in golang.org/x/net/http2 v0.4.0, for users manually configuring HTTP/2.
Thanks to Josselin Costanzi for reporting this issue.
The text was updated successfully, but these errors were encountered: