Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

net/http: verify HTTP2 implementation against recent CVEs #16825

Closed
jabley opened this issue Aug 21, 2016 · 2 comments

Comments

Projects
None yet
3 participants
@jabley
Copy link

commented Aug 21, 2016

http://www.securityweek.com/high-profile-vulnerabilities-affect-http2-report discussed various issues reported at Black Hat USA 2016.

This is a placeholder to confirm that Go isn't vulnerable to:

  1. Slow Read (CVE-2016-1546)
  2. HPACK Bomb (CVE-2016-1544, CVE-2016-2525)
  3. Stream Reuse (CVE-2016-0150)
  4. Dependency Cycle Attack (CVE-2015-8659)
@bystones

This comment has been minimized.

Copy link

commented Aug 21, 2016

This looks like a duplicate of #16630?

@josharian josharian changed the title Verify HTTP2 implementation against recent CVEs net/http: verify HTTP2 implementation against recent CVEs Aug 21, 2016

@jabley

This comment has been minimized.

Copy link
Author

commented Aug 21, 2016

Yeah, sorry.

@jabley jabley closed this Aug 21, 2016

@golang golang locked and limited conversation to collaborators Aug 21, 2017

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
You can’t perform that action at this time.