net/http: limit growth of header canonicalization cache #50058
Change https://golang.org/cl/370574 mentions this issue.

Change https://golang.org/cl/370575 mentions this issue.

https://golang.org/cl/369794 is the fix on x/net.

Reopening for bundling into Go 1.18.

Change https://golang.org/cl/370579 mentions this issue.

@gopherbot please open backport issues, this is CVE-2021-44716.

Backport issue(s) opened: #50064 (for 1.16), #50065 (for 1.17). Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://golang.org/wiki/MinorReleases.
Pull in security fix 84cba54

http2: cap the size of the server's canonical header cache

Updates golang#50058
Fixes CVE-2021-44716

Change-Id: Ia89e3d22a173c6cb83f03608d5186fcd08f2956c
Reviewed-on: https://go-review.googlesource.com/c/go/+/370574
Trust: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Alex Rakoczy <alex@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>

Pull in security fix a5309b3

http2: cap the size of the server's canonical header cache

Updates #50058
Fixes CVE-2021-44716

Change-Id: Ifdd13f97fce168de5fb4b2e74ef2060d059800b9
Reviewed-on: https://go-review.googlesource.com/c/go/+/370575
Trust: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Alex Rakoczy <alex@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
A Go net/http bug documented here golang/go#50058 could potentially affect users who enable Rook's webhook.

Signed-off-by: Blaine Gardner <blaine.gardner@redhat.com>
…anonical header cache

The HTTP/2 server keeps a per-connection cache mapping header keys to their canonicalized form (e.g., "foo-bar" => "Foo-Bar"). Cap the maximum size of this cache to prevent a peer sending many unique header keys from causing unbounded memory growth.

Cap chosen arbitrarily at 32 entries. Since this cache does not include common headers (e.g., "content-type"), 32 seems like more than enough for almost all normal uses.

Updates golang/go#50058
Fixes CVE-2021-44716

Change-Id: Ia83696dc23253c12af8f26d502557c2cc9841105
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1290827
Reviewed-by: Roland Shoemaker <bracewell@google.com>
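The commit message above describes the mechanism but not how the cap changes the memory profile. The following is an added illustration written for this page, not the x/net/http2 code: a minimal per-connection canonicalization memo in two modes, uncapped (the pre-fix behaviour) and capped at the 32 entries the commit chose. The type and function names (`canonCache`, `simulatePeer`) and the synthetic `x-constructed-N` header keys are this example's own; only the cap value comes from the page.

```go
package main

import (
	"fmt"
	"net/textproto"
)

// maxCachedCanonicalHeaders is the cap named in the commit message (32).
const maxCachedCanonicalHeaders = 32

// canonCache is a per-connection memo of raw header key -> canonical form.
// It is modelled on the behaviour described above, not the real
// x/net/http2 implementation; the names are this example's own.
type canonCache struct {
	entries map[string]string
	capped  bool // true: stop inserting once maxCachedCanonicalHeaders is reached
}

func newCanonCache(capped bool) *canonCache {
	return &canonCache{entries: make(map[string]string), capped: capped}
}

// canonical returns the canonical form of key, memoising it unless the
// cache is capped and already full. Uncapped, the map grows by one entry
// for every distinct key a peer sends, which is the unbounded growth
// CVE-2021-44716 describes. The cap only limits what is retained; the
// returned value is always correct.
func (c *canonCache) canonical(key string) string {
	if v, ok := c.entries[key]; ok {
		return v
	}
	v := textproto.CanonicalMIMEHeaderKey(key)
	if !c.capped || len(c.entries) < maxCachedCanonicalHeaders {
		c.entries[key] = v
	}
	return v
}

// Size reports how many raw keys the cache currently retains.
func (c *canonCache) Size() int { return len(c.entries) }

// simulatePeer feeds n distinct, constructed header keys
// ("x-constructed-0", "x-constructed-1", ...) through the cache and
// returns the number of entries retained afterwards. The keys are
// synthetic input for the demonstration only.
func simulatePeer(c *canonCache, n int) int {
	for i := 0; i < n; i++ {
		c.canonical(fmt.Sprintf("x-constructed-%d", i))
	}
	return c.Size()
}

func main() {
	const uniqueKeys = 10000
	fmt.Printf("uncapped cache after %d unique keys: %d entries\n",
		uniqueKeys, simulatePeer(newCanonCache(false), uniqueKeys))
	fmt.Printf("capped cache after %d unique keys:   %d entries\n",
		uniqueKeys, simulatePeer(newCanonCache(true), uniqueKeys))

	// Canonicalization still works for keys that did not fit in the cache.
	bounded := newCanonCache(true)
	simulatePeer(bounded, uniqueKeys)
	fmt.Println(bounded.canonical("foo-bar")) // Foo-Bar
}
```

The point of the capped variant is that retained state per connection is bounded by a constant rather than by what the peer chooses to send; a cache miss after the cap costs one extra `CanonicalMIMEHeaderKey` call, not memory. In the real server the same bound applies per connection, so the total is further limited by whatever connection limits the deployment already enforces.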
An attacker can cause unbounded memory growth in a Go server accepting HTTP/2 requests.
For users who cannot immediately update to the new release, setting the GODEBUG=http2server=0 environment variable before calling Serve will disable HTTP/2 unless it was manually configured through the golang.org/x/net/http2 package.
This issue is also fixed in golang.org/x/net/http2 v0.0.0-20211209124913-491a49abca63, for users manually configuring HTTP/2.
Thank you to murakmii for reporting this issue.
This is CVE-2021-44716 and is fixed in Go 1.17.5 and Go 1.16.12.