net/http: limit canonical header cache by bytes, not entries (CVE-2022-41717) #56350
Comments
|
@gopherbot please open backport issues |
This was referenced Nov 30, 2022
|
Backport issue(s) opened: #57008 (for 1.18), #57009 (for 1.19). Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases. |
|
Change https://go.dev/cl/455361 mentions this issue: |
|
Change https://go.dev/cl/455363 mentions this issue: |
gopherbot
pushed a commit
that referenced
this issue
Dec 6, 2022
Disable cmd/internal/moddeps test, since this update includes PRIVATE track fixes. For #56350 For #57008 Fixes CVE-2022-41717 Change-Id: I31ebd2b9ae190ef6f7646187103ea1c8a713ff2e Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1663833 Reviewed-by: Tatiana Bradley <tatianabradley@google.com> Reviewed-by: Julie Qiu <julieqiu@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/455361 Run-TryBot: Jenny Rakoczy <jenny@golang.org> Reviewed-by: Michael Pratt <mpratt@google.com> TryBot-Result: Gopher Robot <gobot@golang.org>
gopherbot
pushed a commit
that referenced
this issue
Dec 6, 2022
Disable cmd/internal/moddeps test, since this update includes PRIVATE track fixes. For #56350. For #57009. Fixes CVE-2022-41717. Change-Id: I5c6ce546add81f361dcf0d5123fa4eaaf8f0a03b Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1663835 Reviewed-by: Tatiana Bradley <tatianabradley@google.com> Reviewed-by: Julie Qiu <julieqiu@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/455363 TryBot-Result: Gopher Robot <gobot@golang.org> Run-TryBot: Jenny Rakoczy <jenny@golang.org> Reviewed-by: Michael Pratt <mpratt@google.com>
|
Change https://go.dev/cl/455635 mentions this issue: |
|
@damz correct, we always release Go first for private track issues. |
gopherbot
pushed a commit
to golang/net
that referenced
this issue
Dec 6, 2022
The canonical header cache is a per-connection cache mapping header keys to their canonicalized form. (For example, "foo-bar" => "Foo-Bar"). We limit the number of entries in the cache to prevent an attacker from consuming unbounded amounts of memory by sending many unique keys, but a small number of very large keys can still consume an unreasonable amount of memory. Track the amount of memory consumed by the cache and limit it based on memory rather than number of entries. Thanks to Josselin Costanzi for reporting this issue. For golang/go#56350 Change-Id: I41db4c9823ed5bf371a9881accddff1268489b16 Reviewed-on: https://go-review.googlesource.com/c/net/+/455635 Reviewed-by: Jenny Rakoczy <jenny@golang.org> Run-TryBot: Damien Neil <dneil@google.com> TryBot-Result: Gopher Robot <gobot@golang.org>
|
I see golang/net@1e63c2f was merged; will there be a tagged release with it? |
|
@thaJeztah Tagging will happen automatically after the post-submit build completes. |
toothrot
changed the title
toothrot
changed the title
|
Change https://go.dev/cl/455717 mentions this issue: |
|
Change https://go.dev/cl/455735 mentions this issue: |
|
Change https://go.dev/cl/455736 mentions this issue: |
andrew-d
pushed a commit
to tailscale/go
that referenced
this issue
Dec 7, 2022
Disable cmd/internal/moddeps test, since this update includes PRIVATE track fixes. For golang#56350. For golang#57009. Fixes CVE-2022-41717. Change-Id: I5c6ce546add81f361dcf0d5123fa4eaaf8f0a03b Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1663835 Reviewed-by: Tatiana Bradley <tatianabradley@google.com> Reviewed-by: Julie Qiu <julieqiu@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/455363 TryBot-Result: Gopher Robot <gobot@golang.org> Run-TryBot: Jenny Rakoczy <jenny@golang.org> Reviewed-by: Michael Pratt <mpratt@google.com>
This was referenced Dec 8, 2022
gopherbot
pushed a commit
to golang/net
that referenced
this issue
Dec 9, 2022
…y bytes, not entries The canonical header cache is a per-connection cache mapping header keys to their canonicalized form. (For example, "foo-bar" => "Foo-Bar"). We limit the number of entries in the cache to prevent an attacker from consuming unbounded amounts of memory by sending many unique keys, but a small number of very large keys can still consume an unreasonable amount of memory. Track the amount of memory consumed by the cache and limit it based on memory rather than number of entries. Thanks to Josselin Costanzi for reporting this issue. For golang/go#56350 For golang/go#57008 Fixes CVE-2022-41717 Change-Id: Ief3c141001524fd3776958ecc8556c724427f063 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1619953 Reviewed-by: Roland Shoemaker <bracewell@google.com> Reviewed-by: Julie Qiu <julieqiu@google.com> Run-TryBot: Damien Neil <dneil@google.com> Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1662692 Reviewed-by: Tatiana Bradley <tatianabradley@google.com> Reviewed-on: https://go-review.googlesource.com/c/net/+/455735 TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Damien Neil <dneil@google.com> Reviewed-by: Jenny Rakoczy <jenny@golang.org>
gopherbot
pushed a commit
to golang/net
that referenced
this issue
Dec 10, 2022
…y bytes, not entries The canonical header cache is a per-connection cache mapping header keys to their canonicalized form. (For example, "foo-bar" => "Foo-Bar"). We limit the number of entries in the cache to prevent an attacker from consuming unbounded amounts of memory by sending many unique keys, but a small number of very large keys can still consume an unreasonable amount of memory. Track the amount of memory consumed by the cache and limit it based on memory rather than number of entries. Thanks to Josselin Costanzi for reporting this issue. For golang/go#56350 For golang/go#57009 Fixes CVE-2022-41717 Change-Id: Ief3c141001524fd3776958ecc8556c724427f063 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1619953 Reviewed-by: Roland Shoemaker <bracewell@google.com> Reviewed-by: Julie Qiu <julieqiu@google.com> Run-TryBot: Damien Neil <dneil@google.com> Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1662693 Reviewed-by: Tatiana Bradley <tatianabradley@google.com> Reviewed-on: https://go-review.googlesource.com/c/net/+/455736 Reviewed-by: Jenny Rakoczy <jenny@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Damien Neil <dneil@google.com> Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
3 tasks
anik120
added a commit
to anik120/rukpak
that referenced
this issue
Jan 23, 2023
The fix for golang/go#56350 has been included in k8s/client-go v0.25.5 via the version bump of the required golang.org/x/net dep to v0.3.1-0.20221206200815-1e63c2f08a10. This PR bumps the version of k8s/client-go to the latest avaialble v0.25.6 as of 01/23/23.
anik120
added a commit
to anik120/rukpak
that referenced
this issue
Jan 24, 2023
The fix for golang/go#56350 has been [included in the v0.4.0 release](golang/net@1e63c2f). This PR bumps the version of golang/x/net to v0.4.0 to pick up the CVE fix.
awgreene
pushed a commit
to operator-framework/rukpak
that referenced
this issue
Jan 24, 2023
The fix for golang/go#56350 has been [included in the v0.4.0 release](golang/net@1e63c2f). This PR bumps the version of golang/x/net to v0.4.0 to pick up the CVE fix.
awgreene
pushed a commit
to awgreene/operator-framework-rukpak
that referenced
this issue
Jan 24, 2023
The fix for golang/go#56350 has been [included in the v0.4.0 release](golang/net@1e63c2f). This PR bumps the version of golang/x/net to v0.4.0 to pick up the CVE fix.
tmshort
pushed a commit
to tmshort/operator-framework-rukpak
that referenced
this issue
Feb 28, 2023
The fix for golang/go#56350 has been [included in the v0.4.0 release](golang/net@1e63c2f). This PR bumps the version of golang/x/net to v0.4.0 to pick up the CVE fix. (cherry picked from commit d946c58) Signed-off-by: Todd Short <todd.short@me.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This is a PRIVATE issue for CVE-2022-41717 tracked in http://b/253471637.
net/http: limit canonical header cache by bytes, not entries
An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests.
HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.
This issue is also fixed in golang.org/x/net/http2 v0.4.0, for users manually configuring HTTP/2.
Thanks to Josselin Costanzi for reporting this issue.
The text was updated successfully, but these errors were encountered: