[CVE-2023-45288] net/http, x/net/http2: close connections when receiving too many headers #124173
Comments
k8s-ci-robot
added
needs-sig
|
This issue is currently awaiting triage. If a SIG or subproject determines this is a relevant issue, they will accept it by applying the The Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/sig architecture cc @kubernetes/release-managers |
k8s-ci-robot
added
sig/architecture
|
more details in the announce email from golang folks - https://groups.google.com/g/golang-announce/c/YgW0sx8mN3M/m/khALNYGdAAAJ |
|
perhaps relevant (still checking myself): golang/go#66668 |
|
/cc @kubernetes/release-team-release-signal |
|
Updated issue description with a TODO list so that we can keep track |
|
All PRs in description are merged. Can we close this? |
|
/close |
|
@dims: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Fixed in golang 1.22.2 released today along with other things.
https://github.com/golang/go/issues?q=milestone%3AGo1.22.2+label%3ACherryPickApproved
we also need to update x/net as well as we use that directly too:
golang/net@ba87210
xref: golang/go#65051
TODO of what we need to do in order to fully close this out:
golang.org/x/netto v0.23.0 on all supported branchesgo1.22.2orgo1.21.9: Dependency update - Golang 1.22.2/1.21.9 release#3529go1.22.2: [go] Bump images, dependencies and versions to go 1.22.2 and distroless iptables #124196go1.21.9The text was updated successfully, but these errors were encountered: