security: fix CVE-2023-39325 [1.20 backport] #63426

Closed
gopherbot opened this issue Oct 6, 2023 · 4 comments · Fixed by tektoncd/plumbing#1635
Labels
CherryPickApproved Used during the release process for point releases FrozenDueToAge Security
Milestone

Comments

@gopherbot (Contributor)

@neild requested issue #63417 to be considered for backport to the next 1.20 minor release.

@gopherbot please open backport issues

@gopherbot gopherbot added CherryPickCandidate Used during the release process for point releases Security labels Oct 6, 2023
@gopherbot gopherbot added this to the Go1.20.10 milestone Oct 6, 2023
@dmitshur dmitshur added CherryPickApproved Used during the release process for point releases and removed CherryPickCandidate Used during the release process for point releases labels Oct 6, 2023
@gopherbot (Contributor, Author)

Change https://go.dev/cl/534255 mentions this issue: [release-branch.go1.20] net/http: regenerate h2_bundle.go

@gopherbot (Contributor, Author)

Closed by merging e175f27 to release-branch.go1.20.

gopherbot pushed a commit that referenced this issue Oct 10, 2023
Pull in a security fix from x/net/http2:
http2: limit maximum handler goroutines to MaxConcurrentStreams

For #63417
Fixes #63426
Fixes CVE-2023-39325

Change-Id: I6e32397323cd9b4114c990fcc9d19557a7f5f619
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2047401
Reviewed-by: Tatiana Bradley <[email protected]>
TryBot-Result: Security TryBots <[email protected]>
Run-TryBot: Damien Neil <[email protected]>
Reviewed-by: Ian Cottrell <[email protected]>
Reviewed-on: https://go-review.googlesource.com/c/go/+/534255
Reviewed-by: Dmitri Shuralyov <[email protected]>
Reviewed-by: Damien Neil <[email protected]>
TryBot-Bypass: Dmitri Shuralyov <[email protected]>
Reviewed-by: Michael Pratt <[email protected]>
Auto-Submit: Dmitri Shuralyov <[email protected]>
@gopherbot (Contributor, Author)

Change https://go.dev/cl/534236 mentions this issue: [internal-branch.go1.20-vendor] http2: limit maximum handler goroutines to MaxConcurrentStreams

gopherbot pushed a commit to golang/net that referenced this issue Oct 10, 2023
…es to MaxConcurrentStreams

When the peer opens a new stream while we have MaxConcurrentStreams
handler goroutines running, defer starting a handler until one
of the existing handlers exits.

For golang/go#63417.
For golang/go#63426.
For CVE-2023-39325.

Change-Id: If0531e177b125700f3e24c5ebd24b1023098fa6d
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2047553
Reviewed-by: Ian Cottrell <[email protected]>
Run-TryBot: Damien Neil <[email protected]>
Reviewed-by: Tatiana Bradley <[email protected]>
TryBot-Result: Security TryBots <[email protected]>
Reviewed-on: https://go-review.googlesource.com/c/net/+/534236
Reviewed-by: Dmitri Shuralyov <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>
Reviewed-by: Michael Pratt <[email protected]>
Auto-Submit: Dmitri Shuralyov <[email protected]>
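The commit message above describes the mitigation in one sentence: once MaxConcurrentStreams handler goroutines are running, a new stream's handler is not started until an existing handler exits. The block below is an added illustration of that bounding scheme, not the x/net/http2 code; the StreamLimiter type, its Submit/Wait methods and the Simulate driver are all assumed names for this example. It queues work past the limit, hands each freed slot to the next queued handler, and reports the peak number of handlers that actually ran at once so a reader can confirm the bound holds under a burst of submissions.

```go
package main

import (
	"fmt"
	"sync"
	"sync/atomic"
	"time"
)

// StreamLimiter bounds the number of concurrently running handler goroutines
// (hypothetical type for this example; not the net/http implementation).
// Handlers submitted beyond the limit are queued and started only when a
// running handler exits, which is the behaviour the commit message describes.
type StreamLimiter struct {
	mu      sync.Mutex
	limit   int
	running int
	pending []func()
	wg      sync.WaitGroup
}

// NewStreamLimiter returns a limiter that allows at most maxStreams handlers.
func NewStreamLimiter(maxStreams int) *StreamLimiter {
	return &StreamLimiter{limit: maxStreams}
}

// Submit starts handler in a new goroutine if a slot is free; otherwise it
// defers the handler until one of the running handlers finishes.
func (l *StreamLimiter) Submit(handler func()) {
	l.wg.Add(1)
	l.mu.Lock()
	defer l.mu.Unlock()
	if l.running < l.limit {
		l.running++
		go l.run(handler)
		return
	}
	l.pending = append(l.pending, handler)
}

// run executes one handler, then reuses its slot for the next queued handler
// instead of spawning a fresh goroutine; the slot is released only when the
// queue is empty, so running never exceeds limit.
func (l *StreamLimiter) run(handler func()) {
	for {
		handler()
		l.wg.Done()
		l.mu.Lock()
		if len(l.pending) == 0 {
			l.running--
			l.mu.Unlock()
			return
		}
		handler = l.pending[0]
		l.pending = l.pending[1:]
		l.mu.Unlock()
	}
}

// Wait blocks until every submitted handler has completed.
func (l *StreamLimiter) Wait() { l.wg.Wait() }

// Simulate submits n handlers that each occupy a slot for hold, then returns
// the peak number of handlers observed running simultaneously and the number
// that completed. The inputs are constructed for the example.
func Simulate(maxStreams, n int, hold time.Duration) (peak, completed int) {
	var inFlight, peakSeen, done int64
	l := NewStreamLimiter(maxStreams)
	for i := 0; i < n; i++ {
		l.Submit(func() {
			cur := atomic.AddInt64(&inFlight, 1)
			// Record the high-water mark of concurrently running handlers.
			for {
				old := atomic.LoadInt64(&peakSeen)
				if cur <= old || atomic.CompareAndSwapInt64(&peakSeen, old, cur) {
					break
				}
			}
			time.Sleep(hold)
			atomic.AddInt64(&inFlight, -1)
			atomic.AddInt64(&done, 1)
		})
	}
	l.Wait()
	return int(atomic.LoadInt64(&peakSeen)), int(atomic.LoadInt64(&done))
}

func main() {
	peak, completed := Simulate(4, 50, 5*time.Millisecond)
	fmt.Printf("peak concurrent handlers: %d, completed: %d\n", peak, completed)
}
```

The point of the design is that a burst of submissions (a peer opening many streams) only grows the pending queue, never the goroutine count, so the cost an unauthenticated peer can impose is bounded by MaxConcurrentStreams regardless of how quickly it opens and resets streams.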
@gopherbot (Contributor, Author)

Change https://go.dev/cl/534297 mentions this issue: [release-branch.go1.20] all: tidy dependency versioning after release

gopherbot pushed a commit that referenced this issue Oct 10, 2023
Done with:

go get golang.org/x/[email protected]
go mod tidy
go mod vendor
go generate net/http  # zero diff since CL 534255 already did this

For #63417.
For #63426.
For CVE-2023-39325.

Change-Id: Ib258e0d8165760a1082e02c2f4c5ce7d2a3c3c90
Reviewed-on: https://go-review.googlesource.com/c/go/+/534297
Auto-Submit: Dmitri Shuralyov <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
Reviewed-by: Michael Pratt <[email protected]>
TryBot-Bypass: Dmitri Shuralyov <[email protected]>
khrm added a commit to khrm/plumbing that referenced this issue Oct 12, 2023
Needed for CVE fix: golang/go#63426

Triggers EventListener, Hub, and Results are affected.
rhmdnd added a commit to rhmdnd/compliance-operator that referenced this issue Oct 17, 2023
Let's use an image that contains a patched version of net/http.

golang/go#63426
rhmdnd added a commit to rhmdnd/file-integrity-operator that referenced this issue Oct 17, 2023
Let's use a version of golang that contains a patched version of
net/http.

golang/go#63426
tekton-robot pushed a commit to tektoncd/plumbing that referenced this issue Oct 19, 2023
Needed for CVE fix: golang/go#63426

Triggers EventListener, Hub, and Results are affected.
rcrozean pushed a commit to rcrozean/go that referenced this issue Dec 7, 2023
# AWS EKS

Backported To: go-1.19.13-eks
Backported On: Thu, 12 Oct 2023
Backported By: [email protected]
Backported From: release-branch.go1.20
Source Commit: golang@e175f27

# Original Information

Pull in a security fix from x/net/http2:
http2: limit maximum handler goroutines to MaxConcurrentStreams

For golang#63417
Fixes golang#63426
Fixes CVE-2023-39325

Change-Id: I6e32397323cd9b4114c990fcc9d19557a7f5f619
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2047401
Reviewed-by: Tatiana Bradley <[email protected]>
TryBot-Result: Security TryBots <[email protected]>
Run-TryBot: Damien Neil <[email protected]>
Reviewed-by: Ian Cottrell <[email protected]>
Reviewed-on: https://go-review.googlesource.com/c/go/+/534255
Reviewed-by: Dmitri Shuralyov <[email protected]>
Reviewed-by: Damien Neil <[email protected]>
TryBot-Bypass: Dmitri Shuralyov <[email protected]>
Reviewed-by: Michael Pratt <[email protected]>
Auto-Submit: Dmitri Shuralyov <[email protected]>
@golang golang locked and limited conversation to collaborators Oct 9, 2024