- https://github.com/golang/net/compare/v0.18.0...v0.22.0
  - websocket: add support for dialing with context
  - http2: remove suspicious uint32->v conversion in frame code
  - http2: send an error of FLOW_CONTROL_ERROR when exceed the maximum octets
- https://github.com/golang/crypto/compare/v0.17.0...v0.21.0
  - internal/poly1305: drop Go 1.12 compatibility
  - internal/poly1305: improve sum_ppc64le.s
  - ocsp: don't use iota for externally defined constants
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit e1ca74361bc975ba85d998c040369c5839329d3b)
Signed-off-by: Austin Vazquez <macedonv@amazon.com>
full diff: https://github.com/golang/net/compare/v0.22.0...v0.23.0
Includes a fix for CVE-2023-45288, which is also addressed in go1.22.2 and go1.21.9;
> http2: close connections when receiving too many headers
>
> Maintaining HPACK state requires that we parse and process
> all HEADERS and CONTINUATION frames on a connection.
> When a request's headers exceed MaxHeaderBytes, we don't
> allocate memory to store the excess headers but we do
> parse them. This permits an attacker to cause an HTTP/2
> endpoint to read arbitrary amounts of data, all associated
> with a request which is going to be rejected.
>
> Set a limit on the amount of excess header frames we
> will process before closing a connection.
>
> Thanks to Bartek Nowotarski for reporting this issue.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit d66589496e5ab42d31f3fddaf8075fb37f1b77c6)
Signed-off-by: Austin Vazquez <macedonv@amazon.com>
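To make the mechanism in the quoted upstream message concrete, the following is an added Go illustration written for this page; it is not code from golang.org/x/net, from Go's bundled http2, or from this vendoring change. It models a header block as a sequence of HEADERS/CONTINUATION fragments, feeds every fragment to a stand-in HPACK decoder (as a real endpoint must, or the dynamic table desynchronises from the peer's encoder), and contrasts unbounded parsing after a request has been marked for rejection with a cap on the excess bytes that tears the connection down. The frame type, the decoder stub, the function names, the error value and the limits (300 header bytes, 500 excess bytes) are all constructed for the example and do not correspond to x/net's actual types, thresholds or error codes.

```go
package main

import (
	"errors"
	"fmt"
)

// headerFrame is a constructed stand-in for an HTTP/2 HEADERS or CONTINUATION
// frame: only the header block fragment and the END_HEADERS flag matter here.
type headerFrame struct {
	fragment   []byte
	endHeaders bool
}

// hpackDecoder stands in for the real HPACK decoder. Every fragment on the
// connection must be fed to it, even for a request that will be rejected,
// otherwise the dynamic table goes out of sync with the peer's encoder.
type hpackDecoder struct {
	consumed int
}

func (d *hpackDecoder) feed(fragment []byte) {
	d.consumed += len(fragment)
}

// ErrTooManyHeaders is a constructed error meaning "close the connection, not
// just the stream"; x/net's real error code is not modelled here.
var ErrTooManyHeaders = errors.New("too many header bytes for a request that will be rejected; close connection")

// readHeaderBlockUnbounded models the pre-fix behaviour the commit message
// describes: past maxHeaderBytes the request is marked for rejection and no
// more header memory is allocated, but parsing continues until END_HEADERS,
// which an attacker can simply never send.
func readHeaderBlockUnbounded(frames []headerFrame, maxHeaderBytes int, dec *hpackDecoder) (rejected bool, parsed int) {
	for _, f := range frames {
		dec.feed(f.fragment)
		parsed += len(f.fragment)
		if parsed > maxHeaderBytes {
			rejected = true
		}
		if f.endHeaders {
			break
		}
	}
	return rejected, parsed
}

// readHeaderBlockBounded adds the mitigation: keep feeding the decoder so HPACK
// state stays correct, but count the bytes parsed beyond maxHeaderBytes and
// give up on the whole connection once that excess exceeds maxExcessBytes.
func readHeaderBlockBounded(frames []headerFrame, maxHeaderBytes, maxExcessBytes int, dec *hpackDecoder) (rejected bool, parsed int, err error) {
	for _, f := range frames {
		dec.feed(f.fragment)
		parsed += len(f.fragment)
		if parsed > maxHeaderBytes {
			rejected = true
			if parsed-maxHeaderBytes > maxExcessBytes {
				return true, parsed, ErrTooManyHeaders
			}
		}
		if f.endHeaders {
			break
		}
	}
	return rejected, parsed, nil
}

// continuationFlood builds the attacker's constructed input: n fragments of
// size bytes, none carrying END_HEADERS, so the header block never completes.
func continuationFlood(n, size int) []headerFrame {
	frames := make([]headerFrame, n)
	for i := range frames {
		frames[i] = headerFrame{fragment: make([]byte, size)}
	}
	return frames
}

// request builds a well-formed header block: n fragments, the last with END_HEADERS.
func request(n, size int) []headerFrame {
	frames := continuationFlood(n, size)
	frames[n-1].endHeaders = true
	return frames
}

func main() {
	const maxHeaderBytes, maxExcessBytes = 300, 500 // chosen for the example only
	flood := continuationFlood(100, 100)            // 10 000 bytes, never terminated

	rejected, parsed := readHeaderBlockUnbounded(flood, maxHeaderBytes, &hpackDecoder{})
	fmt.Printf("unbounded: rejected=%v parsed=%d (attacker decides how large this gets)\n", rejected, parsed)

	rejected, parsed, err := readHeaderBlockBounded(flood, maxHeaderBytes, maxExcessBytes, &hpackDecoder{})
	fmt.Printf("bounded:   rejected=%v parsed=%d err=%v\n", rejected, parsed, err)

	rejected, parsed, err = readHeaderBlockBounded(request(4, 100), maxHeaderBytes, maxExcessBytes, &hpackDecoder{})
	fmt.Printf("finite oversized request: rejected=%v parsed=%d err=%v (stream rejected, connection kept)\n", rejected, parsed, err)
}
```

With an unterminated CONTINUATION stream the unbounded reader parses whatever the peer sends, while the bounded reader stops after maxHeaderBytes + maxExcessBytes plus at most one fragment. A finite request that merely overshoots maxHeaderBytes is still rejected at the stream level without dropping the connection, which is the distinction the fix relies on.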