A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.
In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.
A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.
This PR contains the following updates:
v0.0.0-20220607020251-c690dde0001d->v0.7.0GitHub Vulnerability Alerts
CVE-2022-41723
A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.
CVE-2022-27664
In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.
CVE-2022-41721
A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.
Release Notes
golang/net
### [`v0.7.0`](https://togithub.com/golang/net/compare/v0.6.0...v0.7.0) [Compare Source](https://togithub.com/golang/net/compare/v0.6.0...v0.7.0) ### [`v0.6.0`](https://togithub.com/golang/net/compare/v0.5.0...v0.6.0) [Compare Source](https://togithub.com/golang/net/compare/v0.5.0...v0.6.0) ### [`v0.5.0`](https://togithub.com/golang/net/compare/v0.4.0...v0.5.0) [Compare Source](https://togithub.com/golang/net/compare/v0.4.0...v0.5.0) ### [`v0.4.0`](https://togithub.com/golang/net/compare/v0.3.0...v0.4.0) [Compare Source](https://togithub.com/golang/net/compare/v0.3.0...v0.4.0) ### [`v0.3.0`](https://togithub.com/golang/net/compare/v0.2.0...v0.3.0) [Compare Source](https://togithub.com/golang/net/compare/v0.2.0...v0.3.0) ### [`v0.2.0`](https://togithub.com/golang/net/compare/v0.1.0...v0.2.0) [Compare Source](https://togithub.com/golang/net/compare/v0.1.0...v0.2.0)Configuration
π Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
π¦ Automerge: Disabled by config. Please merge this manually once you are satisfied.
β» Rebasing: Never, or you tick the rebase/retry checkbox.
π Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.