open-policy-agent / kube-mgmt

Sidecar for managing OPA instances in Kubernetes.
Apache License 2.0
235 stars 105 forks

High Risk Vulnerability found in 8.5.7 image #257

Closed apy-liu closed 1 month ago

apy-liu commented 1 month ago

The latest 8.5.7 image version does not seem to contain the fix needed to resolve this high-risk vulnerability; our security tool still flagged this: https://pkg.go.dev/vuln/GO-2024-2887#

Could someone with a better understanding of this image help fix this vulnerability?

Thanks

eshepelyuk commented 1 month ago

Duplicate of #253

apy-liu commented 1 month ago

Hi @eshepelyuk thanks for reviewing this. Is this a duplicate of the other issue because the fix is the same?

I see they're listed as two different CVEs:

This one:

GO-2024-2887
Affects: net/netip
Published: Jun 04, 2024
The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses that would return true in their traditional IPv4 forms.

CVE raised in #253:

CVE-2023-45288
Fix: Upgrade golang.org/x/net/http2 to version 0.23.0 or higher.

Overview:
<golang.org/x/net/http2> is a work-in-progress HTTP/2 implementation for Go.
Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling when reading header data from CONTINUATION frames. As part of the HPACK flow, all incoming HEADERS and CONTINUATION frames are read even if their payloads exceed MaxHeaderBytes and will be discarded.
An attacker can send excessive data over a connection to render it unresponsive.
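The net/netip behaviour described in GO-2024-2887, shown as a small Go program. This is an added illustration, not code from kube-mgmt or from the advisory: the function names (`Classify`, `IsPrivateUnmapped`, `IsLoopbackUnmapped`, `ToolchainAffected`) and the sample addresses are my own. It prints the `Is*` results for an IPv4-mapped IPv6 address both as parsed and after `Unmap()`; on a toolchain without the fix the two differ, and `Unmap()` before the `Is*` call gives the IPv4 answer on any toolchain.

```go
package main

import (
	"fmt"
	"net/netip"
)

// AddrClass collects the netip.Addr Is* results that GO-2024-2887 affects.
type AddrClass struct {
	Private          bool
	Loopback         bool
	LinkLocalUnicast bool
	Unspecified      bool
}

// Classify reports the Is* results for a as given. For an IPv4-mapped IPv6
// address (::ffff:a.b.c.d) an unfixed toolchain answers false everywhere,
// while the same address in plain IPv4 form answers true where expected.
func Classify(a netip.Addr) AddrClass {
	return AddrClass{
		Private:          a.IsPrivate(),
		Loopback:         a.IsLoopback(),
		LinkLocalUnicast: a.IsLinkLocalUnicast(),
		Unspecified:      a.IsUnspecified(),
	}
}

// IsPrivateUnmapped is the defensive form of IsPrivate: Unmap() turns an
// IPv4-mapped IPv6 address into its IPv4 form and leaves any other address
// unchanged, so the result no longer depends on the toolchain's fix status.
// (Hypothetical helper name, chosen for this example.)
func IsPrivateUnmapped(s string) (bool, error) {
	a, err := netip.ParseAddr(s)
	if err != nil {
		return false, err
	}
	return a.Unmap().IsPrivate(), nil
}

// IsLoopbackUnmapped applies the same Unmap()-first pattern to IsLoopback.
func IsLoopbackUnmapped(s string) (bool, error) {
	a, err := netip.ParseAddr(s)
	if err != nil {
		return false, err
	}
	return a.Unmap().IsLoopback(), nil
}

// ToolchainAffected returns true when the running Go toolchain still
// misclassifies IPv4-mapped loopback, i.e. it lacks the GO-2024-2887 fix.
func ToolchainAffected() bool {
	return !netip.MustParseAddr("::ffff:127.0.0.1").IsLoopback()
}

func main() {
	// Constructed sample inputs: mapped and plain forms of the same hosts,
	// plus a public address and a non-mapped IPv6 address for contrast.
	samples := []string{
		"::ffff:10.0.0.1", "10.0.0.1",
		"::ffff:127.0.0.1", "127.0.0.1",
		"::ffff:8.8.8.8", "2001:db8::1",
	}
	for _, s := range samples {
		a := netip.MustParseAddr(s)
		fmt.Printf("%-18s as parsed: %+v\n", s, Classify(a))
		fmt.Printf("%-18s unmapped:  %+v\n", s, Classify(a.Unmap()))
	}
	fmt.Println("toolchain affected by GO-2024-2887:", ToolchainAffected())
}
```

Because net/netip is part of the standard library, a dependency bump in go.mod does not address this finding; the binary has to be rebuilt with a Go toolchain that carries the fix. `go version -m <binary>` prints the toolchain a Go binary was built with together with its compiled-in module versions, and `govulncheck -mode binary <binary>` reports which of those are still flagged, which is a quick way to confirm whether a rebuilt image actually clears GO-2024-2887 and CVE-2023-45288 before a scanner does.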