Updated golang.org/x/net to v0.8.0 and related modules to fix vulnerabilities.
Impact: A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.
CVE ID: CVE-2022-41721 GHSA ID: GHSA-fxg5-wq6x-vr4w
Impact: In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.
CVE ID: CVE-2022-27664 GHSA ID: GHSA-69cg-p879-7622
Impact: A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.
CVE ID: CVE-2022-41723 GHSA ID: GHSA-vvpx-j8f3-3w6h
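A check a reviewer could run against a module's `go.mod` to confirm it requires golang.org/x/net at or above the v0.8.0 named above. This is an added example, not code from this change or project; `netAtLeastFixed` and `sampleGoMod` are hypothetical names, and the sample go.mod is constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// fixedIn is the golang.org/x/net version this page updates to (v0.8.0).
var fixedIn = [3]int{0, 8, 0}

// netAtLeastFixed scans go.mod text for the golang.org/x/net requirement and
// reports its version and whether it is at or above fixedIn. A pre-release or
// pseudo-version of exactly v0.8.0 sorts before the release, so it is not ok.
// Assumption: no replace or exclude directive overrides the requirement.
func netAtLeastFixed(goMod string) (version string, ok bool, err error) {
	for _, line := range strings.Split(goMod, "\n") {
		line, _, _ = strings.Cut(line, "//") // drop "// indirect"
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) != 2 || f[0] != "golang.org/x/net" {
			continue
		}
		base, _, pre := strings.Cut(strings.TrimPrefix(f[1], "v"), "-")
		var n [3]int
		if c, _ := fmt.Sscanf(base, "%d.%d.%d", &n[0], &n[1], &n[2]); c != 3 {
			return f[1], false, fmt.Errorf("not a semantic version: %q", f[1])
		}
		for i := range n {
			if n[i] != fixedIn[i] {
				return f[1], n[i] > fixedIn[i], nil
			}
		}
		return f[1], !pre, nil
	}
	return "", false, fmt.Errorf("golang.org/x/net is not required")
}

// sampleGoMod is constructed for this example; it is not the project's go.mod.
const sampleGoMod = `module example.com/app
go 1.19
require (
	golang.org/x/net v0.7.0 // indirect
	golang.org/x/text v0.8.0
)
`

func main() {
	v, ok, err := netAtLeastFixed(sampleGoMod)
	fmt.Println(v, ok, err)
}
```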