
[23.0 backport] vendor: golang.org/x/net v0.7.0, golang.org/x/sys v0.5.0, golang.org/x/text v0.7.0#45056

Merged: neersighted merged 3 commits into moby:23.0 from thaJeztah:23.0_backport_bump_golang_net on Feb 22, 2023


@thaJeztah
Member


vendor: golang.org/x/sys v0.5.0

full diff: golang/sys@v0.4.0...v0.5.0

vendor: golang.org/x/text v0.7.0

full diff: golang/text@v0.6.0...v0.7.0

vendor: golang.org/x/net v0.7.0

This addresses the same CVE as is patched in go1.19.6. From that announcement:

> net/http: avoid quadratic complexity in HPACK decoding
>
> A maliciously crafted HTTP/2 stream could cause excessive CPU consumption
> in the HPACK decoder, sufficient to cause a denial of service from a small
> number of small requests.
>
> This issue is also fixed in golang.org/x/net/http2 v0.7.0, for users manually
> configuring HTTP/2.
>
> This is CVE-2022-41723 and Go issue https://go.dev/issue/57855.

full diff: golang/net@v0.5.0...v0.7.0

full diff: golang/sys@v0.4.0...v0.5.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit a53b44a)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

full diff: golang/text@v0.6.0...v0.7.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit c7de765)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

This addresses the same CVE as is patched in go1.19.6. From that announcement:

> net/http: avoid quadratic complexity in HPACK decoding
>
> A maliciously crafted HTTP/2 stream could cause excessive CPU consumption
> in the HPACK decoder, sufficient to cause a denial of service from a small
> number of small requests.
>
> This issue is also fixed in golang.org/x/net/http2 v0.7.0, for users manually
> configuring HTTP/2.
>
> This is CVE-2022-41723 and Go issue https://go.dev/issue/57855.

full diff: golang/net@v0.5.0...v0.7.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit a36286c)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
@neersighted neersighted merged commit ab7dd59 into moby:23.0 Feb 22, 2023
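
A check for the condition this PR fixes, as an added example that is not part of the PR or the moby code base: it reads the text of a `vendor/modules.txt` and reports whether the vendored golang.org/x/net is at or above v0.7.0, the release named above as carrying the HPACK fix. The function names and the sample input are constructed for illustration; versions that are not plain `vMAJOR.MINOR.PATCH` are reported as not fixed so they get a manual look.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// First golang.org/x/net release carrying the HPACK fix, per the PR description.
const netModule, fixedNet = "golang.org/x/net", "v0.7.0"

// Constructed vendor/modules.txt excerpt (not taken from the moby tree).
const sampleModulesTxt = `# golang.org/x/net v0.5.0
## explicit; go 1.17
golang.org/x/net/http2/hpack
`

// parse accepts only plain vMAJOR.MINOR.PATCH; anything else fails the round trip.
func parse(v string) (p [3]int, ok bool) {
	_, err := fmt.Sscanf(v, "v%d.%d.%d", &p[0], &p[1], &p[2])
	return p, err == nil && fmt.Sprintf("v%d.%d.%d", p[0], p[1], p[2]) == v
}

// atLeast reports v >= floor; unparseable input returns false (fail closed).
func atLeast(v, floor string) bool {
	a, okA := parse(v)
	b, okB := parse(floor)
	for i := 0; okA && okB && i < 3; i++ {
		if a[i] != b[i] {
			return a[i] > b[i]
		}
	}
	return okA && okB
}

// CheckVendoredNet finds the "# <module> <version>" header for golang.org/x/net.
func CheckVendoredNet(modulesTxt string) (version string, fixed, found bool) {
	sc := bufio.NewScanner(strings.NewReader(modulesTxt))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) >= 3 && f[0] == "#" && f[1] == netModule {
			return f[2], atLeast(f[2], fixedNet), true
		}
	}
	return "", false, false
}

func main() { fmt.Println(CheckVendoredNet(sampleModulesTxt)) }
```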