-
Notifications
You must be signed in to change notification settings - Fork 18.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[20.10] Update to go1.20.10, golang/org/x/net v0.17.0 #46692
[20.10] Update to go1.20.10, golang/org/x/net v0.17.0 #46692
Conversation
Any of the related changes for go1.19 -> go1.20 needed in this branch? #44620 |
The rest of the prerequisites are for appeasing golangci-lint. I'm half-tempted to just remove the lint step from the Jenkinsfile as Mirantis Container Runtime 20.10 is EOL on December 10, less than eight weeks away.
I will also do that in a separate PR. |
go1.20.10 (released 2023-10-10) includes a security fix to the net/http package. See the Go 1.20.10 milestone on our issue tracker for details. - https://github.com/golang/go/issues?q=milestone%3AGo1.20.10+label%3ACherryPickApproved - full diff: golang/go@go1.19.12...go1.20.10 From the mailing list announcement: [security] Go 1.21.3 and Go 1.20.10 are released Hello gophers, We have just released Go versions 1.21.3 and 1.20.10, minor point releases. These minor releases include 1 security fixes following the security policy: - net/http: rapid stream resets can cause excessive work A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded to the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit. New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 v0.17.0, for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function. This is CVE-2023-39325 and Go issue https://go.dev/issue/63417. This is also tracked by CVE-2023-44487. View the release notes for more information: https://go.dev/doc/devel/release#go1.21.3 Signed-off-by: Cory Snider <csnider@mirantis.com>
full diff: https://github.com/golang/net/compare/ab34263943818b32f575efc978 This fixes the same CVE as go1.21.3 and go1.20.10; - net/http: rapid stream resets can cause excessive work A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded to the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit. New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 v0.17.0, for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function. This is CVE-2023-39325 and Go issue https://go.dev/issue/63417. This is also tracked by CVE-2023-44487. Dependency full diffs: a3d24e80b04bd7...v0.17.0 https://github.com/golang/sys/compare/33da011f77ade50ff5b6a6fb4a 9a1e6d6b285809...v0.13.0 golang/text@v0.3.3...v0.13.0 https://github.com/golang/crypto/compare/c1f2f97bffc9c53fc40a1a28a5 b460094c0050d9...v0.14.0 Signed-off-by: Cory Snider <csnider@mirantis.com>
cb00789
to
2c22bd5
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM if ci is happy
Test-failures are those that were called out elsewhere to be expected on RS5 currently;
|
Update to go1.20.10
go1.20.10 (released 2023-10-10) includes a security fix to the net/http
package. See the Go 1.20.10 milestone on our issue tracker for details.
From the mailing list announcement:
[security] Go 1.21.3 and Go 1.20.10 are released
Hello gophers,
We have just released Go versions 1.21.3 and 1.20.10, minor point releases.
These minor releases include 1 security fixes following the security policy:
net/http: rapid stream resets can cause excessive work
A malicious HTTP/2 client which rapidly creates requests and
immediately resets them can cause excessive server resource consumption.
While the total number of requests is bounded to the
http2.Server.MaxConcurrentStreams setting, resetting an in-progress
request allows the attacker to create a new request while the existing
one is still executing.
HTTP/2 servers now bound the number of simultaneously executing
handler goroutines to the stream concurrency limit. New requests
arriving when at the limit (which can only happen after the client
has reset an existing, in-flight request) will be queued until a
handler exits. If the request queue grows too large, the server
will terminate the connection.
This issue is also fixed in golang.org/x/net/http2 v0.17.0,
for users manually configuring HTTP/2.
The default stream concurrency limit is 250 streams (requests)
per HTTP/2 connection. This value may be adjusted using the
golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams
setting and the ConfigureServer function.
This is GHSA-4374-p667-p6c8 and Go issue https://go.dev/issue/63417.
This is also tracked by GHSA-qppj-fm5r-hxr3.
View the release notes for more information:
https://go.dev/doc/devel/release#go1.21.3
vendor: golang.org/x/net v0.17.0
full diff: https://github.com/golang/net/compare/ab34263943818b32f575efc978
This fixes the same CVE as go1.21.3 and go1.20.10;
net/http: rapid stream resets can cause excessive work
A malicious HTTP/2 client which rapidly creates requests and
immediately resets them can cause excessive server resource consumption.
While the total number of requests is bounded to the
http2.Server.MaxConcurrentStreams setting, resetting an in-progress
request allows the attacker to create a new request while the existing
one is still executing.
HTTP/2 servers now bound the number of simultaneously executing
handler goroutines to the stream concurrency limit. New requests
arriving when at the limit (which can only happen after the client
has reset an existing, in-flight request) will be queued until a
handler exits. If the request queue grows too large, the server
will terminate the connection.
This issue is also fixed in golang.org/x/net/http2 v0.17.0,
for users manually configuring HTTP/2.
The default stream concurrency limit is 250 streams (requests)
per HTTP/2 connection. This value may be adjusted using the
golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams
setting and the ConfigureServer function.
This is GHSA-4374-p667-p6c8 and Go issue https://go.dev/issue/63417.
This is also tracked by GHSA-qppj-fm5r-hxr3.
Dependency full diffs:
a3d24e80b04bd7...v0.17.0
https://github.com/golang/sys/compare/33da011f77ade50ff5b6a6fb4a
9a1e6d6b285809...v0.13.0
golang/text@v0.3.3...v0.13.0
https://github.com/golang/crypto/compare/c1f2f97bffc9c53fc40a1a28a5
b460094c0050d9...v0.14.0
- Description for the changelog
Update Go to 1.20.10 and golang.org/x/net to v0.17.0
- A picture of a cute animal (not mandatory but encouraged)