Skip to content

Commit

Permalink
chore(deps): update module golang.org/x/net to v0.17.0 [security] (re…
Browse files Browse the repository at this point in the history
…lease-2.8.x) (#10891)

[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| golang.org/x/net | indirect | minor | `v0.7.0` -> `v0.17.0` |

---

### Improper rendering of text nodes in golang.org/x/net/html
[CVE-2023-3978](https://nvd.nist.gov/vuln/detail/CVE-2023-3978) /
[GHSA-2wrh-6pvc-2jm9](https://togithub.com/advisories/GHSA-2wrh-6pvc-2jm9)

<details>
<summary>More information</summary>

#### Details
Text nodes not in the HTML namespace are incorrectly literally rendered,
causing text which should be escaped to not be. This could lead to an
XSS attack.

#### Severity
- CVSS Score: 6.1 / 10 (Medium)
- Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`

#### References
-
[https://nvd.nist.gov/vuln/detail/CVE-2023-3978](https://nvd.nist.gov/vuln/detail/CVE-2023-3978)
- [https://go.dev/cl/514896](https://go.dev/cl/514896)
- [https://go.dev/issue/61615](https://go.dev/issue/61615)
-
[https://pkg.go.dev/vuln/GO-2023-1988](https://pkg.go.dev/vuln/GO-2023-1988)

This data is provided by
[OSV](https://osv.dev/vulnerability/GHSA-2wrh-6pvc-2jm9) and the [GitHub
Advisory Database](https://togithub.com/github/advisory-database)
([CC-BY
4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### Improper rendering of text nodes in golang.org/x/net/html
[CVE-2023-3978](https://nvd.nist.gov/vuln/detail/CVE-2023-3978) /
[GHSA-2wrh-6pvc-2jm9](https://togithub.com/advisories/GHSA-2wrh-6pvc-2jm9)
/ [GO-2023-1988](https://pkg.go.dev/vuln/GO-2023-1988)

<details>
<summary>More information</summary>

#### Details
Text nodes not in the HTML namespace are incorrectly literally rendered,
causing text which should be escaped to not be. This could lead to an
XSS attack.

#### Severity
Unknown

#### References
- [https://go.dev/issue/61615](https://go.dev/issue/61615)
- [https://go.dev/cl/514896](https://go.dev/cl/514896)

This data is provided by
[OSV](https://osv.dev/vulnerability/GO-2023-1988) and the [Go
Vulnerability Database](https://togithub.com/golang/vulndb) ([CC-BY
4.0](https://togithub.com/golang/vulndb#license)).
</details>

---

### swift-nio-http2 vulnerable to HTTP/2 Stream Cancellation Attack
[CVE-2023-44487](https://nvd.nist.gov/vuln/detail/CVE-2023-44487) /
[GHSA-qppj-fm5r-hxr3](https://togithub.com/advisories/GHSA-qppj-fm5r-hxr3)

<details>
<summary>More information</summary>

#### Details
swift-nio-http2 is vulnerable to a denial-of-service vulnerability in
which a malicious client can create and then reset a large number of
HTTP/2 streams in a short period of time. This causes swift-nio-http2 to
commit to a large amount of expensive work which it then throws away,
including creating entirely new `Channel`s to serve the traffic. This
can easily overwhelm an `EventLoop` and prevent it from making forward
progress.

swift-nio-http2 1.28 contains a remediation for this issue that applies
reset counter using a sliding window. This constrains the number of
stream resets that may occur in a given window of time. Clients
violating this limit will have their connections torn down. This allows
clients to continue to cancel streams for legitimate reasons, while
constraining malicious actors.

#### Severity
- CVSS Score: 5.3 / 10 (Medium)
- Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L`

#### References
-
[https://github.com/apple/swift-nio-http2/security/advisories/GHSA-qppj-fm5r-hxr3](https://togithub.com/apple/swift-nio-http2/security/advisories/GHSA-qppj-fm5r-hxr3)
-
[https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf](https://togithub.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf)
-
[https://nvd.nist.gov/vuln/detail/CVE-2023-44487](https://nvd.nist.gov/vuln/detail/CVE-2023-44487)
-
[https://github.com/Azure/AKS/issues/3947](https://togithub.com/Azure/AKS/issues/3947)
-
[https://github.com/akka/akka-http/issues/4323](https://togithub.com/akka/akka-http/issues/4323)
-
[https://github.com/alibaba/tengine/issues/1872](https://togithub.com/alibaba/tengine/issues/1872)
-
[https://github.com/apache/apisix/issues/10320](https://togithub.com/apache/apisix/issues/10320)
-
[https://github.com/caddyserver/caddy/issues/5877](https://togithub.com/caddyserver/caddy/issues/5877)
-
[https://github.com/dotnet/announcements/issues/277](https://togithub.com/dotnet/announcements/issues/277)
-
[https://github.com/eclipse/jetty.project/issues/10679](https://togithub.com/eclipse/jetty.project/issues/10679)
-
[https://github.com/etcd-io/etcd/issues/16740](https://togithub.com/etcd-io/etcd/issues/16740)
-
[https://github.com/golang/go/issues/63417](https://togithub.com/golang/go/issues/63417)
-
[https://github.com/haproxy/haproxy/issues/2312](https://togithub.com/haproxy/haproxy/issues/2312)
-
[https://github.com/hyperium/hyper/issues/3337](https://togithub.com/hyperium/hyper/issues/3337)
-
[https://github.com/junkurihara/rust-rpxy/issues/97](https://togithub.com/junkurihara/rust-rpxy/issues/97)
-
[https://github.com/kazu-yamamoto/http2/issues/93](https://togithub.com/kazu-yamamoto/http2/issues/93)
-
[https://github.com/ninenines/cowboy/issues/1615](https://togithub.com/ninenines/cowboy/issues/1615)
-
[https://github.com/openresty/openresty/issues/930](https://togithub.com/openresty/openresty/issues/930)
-
[https://github.com/opensearch-project/data-prepper/issues/3474](https://togithub.com/opensearch-project/data-prepper/issues/3474)
-
[https://github.com/tempesta-tech/tempesta/issues/1986](https://togithub.com/tempesta-tech/tempesta/issues/1986)
-
[https://github.com/varnishcache/varnish-cache/issues/3996](https://togithub.com/varnishcache/varnish-cache/issues/3996)
-
[https://github.com/apache/httpd-site/pull/10](https://togithub.com/apache/httpd-site/pull/10)
-
[https://github.com/apache/trafficserver/pull/10564](https://togithub.com/apache/trafficserver/pull/10564)
-
[https://github.com/envoyproxy/envoy/pull/30055](https://togithub.com/envoyproxy/envoy/pull/30055)
-
[https://github.com/facebook/proxygen/pull/466](https://togithub.com/facebook/proxygen/pull/466)
-
[https://github.com/grpc/grpc-go/pull/6703](https://togithub.com/grpc/grpc-go/pull/6703)
-
[https://github.com/h2o/h2o/pull/3291](https://togithub.com/h2o/h2o/pull/3291)
-
[https://github.com/kubernetes/kubernetes/pull/121120](https://togithub.com/kubernetes/kubernetes/pull/121120)
-
[https://github.com/line/armeria/pull/5232](https://togithub.com/line/armeria/pull/5232)
-
[https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632](https://togithub.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632)
-
[https://github.com/microsoft/CBL-Mariner/pull/6381](https://togithub.com/microsoft/CBL-Mariner/pull/6381)
-
[https://github.com/nghttp2/nghttp2/pull/1961](https://togithub.com/nghttp2/nghttp2/pull/1961)
-
[https://github.com/nodejs/node/pull/50121](https://togithub.com/nodejs/node/pull/50121)
-
[https://github.com/projectcontour/contour/pull/5826](https://togithub.com/projectcontour/contour/pull/5826)
-
[https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1](https://togithub.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1)
-
[https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61](https://togithub.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61)
-
[https://access.redhat.com/security/cve/cve-2023-44487](https://access.redhat.com/security/cve/cve-2023-44487)
-
[https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size/](https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size/)
-
[https://aws.amazon.com/security/security-bulletins/AWS-2023-011/](https://aws.amazon.com/security/security-bulletins/AWS-2023-011/)
-
[https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/](https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/)
-
[https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/](https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/)
-
[https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/](https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/)
-
[https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack](https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack)
-
[https://blog.vespa.ai/cve-2023-44487/](https://blog.vespa.ai/cve-2023-44487/)
-
[https://bugzilla.proxmox.com/show_bug.cgi?id=4988](https://bugzilla.proxmox.com/show_bug.cgi?id=4988)
-
[https://bugzilla.redhat.com/show_bug.cgi?id=2242803](https://bugzilla.redhat.com/show_bug.cgi?id=2242803)
-
[https://bugzilla.suse.com/show_bug.cgi?id=1216123](https://bugzilla.suse.com/show_bug.cgi?id=1216123)
-
[https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9](https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9)
-
[https://chaos.social/@&#8203;icing/111210915918780532](https://chaos.social/@&#8203;icing/111210915918780532)
-
[https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/](https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/)
-
[https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack](https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack)
-
[https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125](https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125)
-
[https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve](https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve)
-
[https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764](https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764)
-
[https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088](https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088)
-
[https://github.com/Kong/kong/discussions/11741](https://togithub.com/Kong/kong/discussions/11741)
-
[https://github.com/advisories/GHSA-qppj-fm5r-hxr3](https://togithub.com/advisories/GHSA-qppj-fm5r-hxr3)
-
[https://github.com/advisories/GHSA-vx74-f528-fxqg](https://togithub.com/advisories/GHSA-vx74-f528-fxqg)
-
[https://github.com/advisories/GHSA-xpw8-rcwv-8f8p](https://togithub.com/advisories/GHSA-xpw8-rcwv-8f8p)
-
[https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c#L1101-L1113](https://togithub.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c#L1101-L1113)
-
[https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2](https://togithub.com/apache/tomcat/tree/main/java/org/apache/coyote/http2)
-
[https://github.com/apple/swift-nio-http2](https://togithub.com/apple/swift-nio-http2)
-
[https://github.com/arkrwn/PoC/tree/main/CVE-2023-44487](https://togithub.com/arkrwn/PoC/tree/main/CVE-2023-44487)
-
[https://github.com/bcdannyboy/CVE-2023-44487](https://togithub.com/bcdannyboy/CVE-2023-44487)
-
[https://github.com/caddyserver/caddy/releases/tag/v2.7.5](https://togithub.com/caddyserver/caddy/releases/tag/v2.7.5)
-
[https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1#L73](https://togithub.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1#L73)
-
[https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1#L239-L244](https://togithub.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1#L239-L244)
-
[https://github.com/micrictor/http2-rst-stream](https://togithub.com/micrictor/http2-rst-stream)
-
[https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0](https://togithub.com/nghttp2/nghttp2/releases/tag/v1.57.0)
-
[https://github.com/oqtane/oqtane.framework/discussions/3367](https://togithub.com/oqtane/oqtane.framework/discussions/3367)
- [https://go.dev/cl/534215](https://go.dev/cl/534215)
- [https://go.dev/cl/534235](https://go.dev/cl/534235)
- [https://go.dev/issue/63417](https://go.dev/issue/63417)
-
[https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo](https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo)
-
[https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo/m/UDd7VKQuAAAJ](https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo/m/UDd7VKQuAAAJ)
-
[https://istio.io/latest/news/security/istio-security-2023-004/](https://istio.io/latest/news/security/istio-security-2023-004/)
-
[https://linkerd.io/2023/10/12/linkerd-cve-2023-44487/](https://linkerd.io/2023/10/12/linkerd-cve-2023-44487/)
-
[https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q](https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q)
-
[https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html](https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html)
-
[https://lists.debian.org/debian-lts-announce/2023/10/msg00023.html](https://lists.debian.org/debian-lts-announce/2023/10/msg00023.html)
-
[https://lists.fedoraproject.org/archives/list/[email protected]/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/](https://lists.fedoraproject.org/archives/list/[email protected]/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/)
-
[https://lists.w3.org/Archives/Public/ietf-http-wg/2023OctDec/0025.html](https://lists.w3.org/Archives/Public/ietf-http-wg/2023OctDec/0025.html)
-
[https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html](https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html)
-
[https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html](https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html)
-
[https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/](https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/)
-
[https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487)
-
[https://my.f5.com/manage/s/article/K000137106](https://my.f5.com/manage/s/article/K000137106)
-
[https://netty.io/news/2023/10/10/4-1-100-Final.html](https://netty.io/news/2023/10/10/4-1-100-Final.html)
-
[https://news.ycombinator.com/item?id=37830987](https://news.ycombinator.com/item?id=37830987)
-
[https://news.ycombinator.com/item?id=37830998](https://news.ycombinator.com/item?id=37830998)
-
[https://news.ycombinator.com/item?id=37831062](https://news.ycombinator.com/item?id=37831062)
-
[https://news.ycombinator.com/item?id=37837043](https://news.ycombinator.com/item?id=37837043)
-
[https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/](https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/)
-
[https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected](https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected)
-
[https://security.netapp.com/advisory/ntap-20231016-0001/](https://security.netapp.com/advisory/ntap-20231016-0001/)
-
[https://security.paloaltonetworks.com/CVE-2023-44487](https://security.paloaltonetworks.com/CVE-2023-44487)
-
[https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14](https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14)
-
[https://ubuntu.com/security/CVE-2023-44487](https://ubuntu.com/security/CVE-2023-44487)
-
[https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/](https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/)
-
[https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487](https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487)
-
[https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event](https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event)
-
[https://www.debian.org/security/2023/dsa-5521](https://www.debian.org/security/2023/dsa-5521)
-
[https://www.debian.org/security/2023/dsa-5522](https://www.debian.org/security/2023/dsa-5522)
-
[https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487](https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487)
-
[https://www.netlify.com/blog/netlify-successfully-mitigates-cve-2023-44487/](https://www.netlify.com/blog/netlify-successfully-mitigates-cve-2023-44487/)
-
[https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/](https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/)
-
[https://www.openwall.com/lists/oss-security/2023/10/10/6](https://www.openwall.com/lists/oss-security/2023/10/10/6)
-
[https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack](https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack)
-
[https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/](https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/)
-
[http://www.openwall.com/lists/oss-security/2023/10/13/4](http://www.openwall.com/lists/oss-security/2023/10/13/4)
-
[http://www.openwall.com/lists/oss-security/2023/10/13/9](http://www.openwall.com/lists/oss-security/2023/10/13/9)

This data is provided by
[OSV](https://osv.dev/vulnerability/GHSA-qppj-fm5r-hxr3) and the [GitHub
Advisory Database](https://togithub.com/github/advisory-database)
([CC-BY
4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### HTTP/2 rapid reset can cause excessive work in net/http
[CVE-2023-39325](https://nvd.nist.gov/vuln/detail/CVE-2023-39325) /
[GHSA-4374-p667-p6c8](https://togithub.com/advisories/GHSA-4374-p667-p6c8)

<details>
<summary>More information</summary>

#### Details
A malicious HTTP/2 client which rapidly creates requests and immediately
resets them can cause excessive server resource consumption. While the
total number of requests is bounded by the
http2.Server.MaxConcurrentStreams setting, resetting an in-progress
request allows the attacker to create a new request while the existing
one is still executing.

With the fix applied, HTTP/2 servers now bound the number of
simultaneously executing handler goroutines to the stream concurrency
limit (MaxConcurrentStreams). New requests arriving when at the limit
(which can only happen after the client has reset an existing, in-flight
request) will be queued until a handler exits. If the request queue
grows too large, the server will terminate the connection.

This issue is also fixed in golang.org/x/net/http2 for users manually
configuring HTTP/2.

The default stream concurrency limit is 250 streams (requests) per
HTTP/2 connection. This value may be adjusted using the
golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams
setting and the ConfigureServer function.

#### Severity
Moderate

#### References
-
[https://nvd.nist.gov/vuln/detail/CVE-2023-39325](https://nvd.nist.gov/vuln/detail/CVE-2023-39325)
-
[https://github.com/golang/go/issues/63417](https://togithub.com/golang/go/issues/63417)
- [https://go.dev/cl/534215](https://go.dev/cl/534215)
- [https://go.dev/cl/534235](https://go.dev/cl/534235)
- [https://go.dev/issue/63417](https://go.dev/issue/63417)
-
[https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo/m/UDd7VKQuAAAJ](https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo/m/UDd7VKQuAAAJ)
-
[https://pkg.go.dev/vuln/GO-2023-2102](https://pkg.go.dev/vuln/GO-2023-2102)
- [golang.org/x/net](golang.org/x/net)

This data is provided by
[OSV](https://osv.dev/vulnerability/GHSA-4374-p667-p6c8) and the [GitHub
Advisory Database](https://togithub.com/github/advisory-database)
([CC-BY
4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### HTTP/2 rapid reset can cause excessive work in net/http
[CVE-2023-39325](https://nvd.nist.gov/vuln/detail/CVE-2023-39325) /
[CVE-2023-44487](https://nvd.nist.gov/vuln/detail/CVE-2023-44487) /
[GHSA-4374-p667-p6c8](https://togithub.com/advisories/GHSA-4374-p667-p6c8)
/ [GO-2023-2102](https://pkg.go.dev/vuln/GO-2023-2102)

<details>
<summary>More information</summary>

#### Details
A malicious HTTP/2 client which rapidly creates requests and immediately
resets them can cause excessive server resource consumption. While the
total number of requests is bounded by the
http2.Server.MaxConcurrentStreams setting, resetting an in-progress
request allows the attacker to create a new request while the existing
one is still executing.

With the fix applied, HTTP/2 servers now bound the number of
simultaneously executing handler goroutines to the stream concurrency
limit (MaxConcurrentStreams). New requests arriving when at the limit
(which can only happen after the client has reset an existing, in-flight
request) will be queued until a handler exits. If the request queue
grows too large, the server will terminate the connection.

This issue is also fixed in golang.org/x/net/http2 for users manually
configuring HTTP/2.

The default stream concurrency limit is 250 streams (requests) per
HTTP/2 connection. This value may be adjusted using the
golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams
setting and the ConfigureServer function.

#### Severity
Unknown

#### References
- [https://go.dev/issue/63417](https://go.dev/issue/63417)
- [https://go.dev/cl/534215](https://go.dev/cl/534215)
- [https://go.dev/cl/534235](https://go.dev/cl/534235)
-
[https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo/m/UDd7VKQuAAAJ](https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo/m/UDd7VKQuAAAJ)

This data is provided by
[OSV](https://osv.dev/vulnerability/GO-2023-2102) and the [Go
Vulnerability Database](https://togithub.com/golang/vulndb) ([CC-BY
4.0](https://togithub.com/golang/vulndb#license)).
</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no
schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/grafana/loki).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy44LjEiLCJ1cGRhdGVkSW5WZXIiOiIzNy4xOS4yIiwidGFyZ2V0QnJhbmNoIjoicmVsZWFzZS0yLjgueCJ9-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
  • Loading branch information
renovate[bot] authored Oct 17, 2023
1 parent c3486d3 commit 8879a2d
Show file tree
Hide file tree
Showing 2 changed files with 19 additions and 7 deletions.
12 changes: 6 additions & 6 deletions tools/lambda-promtail/go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -98,16 +98,16 @@ require (
go.uber.org/goleak v1.2.0 // indirect
go.uber.org/multierr v1.8.0 // indirect
go.uber.org/zap v1.21.0 // indirect
golang.org/x/crypto v0.5.0 // indirect
golang.org/x/crypto v0.14.0 // indirect
golang.org/x/exp v0.0.0-20221212164502-fae10dda9338 // indirect
golang.org/x/mod v0.7.0 // indirect
golang.org/x/net v0.7.0 // indirect
golang.org/x/mod v0.8.0 // indirect
golang.org/x/net v0.17.0 // indirect
golang.org/x/oauth2 v0.4.0 // indirect
golang.org/x/sync v0.1.0 // indirect
golang.org/x/sys v0.5.0 // indirect
golang.org/x/text v0.7.0 // indirect
golang.org/x/sys v0.13.0 // indirect
golang.org/x/text v0.13.0 // indirect
golang.org/x/time v0.3.0 // indirect
golang.org/x/tools v0.4.0 // indirect
golang.org/x/tools v0.6.0 // indirect
google.golang.org/appengine v1.6.7 // indirect
google.golang.org/genproto v0.0.0-20230110181048-76db0878b65f // indirect
google.golang.org/grpc v1.52.3 // indirect
Expand Down
14 changes: 13 additions & 1 deletion tools/lambda-promtail/go.sum
Original file line number Diff line number Diff line change
Expand Up @@ -581,6 +581,8 @@ golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPh
golang.org/x/crypto v0.0.0-20221012134737-56aed061732a/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
golang.org/x/crypto v0.5.0 h1:U/0M97KRkSFvyD/3FSmdP5W5swImpNgle/EHFhOsQPE=
golang.org/x/crypto v0.5.0/go.mod h1:NK/OQwhpMQP3MwtdjgLlYHnH9ebylxKWv3e0fK+mkQU=
golang.org/x/crypto v0.14.0 h1:wBqGXzWJW6m1XrIKlAH0Hs1JJ7+9KBwnIO8v66Q9cHc=
golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4=
golang.org/x/exp v0.0.0-20180321215751-8460e604b9de/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
golang.org/x/exp v0.0.0-20180807140117-3d87b88a115f/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
Expand Down Expand Up @@ -625,6 +627,8 @@ golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
golang.org/x/mod v0.7.0 h1:LapD9S96VoQRhi/GrNTqeBJFrUjs5UHCAtTlgwA5oZA=
golang.org/x/mod v0.7.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
golang.org/x/mod v0.8.0 h1:LUYupSeNrTNCGzR/hVBk2NHZO4hXcVaW1k4Qx7rjPx8=
golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
Expand Down Expand Up @@ -679,6 +683,8 @@ golang.org/x/net v0.0.0-20220624214902-1bab6f366d9e/go.mod h1:XRhObCWvk6IyKnWLug
golang.org/x/net v0.0.0-20220909164309-bea034e7d591/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk=
golang.org/x/net v0.7.0 h1:rJrUqqhjsgNp7KqAIc25s9pZnjU7TUcSY7HcVZjdn1g=
golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM=
golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
Expand Down Expand Up @@ -796,6 +802,8 @@ golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBc
golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.5.0 h1:MUK/U/4lj1t1oPg0HfuXDN/Z1wv31ZJ/YcPiGccS4DU=
golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE=
golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
Expand All @@ -809,6 +817,8 @@ golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
golang.org/x/text v0.7.0 h1:4BRB4x83lYWy72KwLD/qYDuTu7q9PjSagHvijDw7cLo=
golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k=
golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
Expand Down Expand Up @@ -876,6 +886,8 @@ golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
golang.org/x/tools v0.1.6-0.20210726203631-07bc1bf47fb2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
golang.org/x/tools v0.4.0 h1:7mTAgkunk3fr4GAloyyCasadO6h9zSsQZbwvcaIciV4=
golang.org/x/tools v0.4.0/go.mod h1:UE5sM2OK9E/d67R0ANs2xJizIymRP5gJU295PvKXxjQ=
golang.org/x/tools v0.6.0 h1:BOw41kyTf3PuCW1pVQf8+Cyg8pMlkYB1oo9iJ6D/lKM=
golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
Expand Down Expand Up @@ -1100,4 +1112,4 @@ rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8
rsc.io/pdf v0.1.1/go.mod h1:n8OzWcQ6Sp37PL01nO98y4iUCRdTGarVfzxY20ICaU4=
rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc=
sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc=

0 comments on commit 8879a2d

Please sign in to comment.