Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

build: upgrade easy-add built with Go 1.20.10 #2462

Merged
merged 5 commits into from
Nov 3, 2023
Merged

build: upgrade easy-add built with Go 1.20.10 #2462

merged 5 commits into from
Nov 3, 2023

Conversation

itzg
Copy link
Owner

@itzg itzg commented Nov 3, 2023
edited
Loading

For itzg/easy-add#21

🔍 Vulnerabilities of itzg/minecraft-server:latest

📦 Image Reference itzg/minecraft-server:latest
digestsha256:7caca25f62b83a2af6ee6afe1ff69033b63e44bbdd0ad56d51c2716b54de325c
vulnerabilitiescritical: 0 high: 5 medium: 0 low: 0
platformlinux/arm64
size360 MB
packages565
critical: 0 high: 2 medium: 0 low: 0 stdlib 1.20.5 (golang)

pkg:golang/[email protected]

high : CVE--2023--44487

Affected range<1.20.10
Fixed version1.20.10
Description

A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing.

With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection.

This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2.

The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.

high : CVE--2023--39325

Affected range<1.20.10
Fixed version1.20.10
Description

A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing.

With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection.

This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2.

The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.

critical: 0 high: 2 medium: 0 low: 0 stdlib 1.20.8 (golang)

pkg:golang/[email protected]

high : CVE--2023--44487

Affected range<1.20.10
Fixed version1.20.10
Description

A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing.

With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection.

This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2.

The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.

high : CVE--2023--39325

Affected range<1.20.10
Fixed version1.20.10
Description

A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing.

With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection.

This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2.

The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.

critical: 0 high: 1 medium: 0 low: 0 golang.org/x/net 0.11.0 (golang)

pkg:golang/golang.org/x/[email protected]

high 7.5: CVE--2023--39325 Uncontrolled Resource Consumption

Affected range<0.17.0
Fixed version0.17.0
CVSS Score7.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Description

A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing.

With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection.

This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2.

The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.

@itzg itzg added the dependencies Pull requests that update a dependency file label Nov 3, 2023
@itzg itzg merged commit 951a557 into master Nov 3, 2023
4 checks passed
@itzg itzg deleted the fix/easy-add-go branch November 3, 2023 17:16
@itzg
Copy link
Owner Author

itzg commented Nov 3, 2023

Post build:

🔍 Vulnerabilities of itzg/minecraft-server:latest

📦 Image Reference itzg/minecraft-server:latest
digestsha256:a74bc06637ac1cf407bdb415a5ee19ce2b9b5417c56dd6fcd47696efc991b755
vulnerabilitiescritical: 0 high: 0 medium: 0 low: 0
platformlinux/arm64
size361 MB
packages564

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@itzg