* [Buildroot] [PATCH] package/go: security bump to version 1.21.3
@ 2023-10-11 11:47 Peter Korsgaard
2023-10-11 20:02 ` Christian Stewart via buildroot
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Peter Korsgaard @ 2023-10-11 11:47 UTC (permalink / raw)
To: buildroot; +Cc: Anisse Astier, Christian Stewart
Fixes CVE-2023-39325: rapid stream resets can cause excessive work
A malicious HTTP/2 client which rapidly creates requests and immediately
resets them can cause excessive server resource consumption. While the
total number of requests is bounded to the http2.Server.MaxConcurrentStreams
setting, resetting an in-progress request allows the attacker to create a
new request while the existing one is still executing.
go1.21.3 (released 2023-10-10) includes a security fix to the net/http
package.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
package/go/go.hash | 2 +-
package/go/go.mk | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/package/go/go.hash b/package/go/go.hash
index a2ec6b5923..9499f50964 100644
--- a/package/go/go.hash
+++ b/package/go/go.hash
@@ -1,3 +1,3 @@
# From https://go.dev/dl
-sha256 45e59de173baec39481854490d665b726cec3e5b159f6b4172e5ec7780b2c201 go1.21.2.src.tar.gz
+sha256 186f2b6f8c8b704e696821b09ab2041a5c1ee13dcbc3156a13adcf75931ee488 go1.21.3.src.tar.gz
sha256 2d36597f7117c38b006835ae7f537487207d8ec407aa9d9980794b2030cbc067 LICENSE
diff --git a/package/go/go.mk b/package/go/go.mk
index 2c32e90817..ef27f32835 100644
--- a/package/go/go.mk
+++ b/package/go/go.mk
@@ -4,7 +4,7 @@
#
################################################################################
-GO_VERSION = 1.21.2
+GO_VERSION = 1.21.3
GO_SITE = https://storage.googleapis.com/golang
GO_SOURCE = go$(GO_VERSION).src.tar.gz
--
2.30.2
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [Buildroot] [PATCH] package/go: security bump to version 1.21.3
2023-10-11 11:47 [Buildroot] [PATCH] package/go: security bump to version 1.21.3 Peter Korsgaard
@ 2023-10-11 20:02 ` Christian Stewart via buildroot
2023-10-12 14:38 ` Peter Korsgaard
2023-10-13 18:44 ` Peter Korsgaard
2 siblings, 0 replies; 4+ messages in thread
From: Christian Stewart via buildroot @ 2023-10-11 20:02 UTC (permalink / raw)
To: Peter Korsgaard; +Cc: Anisse Astier, buildroot
Hi Peter,
On Wed, Oct 11, 2023 at 4:47 AM Peter Korsgaard <peter@korsgaard.com> wrote:
>
> Fixes CVE-2023-39325: rapid stream resets can cause excessive work
>
> A malicious HTTP/2 client which rapidly creates requests and immediately
> resets them can cause excessive server resource consumption. While the
> total number of requests is bounded to the http2.Server.MaxConcurrentStreams
> setting, resetting an in-progress request allows the attacker to create a
> new request while the existing one is still executing.
>
> go1.21.3 (released 2023-10-10) includes a security fix to the net/http
> package.
>
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
> ---
> package/go/go.hash | 2 +-
> package/go/go.mk | 2 +-
> 2 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/package/go/go.hash b/package/go/go.hash
> index a2ec6b5923..9499f50964 100644
> --- a/package/go/go.hash
> +++ b/package/go/go.hash
> @@ -1,3 +1,3 @@
> # From https://go.dev/dl
> -sha256 45e59de173baec39481854490d665b726cec3e5b159f6b4172e5ec7780b2c201 go1.21.2.src.tar.gz
> +sha256 186f2b6f8c8b704e696821b09ab2041a5c1ee13dcbc3156a13adcf75931ee488 go1.21.3.src.tar.gz
> sha256 2d36597f7117c38b006835ae7f537487207d8ec407aa9d9980794b2030cbc067 LICENSE
> diff --git a/package/go/go.mk b/package/go/go.mk
> index 2c32e90817..ef27f32835 100644
> --- a/package/go/go.mk
> +++ b/package/go/go.mk
> @@ -4,7 +4,7 @@
> #
> ################################################################################
>
> -GO_VERSION = 1.21.2
> +GO_VERSION = 1.21.3
> GO_SITE = https://storage.googleapis.com/golang
> GO_SOURCE = go$(GO_VERSION).src.tar.gz
Reviewed-by: Christian Stewart <christian@aperture.us>
Thanks.
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [Buildroot] [PATCH] package/go: security bump to version 1.21.3
2023-10-11 11:47 [Buildroot] [PATCH] package/go: security bump to version 1.21.3 Peter Korsgaard
2023-10-11 20:02 ` Christian Stewart via buildroot
@ 2023-10-12 14:38 ` Peter Korsgaard
2023-10-13 18:44 ` Peter Korsgaard
2 siblings, 0 replies; 4+ messages in thread
From: Peter Korsgaard @ 2023-10-12 14:38 UTC (permalink / raw)
To: buildroot; +Cc: Anisse Astier, Christian Stewart
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:
> Fixes CVE-2023-39325: rapid stream resets can cause excessive work
> A malicious HTTP/2 client which rapidly creates requests and immediately
> resets them can cause excessive server resource consumption. While the
> total number of requests is bounded to the http2.Server.MaxConcurrentStreams
> setting, resetting an in-progress request allows the attacker to create a
> new request while the existing one is still executing.
> go1.21.3 (released 2023-10-10) includes a security fix to the net/http
> package.
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Committed, thanks.
--
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [Buildroot] [PATCH] package/go: security bump to version 1.21.3
2023-10-11 11:47 [Buildroot] [PATCH] package/go: security bump to version 1.21.3 Peter Korsgaard
2023-10-11 20:02 ` Christian Stewart via buildroot
2023-10-12 14:38 ` Peter Korsgaard
@ 2023-10-13 18:44 ` Peter Korsgaard
2 siblings, 0 replies; 4+ messages in thread
From: Peter Korsgaard @ 2023-10-13 18:44 UTC (permalink / raw)
To: buildroot; +Cc: Anisse Astier, Christian Stewart
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:
> Fixes CVE-2023-39325: rapid stream resets can cause excessive work
> A malicious HTTP/2 client which rapidly creates requests and immediately
> resets them can cause excessive server resource consumption. While the
> total number of requests is bounded to the http2.Server.MaxConcurrentStreams
> setting, resetting an in-progress request allows the attacker to create a
> new request while the existing one is still executing.
> go1.21.3 (released 2023-10-10) includes a security fix to the net/http
> package.
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
For 2023.02.x and 2023.08.x I have instead bumped to 1.20.10 which
contains the same fix.
--
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2023-10-13 18:44 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-10-11 11:47 [Buildroot] [PATCH] package/go: security bump to version 1.21.3 Peter Korsgaard
2023-10-11 20:02 ` Christian Stewart via buildroot
2023-10-12 14:38 ` Peter Korsgaard
2023-10-13 18:44 ` Peter Korsgaard
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox