[Security] Bump golang.org/x/net from 0.0.0-20190311031020-56fb01167e7d to 0.7.0 #12

Merged
argoyle merged 1 commits from dependabot-go_modules-golang.org-x-net-0.7.0 into master 2023-05-09 05:32:13 +00:00
argoyle commented 2023-05-08 18:37:22 +00:00 (Migrated from gitlab.com)

Bumps golang.org/x/net from 0.0.0-20190311031020-56fb01167e7d to 0.7.0. This update includes security fixes.

Vulnerabilities fixed

Uncontrolled Resource Consumption
A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.

Patched versions: 0.7.0
Affected versions: < 0.7.0

golang.org/x/net/http2 Denial of Service vulnerability
In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.

Patched versions: 0.0.0-20220906165146-f3363e06e74c
Affected versions: < 0.0.0-20220906165146-f3363e06e74c

golang.org/x/net/html Infinite Loop vulnerability
Go through 1.15.12 and 1.16.x through 1.16.4 has a golang.org/x/net/html infinite loop via crafted ParseFragment input.

Patched versions: 0.0.0-20210520170846-37e1c6afe023
Affected versions: < 0.0.0-20210520170846-37e1c6afe023

golang.org/x/net/http/httpguts vulnerable to Uncontrolled Recursion
net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations.

Patched versions: 0.0.0-20210428140749-89ef3d95e781
Affected versions: < 0.0.0-20210428140749-89ef3d95e781

golang.org/x/net/http vulnerable to ping floods
Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.

Patched versions: 0.0.0-20190813141303-74dc4d7220e7
Affected versions: < 0.0.0-20190813141303-74dc4d7220e7

golang.org/x/net/http vulnerable to a reset flood
Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both.

Patched versions: 0.0.0-20190813141303-74dc4d7220e7
Affected versions: < 0.0.0-20190813141303-74dc4d7220e7

Commits

  • See full diff in compare view: https://github.com/golang/net/commits/v0.7.0

Dependabot commands
You can trigger Dependabot actions by commenting on this MR
  • $dependabot rebase will rebase this MR
  • $dependabot recreate will recreate this MR rewriting all the manual changes and resolving conflicts
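An added defender-side check, not part of this merge request or of golang.org/x/net itself: it decides which of the advisories listed above still apply to a given go.mod version of golang.org/x/net, handling both tagged releases (0.7.0) and pseudo-versions (0.0.0-<timestamp>-<hash>). The ordering is a simplified form of Go's semver rules that assumes a single prerelease identifier and version components below 1000, which holds for every version on this page.

```go
package main
import (
	"strconv"
	"strings"
)

// Patched thresholds from the advisory list above; a version strictly below one is still affected.
var patched = map[string]string{
	"HPACK uncontrolled resource consumption": "v0.7.0",
	"http2 hang during close":                 "v0.0.0-20220906165146-f3363e06e74c",
	"html ParseFragment infinite loop":        "v0.0.0-20210520170846-37e1c6afe023",
	"httpguts uncontrolled recursion (panic)": "v0.0.0-20210428140749-89ef3d95e781",
	"http2 ping flood and reset flood":        "v0.0.0-20190813141303-74dc4d7220e7",
}

// split turns "v1.2.3" or "v0.0.0-<timestamp>-<hash>" into a packed numeric core
// (major*1e6+minor*1e3+patch) plus the prerelease part. Assumes components < 1000.
func split(v string) (core int, pre string) {
	v, pre, _ = strings.Cut(strings.TrimPrefix(v, "v"), "-")
	for _, p := range strings.SplitN(v, ".", 3) {
		n, _ := strconv.Atoi(p)
		core = core*1000 + n
	}
	return core, pre
}

// Compare orders two module versions: -1 if a < b, 0 if equal, 1 if a > b.
func Compare(a, b string) int {
	ca, pa := split(a)
	cb, pb := split(b)
	switch {
	case ca < cb:
		return -1
	case ca > cb:
		return 1
	case (pa == "") != (pb == ""): // a tagged release outranks a pseudo-version of the same core
		return strings.Compare(pb, pa)
	}
	return strings.Compare(pa, pb) // fixed-width timestamps: string order equals time order
}

// Unfixed lists the advisories that still apply to the given golang.org/x/net version.
func Unfixed(version string) (out []string) {
	for name, fixed := range patched {
		if Compare(version, fixed) < 0 {
			out = append(out, name)
		}
	}
	return out
}
```

Calling Unfixed with the pre-bump version from this MR (0.0.0-20190311031020-56fb01167e7d) returns all five entries; 0.7.0 returns none.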
argoyle commented 2023-05-09 05:26:03 +00:00 (Migrated from gitlab.com)

added 3 commits

  • 77e39186...9c63d00b - 2 commits from branch master
  • 8e9a06fb - [Security] Bump golang.org/x/net

Compare with previous version: /unboundsoftware/default-request-adder/-/merge_requests/9/diffs?diff_id=675548646&start_sha=77e3918687e88991af145fbd8a0616d60d247360

argoyle (Migrated from gitlab.com) scheduled this pull request to auto merge when all checks succeed 2023-05-09 05:26:46 +00:00
argoyle (Migrated from gitlab.com) merged commit into master 2023-05-09 05:32:13 +00:00