buildx/vendor
Sebastiaan van Stijn 7f1eaa2a8a
vendor: golang.org/x/net v0.23.0
full diff: https://github.com/golang/net/compare/v0.22.0...v0.23.0

Includes a fix for CVE-2023-45288, which is also addressed in go1.22.2
and go1.21.9;

> http2: close connections when receiving too many headers
>
> Maintaining HPACK state requires that we parse and process
> all HEADERS and CONTINUATION frames on a connection.
> When a request's headers exceed MaxHeaderBytes, we don't
> allocate memory to store the excess headers but we do
> parse them. This permits an attacker to cause an HTTP/2
> endpoint to read arbitrary amounts of data, all associated
> with a request which is going to be rejected.
>
> Set a limit on the amount of excess header frames we
> will process before closing a connection.
>
> Thanks to Bartek Nowotarski for reporting this issue.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-04-10 17:22:06 +02:00
github.com Merge pull request #2392 from crazy-max/update-hcl 2024-04-10 08:48:10 +02:00
go.opentelemetry.io vendor: github.com/moby/buildkit v0.13.0-rc2 2024-02-24 17:14:01 +01:00
golang.org/x vendor: golang.org/x/net v0.23.0 2024-04-10 17:22:06 +02:00
google.golang.org vendor: github.com/moby/buildkit db304eb93126 (v0.13.0-dev) 2024-02-21 11:54:00 +01:00
gopkg.in bake: better handling of compose extension interface 2022-06-14 23:23:43 +02:00
k8s.io vendor: bump k8s dependencies to v0.29.2 2024-02-24 16:41:41 +01:00
sigs.k8s.io vendor: bump k8s dependencies to v0.29.2 2024-02-24 16:41:41 +01:00
modules.txt vendor: golang.org/x/net v0.23.0 2024-04-10 17:22:06 +02:00