Skip to content

Commit

Permalink
fix(deps): update module golang.org/x/net to v0.17.0 [security]
Browse files Browse the repository at this point in the history
A malicious HTTP/2 client which rapidly creates requests and immediately resets them
can cause excessive server resource consumption. While the total number of requests
is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an
in-progress request allows the attacker to create a new request while the existing
one is still executing.

With the fix applied, HTTP/2 servers now bound the number of simultaneously
executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams).
New requests arriving when at the limit (which can only happen after the client has
reset an existing, in-flight request) will be queued until a handler exits. If the
request queue grows too large, the server will terminate the connection.

This issue is also fixed in golang.org/x/net/http2 for users manually configuring
HTTP/2.

The default stream concurrency limit is 250 streams (requests) per HTTP/2
connection. This value may be adjusted using the golang.org/x/net/http2 package; see
the Server.MaxConcurrentStreams setting and the ConfigureServer function

Signed-off-by: André Martins <andre@cilium.io>
  • Loading branch information
aanm committed Oct 12, 2023
1 parent aff7ede commit b7da3c4
Show file tree
Hide file tree
Showing 173 changed files with 21,911 additions and 6,780 deletions.
10 changes: 5 additions & 5 deletions go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -82,11 +82,11 @@ require (
go.uber.org/goleak v1.2.0
go.uber.org/multierr v1.8.0
go.universe.tf/metallb v0.11.0
golang.org/x/crypto v0.1.0
golang.org/x/crypto v0.14.0
golang.org/x/exp v0.0.0-20230425010034-47ecfdc1ba53
golang.org/x/net v0.9.0
golang.org/x/net v0.17.0
golang.org/x/sync v0.1.0
golang.org/x/sys v0.7.0
golang.org/x/sys v0.13.0
golang.org/x/time v0.0.0-20220210224613-90d013bbcef8
golang.org/x/tools v0.7.0
golang.zx2c4.com/wireguard v0.0.0-20211017052713-f87e87af0d9a
Expand Down Expand Up @@ -217,8 +217,8 @@ require (
go.uber.org/zap v1.19.1 // indirect
golang.org/x/mod v0.9.0 // indirect
golang.org/x/oauth2 v0.7.0 // indirect
golang.org/x/term v0.7.0 // indirect
golang.org/x/text v0.9.0 // indirect
golang.org/x/term v0.13.0 // indirect
golang.org/x/text v0.13.0 // indirect
google.golang.org/appengine v1.6.7 // indirect
gopkg.in/inf.v0 v0.9.1 // indirect
gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
Expand Down
20 changes: 10 additions & 10 deletions go.sum

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

4 changes: 2 additions & 2 deletions vendor/golang.org/x/crypto/chacha20/chacha_arm64.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

4 changes: 2 additions & 2 deletions vendor/golang.org/x/crypto/chacha20/chacha_arm64.s

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

4 changes: 2 additions & 2 deletions vendor/golang.org/x/crypto/chacha20/chacha_noasm.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

99 changes: 6 additions & 93 deletions vendor/golang.org/x/crypto/curve25519/curve25519.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

105 changes: 105 additions & 0 deletions vendor/golang.org/x/crypto/curve25519/curve25519_compat.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

46 changes: 46 additions & 0 deletions vendor/golang.org/x/crypto/curve25519/curve25519_go120.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading

0 comments on commit b7da3c4

Please sign in to comment.