net/http, x/net/http2: Denial of Service vulnerabilities in the HTTP/2 implementation #33606
Comments
@gopherbot Please backport this to 1.12 and 1.11. This was a security problem.

Backport issue(s) opened: #33630 (for 1.11), #33631 (for 1.12). Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://golang.org/wiki/MinorReleases.
…er send queue

An attacker could cause servers to queue an unlimited number of PING ACKs or RST_STREAM frames by soliciting them and not reading them, until the program runs out of memory.

Limit control frames in the queue to a few thousands (matching the limit imposed by other vendors) by counting as they enter and exit the scheduler, so the protection will work with any WriteScheduler. Once the limit is exceeded, close the connection, as we have no way to communicate with the peer.

This addresses CVE-2019-9512 and CVE-2019-9514.

Updates golang/go#33606

Change-Id: I842968fc6ed3eac654b497ade8cea86f7267886b
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/525552
Reviewed-by: Brad Fitzpatrick <[email protected]>
(cherry picked from commit 589ad6cc5321fb68a90370348a241a5da0a2cc80)
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/526069
Reviewed-by: Dmitri Shuralyov <[email protected]>

…er send queue

An attacker could cause servers to queue an unlimited number of PING ACKs or RST_STREAM frames by soliciting them and not reading them, until the program runs out of memory.

Limit control frames in the queue to a few thousands (matching the limit imposed by other vendors) by counting as they enter and exit the scheduler, so the protection will work with any WriteScheduler. Once the limit is exceeded, close the connection, as we have no way to communicate with the peer.

This addresses CVE-2019-9512 and CVE-2019-9514.

Updates golang/go#33606

Change-Id: I842968fc6ed3eac654b497ade8cea86f7267886b
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/525552
Reviewed-by: Brad Fitzpatrick <[email protected]>
(cherry picked from commit 589ad6cc5321fb68a90370348a241a5da0a2cc80)
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/526070
Reviewed-by: Dmitri Shuralyov <[email protected]>

…port security fix

Apply the following unpublished golang.org/x/net commit.

commit b1cc14aba47abf96f96818003fa4caad3a4b4e86
Author: Filippo Valsorda <[email protected]>
Date: Sun Aug 11 02:12:18 2019 -0400

[release-branch.go1.11] http2: limit number of control frames in server send queue

An attacker could cause servers to queue an unlimited number of PING ACKs or RST_STREAM frames by soliciting them and not reading them, until the program runs out of memory.

Limit control frames in the queue to a few thousands (matching the limit imposed by other vendors) by counting as they enter and exit the scheduler, so the protection will work with any WriteScheduler. Once the limit is exceeded, close the connection, as we have no way to communicate with the peer.

Change-Id: I842968fc6ed3eac654b497ade8cea86f7267886b
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/525552
Reviewed-by: Brad Fitzpatrick <[email protected]>
(cherry picked from commit 589ad6cc5321fb68a90370348a241a5da0a2cc80)
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/526070
Reviewed-by: Dmitri Shuralyov <[email protected]>

Fixes CVE-2019-9512 and CVE-2019-9514
Updates #33606

Change-Id: Iecedf1cc63ec7a1cd75661ec591d91ebc911cc64
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/526072
Reviewed-by: Dmitri Shuralyov <[email protected]>

…port security fix

Apply the following unpublished golang.org/x/net commit.

commit cdfb69ac37fc6fa907650654115ebebb3aae2087
Author: Filippo Valsorda <[email protected]>
Date: Sun Aug 11 02:12:18 2019 -0400

[release-branch.go1.12] http2: limit number of control frames in server send queue

An attacker could cause servers to queue an unlimited number of PING ACKs or RST_STREAM frames by soliciting them and not reading them, until the program runs out of memory.

Limit control frames in the queue to a few thousands (matching the limit imposed by other vendors) by counting as they enter and exit the scheduler, so the protection will work with any WriteScheduler. Once the limit is exceeded, close the connection, as we have no way to communicate with the peer.

Change-Id: I842968fc6ed3eac654b497ade8cea86f7267886b
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/525552
Reviewed-by: Brad Fitzpatrick <[email protected]>
(cherry picked from commit 589ad6cc5321fb68a90370348a241a5da0a2cc80)
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/526069
Reviewed-by: Dmitri Shuralyov <[email protected]>

Fixes CVE-2019-9512 and CVE-2019-9514
Updates #33606

Change-Id: I282b3e0fa22422d9ea0d07f4a3935685ce4a7433
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/526071
Reviewed-by: Dmitri Shuralyov <[email protected]>
Change https://golang.org/cl/190137 mentions this issue:

https://groups.google.com/forum/#!topic/golang-nuts/fCQWxqxP8aA golang/go#33606

```noteworthy developer
The golang version has been updated to `1.12.8` (fixing `CVE-2019-9512` and `CVE-2019-9514`).
```
Addresses golang/go#33606
Change https://golang.org/cl/191618 mentions this issue:

Update golang.org/x/net to v0.0.0-20190813141303-74dc4d7220e7 to import the following security fix.

commit 74dc4d7220e7acc4e100824340f3e66577424772
Author: Filippo Valsorda <[email protected]>
Date: Sun Aug 11 02:12:18 2019 -0400

http2: limit number of control frames in server send queue

An attacker could cause servers to queue an unlimited number of PING ACKs or RST_STREAM frames by soliciting them and not reading them, until the program runs out of memory.

Limit control frames in the queue to a few thousands (matching the limit imposed by other vendors) by counting as they enter and exit the scheduler, so the protection will work with any WriteScheduler. Once the limit is exceeded, close the connection, as we have no way to communicate with the peer.

Change-Id: I842968fc6ed3eac654b497ade8cea86f7267886b
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/525552
Reviewed-by: Brad Fitzpatrick <[email protected]>

This change was generated with cmd/go and cmd/bundle:

$ go get -u golang.org/x/net
$ go mod tidy
$ go mod vendor
$ go generate net/http

Fixes CVE-2019-9512 and CVE-2019-9514
Fixes #33606

Change-Id: I464baf96175006aa101d65d3b0f6494f28a626ab
Reviewed-on: https://go-review.googlesource.com/c/go/+/190137
Reviewed-by: Dmitri Shuralyov <[email protected]>

…p2 to import security fix

Update golang.org/x/net to v0.0.0-20190813141303-74dc4d7220e7 to import the following security fix.

commit 74dc4d7220e7acc4e100824340f3e66577424772
Author: Filippo Valsorda <[email protected]>
Date: Sun Aug 11 02:12:18 2019 -0400

http2: limit number of control frames in server send queue

An attacker could cause servers to queue an unlimited number of PING ACKs or RST_STREAM frames by soliciting them and not reading them, until the program runs out of memory.

Limit control frames in the queue to a few thousands (matching the limit imposed by other vendors) by counting as they enter and exit the scheduler, so the protection will work with any WriteScheduler. Once the limit is exceeded, close the connection, as we have no way to communicate with the peer.

Change-Id: I842968fc6ed3eac654b497ade8cea86f7267886b
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/525552
Reviewed-by: Brad Fitzpatrick <[email protected]>

This change was generated with cmd/go and cmd/bundle:

$ go get -u golang.org/x/net
$ go mod tidy
$ go mod vendor
$ go generate net/http

Fixes CVE-2019-9512 and CVE-2019-9514
Fixes #33606

Change-Id: I464baf96175006aa101d65d3b0f6494f28a626ab
Reviewed-on: https://go-review.googlesource.com/c/go/+/190137
Reviewed-by: Dmitri Shuralyov <[email protected]>
(cherry picked from commit 145e193)
Reviewed-on: https://go-review.googlesource.com/c/go/+/191618
Run-TryBot: Filippo Valsorda <[email protected]>
TryBot-Result: Gobot Gobot <[email protected]>

Update golang.org/x/net to v0.0.0-20190813141303-74dc4d7220e7 to import the following security fix.

commit 74dc4d7220e7acc4e100824340f3e66577424772
Author: Filippo Valsorda <[email protected]>
Date: Sun Aug 11 02:12:18 2019 -0400

http2: limit number of control frames in server send queue

An attacker could cause servers to queue an unlimited number of PING ACKs or RST_STREAM frames by soliciting them and not reading them, until the program runs out of memory.

Limit control frames in the queue to a few thousands (matching the limit imposed by other vendors) by counting as they enter and exit the scheduler, so the protection will work with any WriteScheduler. Once the limit is exceeded, close the connection, as we have no way to communicate with the peer.

Change-Id: I842968fc6ed3eac654b497ade8cea86f7267886b
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/525552
Reviewed-by: Brad Fitzpatrick <[email protected]>

This change was generated with cmd/go and cmd/bundle:

$ go get -u golang.org/x/net
$ go mod tidy
$ go mod vendor
$ go generate net/http

Fixes CVE-2019-9512 and CVE-2019-9514
Fixes golang#33606

Change-Id: I464baf96175006aa101d65d3b0f6494f28a626ab
Reviewed-on: https://go-review.googlesource.com/c/go/+/190137
Reviewed-by: Dmitri Shuralyov <[email protected]>

An attacker could cause servers to queue an unlimited number of PING ACKs or RST_STREAM frames by soliciting them and not reading them, until the program runs out of memory.

Limit control frames in the queue to a few thousands (matching the limit imposed by other vendors) by counting as they enter and exit the scheduler, so the protection will work with any WriteScheduler. Once the limit is exceeded, close the connection, as we have no way to communicate with the peer.

This addresses CVE-2019-9512 and CVE-2019-9514.

Fixes golang/go#33606

Change-Id: I842968fc6ed3eac654b497ade8cea86f7267886b
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/525552
Reviewed-by: Brad Fitzpatrick <[email protected]>
net/http and golang.org/x/net/http2 servers that accept direct connections from untrusted clients could be remotely made to allocate an unlimited amount of memory, until the program crashes. Servers will now close connections if the send queue accumulates too many control messages.

Thanks to Jonathan Looney from Netflix for discovering and reporting these issues.

These issues are CVE-2019-9512 and CVE-2019-9514.
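The mechanism behind both CVEs, and the shape of the fix described in the commit messages above, can be seen in a small model. The client sends frames that each oblige the server to reply with a control frame (a PING that must be answered with a PING ACK, or a frame on a stream that must be answered with RST_STREAM) but never reads the replies, so they pile up in the server's write scheduler. The fix counts control frames as they enter and leave the scheduler and closes the connection once the count exceeds a bound. The code below is an added illustration written for this page, not the x/net/http2 implementation; the bound of 10000, the type and function names, and the simplified scheduler are all assumptions made for the model (the commit message only says "a few thousands").

```go
package main

import (
	"errors"
	"fmt"
)

// Assumed bound for this model. The commit message only says "a few
// thousands"; the exact value is not taken from x/net.
const maxQueuedControlFrames = 10000

var (
	errTooManyControlFrames = errors.New("http2: too many queued control frames; closing connection")
	errConnClosed           = errors.New("http2: connection closed")
)

type frameKind int

const (
	frameData frameKind = iota
	framePingAck   // solicited by a client PING (CVE-2019-9512, "Ping Flood")
	frameRSTStream // solicited by a client frame on a stream the server resets (CVE-2019-9514, "Reset Flood")
)

// Control frames are cheap for the peer to solicit and are not subject to
// HTTP/2 flow control, so they are the ones that need an explicit bound.
func (k frameKind) isControl() bool { return k != frameData }

type frame struct{ kind frameKind }

// conn models the send side of one server HTTP/2 connection: frames wait in
// the write scheduler until the socket can take them. In the vulnerable
// versions nothing bounded queue growth; here queuedControlFrames does.
type conn struct {
	queue               []frame
	queuedControlFrames int // incremented on entry to the queue, decremented on exit
	closed              bool
}

// schedule mirrors the mitigation: count the control frame on entry and give
// up on the connection once the bound is exceeded. The peer is not draining
// our writes, so a GOAWAY would just be one more frame it never reads.
func (c *conn) schedule(f frame) error {
	if c.closed {
		return errConnClosed
	}
	if f.kind.isControl() {
		c.queuedControlFrames++
		if c.queuedControlFrames > maxQueuedControlFrames {
			c.closed = true
			c.queue = nil // release the backlog instead of holding it until OOM
			return errTooManyControlFrames
		}
	}
	c.queue = append(c.queue, f)
	return nil
}

// drain models the socket accepting up to n queued frames (the peer is
// reading). Control frames leaving the queue decrement the counter.
func (c *conn) drain(n int) {
	if n > len(c.queue) {
		n = len(c.queue)
	}
	for _, f := range c.queue[:n] {
		if f.kind.isControl() {
			c.queuedControlFrames--
		}
	}
	c.queue = c.queue[n:]
}

// simulate has a client solicit n control frames of the given kind. If
// drainEvery > 0 the client reads (the socket drains) after every drainEvery
// frames; drainEvery == 0 models the attacker who never reads. It returns
// whether the server closed the connection and the peak queued control count.
func simulate(kind frameKind, n, drainEvery int) (closed bool, peak int) {
	c := &conn{}
	for i := 1; i <= n; i++ {
		if err := c.schedule(frame{kind: kind}); err != nil {
			return true, peak
		}
		if c.queuedControlFrames > peak {
			peak = c.queuedControlFrames
		}
		if drainEvery > 0 && i%drainEvery == 0 {
			c.drain(drainEvery)
		}
	}
	return c.closed, peak
}

func main() {
	closed, peak := simulate(framePingAck, 1000000, 0)
	fmt.Printf("ping flood, client never reads:  closed=%v peak=%d\n", closed, peak)
	closed, peak = simulate(frameRSTStream, 1000000, 0)
	fmt.Printf("reset flood, client never reads: closed=%v peak=%d\n", closed, peak)
	closed, peak = simulate(framePingAck, 1000000, 100)
	fmt.Printf("well-behaved client:             closed=%v peak=%d\n", closed, peak)
}
```

With the bound in place a non-reading client gets its connection closed after the queue reaches the limit, so memory stays bounded per connection; a client that reads its replies never comes near the limit because frames leave the scheduler as fast as they enter. The model deliberately counts on exit too, as the commit message says, so the bound is on frames actually outstanding rather than on frames ever sent.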