From nobody Mon Apr 15 08:20:26 2024
X-Original-To: dev-commits-ports-main@mlmmj.nyi.freebsd.org
Date: Mon, 15 Apr 2024 08:20:26 GMT
Message-Id: <202404150820.43F8KQ9j083601@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
From: Ashish SHUKLA
Subject: git: 5d3ca8689dec - main - security/vuxml: Document go language vulnerabilities
List-Id: Commits to the main branch of the FreeBSD ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main
X-BeenThere: dev-commits-ports-main@freebsd.org
Sender: owner-dev-commits-ports-main@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: ashish
X-Git-Repository: ports
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 5d3ca8689dec53ee7ced0bcaf2ed2715f25c957b
Auto-Submitted: auto-generated

The branch main has been updated by ashish:

URL: https://cgit.FreeBSD.org/ports/commit/?id=5d3ca8689dec53ee7ced0bcaf2ed2715f25c957b

commit 5d3ca8689dec53ee7ced0bcaf2ed2715f25c957b
Author:     Ashish SHUKLA
AuthorDate: 2024-04-15 07:55:09 +0000
Commit:     Ashish SHUKLA
CommitDate: 2024-04-15 08:20:02 +0000

    security/vuxml: Document go language vulnerabilities

--- security/vuxml/vuln/2024.xml | 40 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/security/vuxml/vuln/2024.xml b/security/vuxml/vuln/2024.xml index fce127179d44..3998dd2adcff 100644 --- a/security/vuxml/vuln/2024.xml +++ b/security/vuxml/vuln/2024.xml @@ -1,3 +1,43 @@ + + go -- http2: close connections when receiving too many headers + + + go122 + 1.22.2 + + + go121 + 1.21.9 + + + + +

The Go project reports:

+
+

http2: close connections when receiving too many headers

+

Maintaining HPACK state requires that we parse and + process all HEADERS and CONTINUATION frames on a + connection. When a request's headers exceed MaxHeaderBytes, + we don't allocate memory to store the excess headers but we + do parse them. This permits an attacker to cause an HTTP/2 + endpoint to read arbitrary amounts of header data, all + associated with a request which is going to be + rejected. These headers can include Huffman-encoded data + which is significantly more expensive for the receiver to + decode than for an attacker to send.

+
+ +
+ + CVE-2023-45288 + https://groups.google.com/g/golang-announce/c/YgW0sx8mN3M/m/khALNYGdAAAJ + + + 2024-04-03 + 2024-04-15 + +
+ chromium -- multiple security fixes
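Review bot: the description block quotes the Go project's statement of the problem (HEADERS and CONTINUATION frames are parsed past MaxHeaderBytes even though the excess is never stored, and Huffman-encoded header data costs the receiver far more to decode than the sender to emit) but says nothing about what changes in the fixed releases, which only the topic line carries. For the go122 (1.22.2) and go121 (1.21.9) ranges, consider adding one sentence to the description stating that the patched versions close the connection once the header limit is exceeded, so a reader of the advisory sees both the impact (CPU spent on a request that will be rejected anyway) and the behaviour the upgrade introduces. The references carry CVE-2023-45288 and the golang-announce thread, which is the right primary source for the 2024-04-03 discovery date given.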