"Hello gophers, We plan to issue Go 1.19.4 and Go 1.18.9 during US business hours on Tuesday, December 6. These minor releases include PRIVATE security fixes to the standard library."
"net/http: limit canonical header cache by bytes, not entries An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection. This issue is also fixed in golang.org/x/net/http2 vX.Y.Z, for users manually configuring HTTP/2. Thanks to Josselin Costanzi for reporting this issue. This is CVE-2022-41717 and Go issue https://go.dev/issue/56350." Please bump to 1.18.9 and 1.19.4.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=52ffb084cebe0e560a75ab2babbeb314efe1e396 commit 52ffb084cebe0e560a75ab2babbeb314efe1e396 Author: William Hubbs <williamh@gentoo.org> AuthorDate: 2022-12-14 19:30:57 +0000 Commit: William Hubbs <williamh@gentoo.org> CommitDate: 2022-12-14 19:30:57 +0000 dev-lang/go: add 1.18.9, 1.19.4 Bug: https://bugs.gentoo.org/883783 Signed-off-by: William Hubbs <williamh@gentoo.org> dev-lang/go/Manifest | 2 + dev-lang/go/go-1.18.9.ebuild | 196 +++++++++++++++++++++++++++++++++++++++++ dev-lang/go/go-1.19.4.ebuild | 201 +++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 399 insertions(+)
Please cleanup.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=10b509a58cd200113e58eb76f329a75533aea54f commit 10b509a58cd200113e58eb76f329a75533aea54f Author: William Hubbs <williamh@gentoo.org> AuthorDate: 2023-01-11 16:27:57 +0000 Commit: William Hubbs <williamh@gentoo.org> CommitDate: 2023-01-11 16:28:37 +0000 dev-lang/go: drop 1.18.7, 1.19.2 Bug: https://bugs.gentoo.org/883783 Signed-off-by: William Hubbs <williamh@gentoo.org> dev-lang/go/Manifest | 2 - dev-lang/go/go-1.18.7.ebuild | 196 ----------------------------------------- dev-lang/go/go-1.19.2.ebuild | 201 ------------------------------------------- 3 files changed, 399 deletions(-)
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=7f1e599c82e7f7f6b21bf1127d01d7dfa903e21c commit 7f1e599c82e7f7f6b21bf1127d01d7dfa903e21c Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2023-11-25 08:56:49 +0000 Commit: Hans de Graaff <graaff@gentoo.org> CommitDate: 2023-11-25 08:57:21 +0000 [ GLSA 202311-09 ] Go: Multiple Vulnerabilities Bug: https://bugs.gentoo.org/873637 Bug: https://bugs.gentoo.org/883783 Bug: https://bugs.gentoo.org/894478 Bug: https://bugs.gentoo.org/903979 Bug: https://bugs.gentoo.org/908255 Bug: https://bugs.gentoo.org/915555 Bug: https://bugs.gentoo.org/916494 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: Hans de Graaff <graaff@gentoo.org> glsa-202311-09.xml | 73 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 73 insertions(+)
