Bug 915555 (CVE-2023-39325) - <dev-lang/go-{1.20.10,1.21.3}: rapid stream resets can cause excessive work
Summary: <dev-lang/go-{1.20.10,1.21.3}: rapid stream resets can cause excessive work
Status: CONFIRMED
Alias: CVE-2023-39325
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://groups.google.com/g/golang-an...
Whiteboard: A3 [glsa+ cleanup]
Keywords:
Depends on: 915900
Blocks: CVE-2023-44487
Reported: 2023-10-10 17:12 UTC by Hans de Graaff
Modified: 2023-11-25 09:00 UTC

See Also:
Package list:
Runtime testing required: ---
Description Hans de Graaff gentoo-dev Security 2023-10-10 17:12:13 UTC
A malicious HTTP/2 client which rapidly creates requests and
immediately resets them can cause excessive server resource consumption.
While the total number of requests is bounded to the
http2.Server.MaxConcurrentStreams setting, resetting an in-progress
request allows the attacker to create a new request while the existing
one is still executing.

HTTP/2 servers now bound the number of simultaneously executing
handler goroutines to the stream concurrency limit. New requests
arriving when at the limit (which can only happen after the client
has reset an existing, in-flight request) will be queued until a
handler exits. If the request queue grows too large, the server
will terminate the connection.

This issue is also fixed in golang.org/x/net/http2 v0.17.0,
for users manually configuring HTTP/2.

The default stream concurrency limit is 250 streams (requests)
per HTTP/2 connection. This value may be adjusted using the
golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams
setting and the ConfigureServer function.

This is CVE-2023-39325 and Go issue https://go.dev/issue/63417.
This is also tracked by CVE-2023-44487.
Comment 1 Sebastian Pipping gentoo-dev 2023-10-12 13:19:00 UTC
Adding package dev-lang/go to the title and its maintainer to CC…
Comment 2 Sebastian Pipping gentoo-dev 2023-10-12 13:30:35 UTC
Bumping dev-lang/go to 1.21.3 and 1.20.10 is enough to fix the issue according to https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo.
Comment 3 Larry the Git Cow gentoo-dev 2023-10-17 17:53:34 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=94aaf10bbb97211efdffb001a4be8852cd65d6ff

commit 94aaf10bbb97211efdffb001a4be8852cd65d6ff
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2023-10-17 17:53:17 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2023-10-17 17:53:27 +0000

    dev-lang/go: add 1.21.3
    
    Bug: https://bugs.gentoo.org/915555
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 dev-lang/go/Manifest         |   1 +
 dev-lang/go/go-1.21.3.ebuild | 210 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 211 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4d31735413519485d5f4f0c1fde48a41f6820059

commit 4d31735413519485d5f4f0c1fde48a41f6820059
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2023-10-17 17:52:05 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2023-10-17 17:53:27 +0000

    dev-lang/go: add 1.20.10
    
    Bug: https://bugs.gentoo.org/915555
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 dev-lang/go/Manifest          |   1 +
 dev-lang/go/go-1.20.10.ebuild | 210 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 211 insertions(+)
Comment 4 Larry the Git Cow gentoo-dev 2023-11-25 08:57:29 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=7f1e599c82e7f7f6b21bf1127d01d7dfa903e21c

commit 7f1e599c82e7f7f6b21bf1127d01d7dfa903e21c
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-11-25 08:56:49 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2023-11-25 08:57:21 +0000

    [ GLSA 202311-09 ] Go: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/873637
    Bug: https://bugs.gentoo.org/883783
    Bug: https://bugs.gentoo.org/894478
    Bug: https://bugs.gentoo.org/903979
    Bug: https://bugs.gentoo.org/908255
    Bug: https://bugs.gentoo.org/915555
    Bug: https://bugs.gentoo.org/916494
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202311-09.xml | 73 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 73 insertions(+)