A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded to the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing.

HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit. New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection.

This issue is also fixed in golang.org/x/net/http2 v0.17.0, for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.

This is CVE-2023-39325 and Go issue https://go.dev/issue/63417. This is also tracked by CVE-2023-44487.
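The per-connection bound the fix introduces, written here as an added Go model (not the golang.org/x/net/http2 implementation): a handler slot is released only when a handler exits, never by a client reset, so a rapid-reset client can hold at most MaxConcurrentStreams executing handlers plus a bounded queue before the connection is terminated. The ConnLimiter type and the MaxQueued threshold are assumptions of this model; the page does not give the server's actual queue limit.

```go
package main

import "sync"

// Decision is what the per-connection limiter does with a newly arrived request.
type Decision int

const (
	Run       Decision = iota // a handler slot is free: start the handler goroutine now
	Queued                    // at the limit: wait until an executing handler exits
	Terminate                 // wait queue too large: the server closes the connection
)

// ConnLimiter models, for one HTTP/2 connection, the bound the fix introduces:
// executing handler goroutines never exceed the stream concurrency limit, however
// many streams the client resets. A client RST_STREAM frees nothing here; only a
// handler exit does. Illustrative model, not the golang.org/x/net/http2 code.
type ConnLimiter struct {
	MaxConcurrentStreams int // default 250 per connection
	MaxQueued            int // assumed queue bound; the real threshold is server-internal
	mu                   sync.Mutex
	running, queued      int // executing handlers, requests waiting for a slot
}

// Arrive is called for each new request (stream) the client opens. After
// Terminate the connection is closed, so no further calls are expected.
func (l *ConnLimiter) Arrive() Decision {
	l.mu.Lock()
	defer l.mu.Unlock()
	switch {
	case l.running < l.MaxConcurrentStreams:
		l.running++
		return Run
	case l.queued < l.MaxQueued:
		l.queued++
		return Queued
	}
	return Terminate
}

// HandlerExit frees a slot; a queued request, if any, takes it over at once.
func (l *ConnLimiter) HandlerExit() {
	l.mu.Lock()
	defer l.mu.Unlock()
	if l.queued > 0 {
		l.queued-- // slot passes to a waiting request; running is unchanged
		return
	}
	l.running--
}
```

Because a reset stream never calls HandlerExit, the number of handlers a single connection can keep executing stays at MaxConcurrentStreams no matter how fast the client opens and cancels streams.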
Adding package dev-lang/go to the title and its maintainer to CC…
Bumping dev-lang/go to 1.21.3 and 1.20.10 is enough to fix the issue according to https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=94aaf10bbb97211efdffb001a4be8852cd65d6ff

commit 94aaf10bbb97211efdffb001a4be8852cd65d6ff
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2023-10-17 17:53:17 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2023-10-17 17:53:27 +0000

    dev-lang/go: add 1.21.3

    Bug: https://bugs.gentoo.org/915555
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 dev-lang/go/Manifest         |   1 +
 dev-lang/go/go-1.21.3.ebuild | 210 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 211 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4d31735413519485d5f4f0c1fde48a41f6820059

commit 4d31735413519485d5f4f0c1fde48a41f6820059
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2023-10-17 17:52:05 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2023-10-17 17:53:27 +0000

    dev-lang/go: add 1.20.10

    Bug: https://bugs.gentoo.org/915555
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 dev-lang/go/Manifest          |   1 +
 dev-lang/go/go-1.20.10.ebuild | 210 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 211 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=7f1e599c82e7f7f6b21bf1127d01d7dfa903e21c

commit 7f1e599c82e7f7f6b21bf1127d01d7dfa903e21c
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-11-25 08:56:49 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2023-11-25 08:57:21 +0000

    [ GLSA 202311-09 ] Go: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/873637
    Bug: https://bugs.gentoo.org/883783
    Bug: https://bugs.gentoo.org/894478
    Bug: https://bugs.gentoo.org/903979
    Bug: https://bugs.gentoo.org/908255
    Bug: https://bugs.gentoo.org/915555
    Bug: https://bugs.gentoo.org/916494
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202311-09.xml | 73 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 73 insertions(+)