=====================================================================

                                  CERT-Renater

                       Information Note No. 2024/VULN178
_____________________________________________________________________

DATE                : 08/04/2024

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Go versions prior to 1.22.2 or
                     1.21.9.

=====================================================================
https://groups.google.com/g/golang-announce/c/YgW0sx8mN3M
_____________________________________________________________________


Hello gophers,

We have just released Go versions 1.22.2 and 1.21.9, minor point
releases.

These minor releases include 1 security fix following the security
policy:

     http2: close connections when receiving too many headers

     Maintaining HPACK state requires that we parse and process all
     HEADERS and CONTINUATION frames on a connection. When a request's
     headers exceed MaxHeaderBytes, we don't allocate memory to store the
     excess headers but we do parse them. This permits an attacker to
     cause an HTTP/2 endpoint to read arbitrary amounts of header data,
     all associated with a request which is going to be rejected. These
     headers can include Huffman-encoded data which is significantly more
     expensive for the receiver to decode than for an attacker to send.

     Set a limit on the amount of excess header frames we will
     process before closing a connection.

     Thanks to Bartek Nowotarski (https://nowotarski.info/) for
     reporting this issue.

     This is CVE-2023-45288 and Go issue https://go.dev/issue/65051.

View the release notes for more information:
https://go.dev/doc/devel/release#go1.22.2

You can download binary and source distributions from the Go website:
https://go.dev/dl/

To compile from source using a Git clone, update to the release with
git checkout go1.22.2 and build as usual.

Thanks to everyone who contributed to the releases.

Cheers,
Than and Dmitri for the Go team
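The mitigation the announcement describes, a bound on how many over-budget header frames an endpoint keeps decoding before it closes the connection, as an added Go example that is not Go's own net/http or x/net/http2 code: the Frame type, HeaderLimiter, and the 1 MiB / 4-frame limits are constructed here, and CloseConnection stands in for what a real server would do with GOAWAY.

```go
package main

import "fmt"

// Minimal header-frame model, constructed for this example (not x/net/http2 types): a HEADERS
// frame and each following CONTINUATION frame carry a PayloadLen-byte fragment of one header block.
type Frame struct {
	PayloadLen int
	EndHeaders bool // END_HEADERS flag: this frame closes the block
}

type Decision int

const (
	Accept          Decision = iota // within budget, keep decoding
	RejectRequest                   // block exceeds MaxHeaderBytes; the request is rejected
	CloseConnection                 // too many excess frames; stop decoding and close the connection
)

// HeaderLimiter meters the header block currently being read on one connection. HTTP/2 forbids
// interleaving other frames inside a header block, so a single running total per connection suffices.
type HeaderLimiter struct {
	MaxHeaderBytes, MaxExcessFrames int
	blockBytes, excessFrames        int
}

// Observe accounts one HEADERS/CONTINUATION frame and says what the endpoint should do next.
func (l *HeaderLimiter) Observe(f Frame) Decision {
	l.blockBytes += f.PayloadLen
	d := Accept
	if l.blockBytes > l.MaxHeaderBytes {
		l.excessFrames++ // over budget: still parsed, but only to keep HPACK state in sync
		d = RejectRequest
		if l.excessFrames > l.MaxExcessFrames {
			d = CloseConnection
		}
	}
	if f.EndHeaders { // block complete: reset for the next one
		l.blockBytes, l.excessFrames = 0, 0
	}
	return d
}

func main() { // constructed input: 16 KiB fragments that never carry END_HEADERS
	l := &HeaderLimiter{MaxHeaderBytes: 1 << 20, MaxExcessFrames: 4}
	for i := 0; i < 70; i++ {
		fmt.Println(i, l.Observe(Frame{PayloadLen: 16384}))
	}
}
```

Without the excess-frame bound the loop would keep returning RejectRequest for as long as fragments arrive, which is exactly the unbounded decoding work the fix removes.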


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
