From 2cd81b394014784497449c8355c8e2b1b695ce81 Mon Sep 17 00:00:00 2001
From: hanchao
Date: Wed, 19 Jan 2022 14:17:15 +0800
Subject: [PATCH] fix CVE-2021-44716
Signed-off-by: hanchao
---
 ...o1.16-net-http-update-bundled-golang.patch | 50 +++++++++++++++++++
 golang.spec | 6 ++-
 2 files changed, 55 insertions(+), 1 deletion(-)
 create mode 100644 0055-release-branch.go1.16-net-http-update-bundled-golang.patch
diff --git a/0055-release-branch.go1.16-net-http-update-bundled-golang.patch b/0055-release-branch.go1.16-net-http-update-bundled-golang.patch
new file mode 100644
index 0000000..4436b9e
--- /dev/null
+++ b/0055-release-branch.go1.16-net-http-update-bundled-golang.patch
@@ -0,0 +1,50 @@
+From 97b9a8c1e595e2527654e8e4124e4ebc048548a2 Mon Sep 17 00:00:00 2001
+From: Filippo Valsorda
+Date: Wed, 19 Jan 2022 11:31:33 +0800
+Subject: [PATCH] [release-branch.go1.16] net/http: update bundled
+ golang.org/x/net/http2
+
+Pull in security fix
+
+ a5309b3 http2: cap the size of the server's canonical header cache
+
+Updates #50058
+Fixes CVE-2021-44716
+
+Change-Id: Ifdd13f97fce168de5fb4b2e74ef2060d059800b9
+Reviewed-on: https://go-review.googlesource.com/c/go/+/370575
+Trust: Filippo Valsorda
+Run-TryBot: Filippo Valsorda
+Reviewed-by: Alex Rakoczy
+TryBot-Result: Gopher Robot
+
+Conflict:NA
+Reference:https://github.com/golang/go/commit/d0aebe3e74fe14799f97ddd3f01129697c6a290a
+---
+ src/net/http/h2_bundle.go | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/src/net/http/h2_bundle.go b/src/net/http/h2_bundle.go
+index 3d83084..06f8808 100644
+--- a/src/net/http/h2_bundle.go
++++ b/src/net/http/h2_bundle.go
+@@ -4289,7 +4289,15 @@ func (sc *http2serverConn) canonicalHeader(v string) string {
+ sc.canonHeader = make(map[string]string)
+ }
+ cv = CanonicalHeaderKey(v)
+- sc.canonHeader[v] = cv
++ // maxCachedCanonicalHeaders is an arbitrarily-chosen limit on the number of
++ // entries in the canonHeader cache. This should be larger than the number
++ // of unique, uncommon header keys likely to be sent by the peer, while not
++ // so high as to permit unreaasonable memory usage if the peer sends an unbounded
++ // number of unique header keys.
++ const maxCachedCanonicalHeaders = 32
++ if len(sc.canonHeader) < maxCachedCanonicalHeaders {
++ sc.canonHeader[v] = cv
++ }
+ return cv
+ }
+
+--
+2.30.0
+
diff --git a/golang.spec b/golang.spec
index f90b2f2..a934384 100644
--- a/golang.spec
+++ b/golang.spec
@@ -62,7 +62,7 @@
 Name: golang
 Version: 1.15.7
-Release: 6
+Release: 7
 Summary: The Go Programming Language
 License: BSD and Public Domain
 URL: https://golang.org/
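Review bot: The new patch file is an upstream `[release-branch.go1.16]` backport being applied to a spec that builds `Version: 1.15.7`, and its `Conflict:NA` line only records that it applied without rejects; the `@@ -4289,7 +4289,15 @@` context comes from the 1.16 `src/net/http/h2_bundle.go`, so the build log should be checked for fuzz or offset on this patch to confirm the guard landed inside `canonicalHeader` rather than elsewhere in the bundle. The change itself does what the CVE-2021-44716 description says: `sc.canonHeader[v] = cv` now runs only while `len(sc.canonHeader) < maxCachedCanonicalHeaders`, so a peer sending an unbounded stream of unique header names can no longer grow the per-`http2serverConn` map without limit. Once 32 entries are cached, further uncommon keys are still canonicalised by `CanonicalHeaderKey(v)` on every call but are not stored, which is the trade-off the added comment states. `canonicalHeader` starts before the hunk, so the cache lookup and the lazy `make(map[string]string)` path are only partly visible here.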
@@ -200,6 +200,7 @@ Patch6051: 0051-net-reject-leading-zeros-in-IP-address-parsers.patch
 Patch6052: 0052-release-branch.go1.16-misc-wasm-cmd-link-do-not-let-.patch
 Patch6053: 0053-net-http-httputil-close-incoming-ReverseProxy-reques.patch
 Patch6054: 0054-release-branch.go1.16-debug-macho-fail-on-invalid-dy.patch
+Patch6055: 0055-release-branch.go1.16-net-http-update-bundled-golang.patch
 Patch9001: 0001-drop-hard-code-cert.patch
@@ -433,6 +434,9 @@ fi
 %files devel -f go-tests.list -f go-misc.list -f go-src.list
 %changelog
+* Wed Jan 19 2022 hanchao - 1.15.7-7
+- fix CVE-2021-44716
+
 * Thu Nov 16 2021 chenjiankun - 1.15.7-6
 - fix CVE-2021-41771
--
Gitee