
Patch CVE-2023-45288 #300

Merged (1 commit, Apr 10, 2024)

Conversation

@ingve (Contributor) commented Apr 10, 2024

Fixes

Scanning your code and 365 packages across 70 dependent modules for known vulnerabilities...

=== Symbol Results ===

Vulnerability #1: GO-2024-2687
    HTTP/2 CONTINUATION flood in net/http
  More info: https://pkg.go.dev/vuln/GO-2024-2687
  Module: golang.org/x/net
    Found in: golang.org/x/net@v0.20.0
    Fixed in: golang.org/x/net@v0.23.0
    Example traces found:
      #1: internal/server/streamparser.go:141:79: server.EntityStreamParser.ParseStream calls http2.ConnectionError.Error
      #2: internal/jobs/transform.go:510:21: jobs.JavascriptTransform.ToString calls fmt.Sprintf, which eventually calls http2.ErrCode.String
      #3: internal/jobs/transform.go:510:21: jobs.JavascriptTransform.ToString calls fmt.Sprintf, which eventually calls http2.FrameHeader.String
      #4: internal/jobs/transform.go:510:21: jobs.JavascriptTransform.ToString calls fmt.Sprintf, which eventually calls http2.FrameType.String
      #5: internal/server/streamparser.go:141:79: server.EntityStreamParser.ParseStream calls http2.GoAwayError.Error
      #6: internal/jobs/transform.go:510:21: jobs.JavascriptTransform.ToString calls fmt.Sprintf, which eventually calls http2.Setting.String
      #7: internal/jobs/transform.go:510:21: jobs.JavascriptTransform.ToString calls fmt.Sprintf, which eventually calls http2.SettingID.String
      #8: internal/server/streamparser.go:141:79: server.EntityStreamParser.ParseStream calls http2.StreamError.Error
      #9: internal/jobs/source/http_dataset_source.go:97:2: source.HTTPDatasetSource.ReadEntities calls http.http2transportResponseBody.Close, which eventually calls http2.chunkWriter.Write
      #10: internal/server/streamparser.go:141:79: server.EntityStreamParser.ParseStream calls http2.connError.Error
      #11: internal/server/streamparser.go:141:79: server.EntityStreamParser.ParseStream calls http2.duplicatePseudoHeaderError.Error
      #12: internal/jobs/source/http_dataset_source.go:97:2: source.HTTPDatasetSource.ReadEntities calls http2.gzipReader.Close
      #13: internal/security/nodeprovider.go:100:24: security.NodeJwtBearerProvider.callRemoteNodeEndpoint calls io.ReadAll, which calls http2.gzipReader.Read
      #14: internal/server/streamparser.go:141:79: server.EntityStreamParser.ParseStream calls http2.headerFieldNameError.Error
      #15: internal/server/streamparser.go:141:79: server.EntityStreamParser.ParseStream calls http2.headerFieldValueError.Error
      #16: internal/server/streamparser.go:141:79: server.EntityStreamParser.ParseStream calls http2.pseudoHeaderError.Error
      #17: internal/jobs/source/http_dataset_source.go:97:2: source.HTTPDatasetSource.ReadEntities calls http.http2transportResponseBody.Close, which eventually calls http2.stickyErrWriter.Write
      #18: internal/jobs/source/http_dataset_source.go:97:2: source.HTTPDatasetSource.ReadEntities calls http2.transportResponseBody.Close
      #19: internal/security/nodeprovider.go:100:24: security.NodeJwtBearerProvider.callRemoteNodeEndpoint calls io.ReadAll, which calls http2.transportResponseBody.Read
      #20: internal/jobs/transform.go:510:21: jobs.JavascriptTransform.ToString calls fmt.Sprintf, which eventually calls http2.writeData.String

Your code is affected by 1 vulnerability from 1 module.

@ingve ingve requested a review from rompetroll April 10, 2024 05:43
@rompetroll rompetroll merged commit 0b398e4 into master Apr 10, 2024
3 checks passed
@rompetroll rompetroll deleted the chore/24-101-fix-govulncheck-vulns branch April 10, 2024 08:23