You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
#9888 bumps the go version to 1.21.9 in CI. This is a follow-up to bump the minimum supported Go version in go mods.
Go 1.21.9 fixed the following security vulnerability:
These minor releases include 1 security fixes following the security policy:
http2: close connections when receiving too many headers
Maintaining HPACK state requires that we parse and process all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, we don't allocate memory to store the excess headers but we do parse them. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send.
Set a limit on the amount of excess header frames we will process before closing a connection.
#9888 bumps the go version to 1.21.9 in CI. This is a follow-up to bump the minimum supported Go version in go mods.
Go 1.21.9 fixed the following security vulnerability:
The text was updated successfully, but these errors were encountered: