net/http: Denial of Service vulnerabilities in the HTTP/2 implementation
net/http and golang.org/x/net/http2 servers that accept direct connections from untrusted clients could be remotely made to allocate an unlimited amount of memory, until the program crashes. Servers will now close connections if the send queue accumulates too many control messages.
The issues are CVE-2019-9512 and CVE-2019-9514, and Go issue golang.org/issue/33606.
Thanks to Jonathan Looney from Netflix for discovering and reporting these issues.
This is also fixed in version v0.0.0-20190813141303-74dc4d7220e7 of golang.org/x/net/http2.
net/url: parsing validation issue
url.Parse would accept URLs with malformed hosts, such that the Host field could have arbitrary suffixes that would appear in neither Hostname() nor Port(), allowing authorization bypasses in certain applications. Note that URLs with invalid, non-numeric ports will now return an error from url.Parse.
The issue is CVE-2019-14809 and Go issue golang.org/issue/29098.
Thanks to Julian Hector and Nikolai Krein from Cure53, and Adi Cohen (adico.me) for discovering and reporting this issue.
Original text:
net/http: Denial of Service vulnerabilities in the HTTP/2 implementation
net/http and golang.org/x/net/http2 servers that accept direct connections from untrusted clients could be remotely made to allocate an unlimited amount of memory, until the program crashes. Servers will now close connections if the send queue accumulates too many control messages.
The issues are CVE-2019-9512 and CVE-2019-9514, and Go issue golang.org/issue/33606.
Thanks to Jonathan Looney from Netflix for discovering and reporting these issues.
This is also fixed in version v0.0.0-20190813141303-74dc4d7220e7 of golang.org/x/net/http2.
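To make the mitigation concrete, here is an added example (not code from the Go project) that models a bounded per-connection send queue of the kind the announcement describes: control frames the peer can trigger at will are queued for the write loop, and once the backlog passes a cap the connection is marked for closing and the backlog released. The cap value, the frame type and the `simulate` driver are assumptions chosen for illustration; the real net/http and x/net/http2 code differs in structure and constants.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrTooManyQueued is returned once the connection has been marked for
// closing because its backlog of unsent control frames grew past the cap.
var ErrTooManyQueued = errors.New("too many queued control frames; closing connection")

// maxQueuedControlFrames is an illustrative cap chosen for this example;
// it is not the value used by the real net/http or x/net/http2 code.
const maxQueuedControlFrames = 100

// controlFrame stands in for a small outbound frame (a PING reply, a
// SETTINGS acknowledgement, ...) that the peer can cause the server to
// generate without consuming any of its own flow-control window.
type controlFrame struct {
	kind string
	seq  int
}

// sendQueue is a bounded per-connection write queue. Protocol logic appends
// frames; the write loop drains them as the socket accepts bytes.
type sendQueue struct {
	limit  int
	frames []controlFrame
	closed bool
}

func newSendQueue(limit int) *sendQueue {
	return &sendQueue{limit: limit}
}

// enqueue appends f, unless the backlog already holds limit frames, in which
// case it marks the connection for closing, releases the backlog and refuses.
// A peer that reads replies as fast as it sends requests never trips the cap;
// only a peer that keeps sending while never draining its replies does.
func (q *sendQueue) enqueue(f controlFrame) error {
	if q.closed {
		return ErrTooManyQueued
	}
	if len(q.frames) >= q.limit {
		q.closed = true
		q.frames = nil // memory held by the backlog is released, not grown
		return ErrTooManyQueued
	}
	q.frames = append(q.frames, f)
	return nil
}

// drain models the write loop flushing up to n frames to the peer and
// returns how many it flushed.
func (q *sendQueue) drain(n int) int {
	if n > len(q.frames) {
		n = len(q.frames)
	}
	q.frames = q.frames[n:]
	return n
}

func (q *sendQueue) queued() int { return len(q.frames) }

// simulate generates `pings` PING replies, draining `drainPer` frames after
// every `batch` of them, and reports how many replies were queued before the
// connection was closed (if it was).
func simulate(limit, pings, batch, drainPer int) (accepted int, closed bool) {
	q := newSendQueue(limit)
	for i := 0; i < pings; i++ {
		if err := q.enqueue(controlFrame{kind: "PING-ACK", seq: i}); err != nil {
			return accepted, true
		}
		accepted++
		if batch > 0 && (i+1)%batch == 0 {
			q.drain(drainPer)
		}
	}
	return accepted, q.closed
}

func main() {
	// Constructed scenarios, not measurements from the advisory.
	n, closed := simulate(maxQueuedControlFrames, 1000, 10, 10)
	fmt.Printf("well-behaved peer: queued %d replies, connection closed: %v\n", n, closed)
	n, closed = simulate(maxQueuedControlFrames, 1000, 10, 0)
	fmt.Printf("peer that never reads: queued %d replies, connection closed: %v\n", n, closed)
}
```

The point of counting queued rather than sent frames is that the limit only bites when the peer stops draining its side of the connection; a client that reads its replies keeps the backlog near zero and is never affected, while memory use per connection stays bounded by the cap regardless of how many frames the peer asks for.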
net/url: parsing validation issue
url.Parse would accept URLs with malformed hosts, such that the Host field could have arbitrary suffixes that would appear in neither Hostname() nor Port(), allowing authorization bypasses in certain applications. Note that URLs with invalid, non-numeric ports will now return an error from url.Parse.
The issue is CVE-2019-14809 and Go issue golang.org/issue/29098.
Thanks to Julian Hector and Nikolai Krein from Cure53, and Adi Cohen (adico.me) for discovering and reporting this issue.
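The bypass class above arises when an application authorizes on `Hostname()` while some other component acts on the raw `Host`. The following is an added example, not code from the Go project, of an allowlist check that closes that gap defensively: it rejects any parse error (which, on a fixed Go, covers non-numeric ports), then insists that `Host` is exactly what `Hostname()` and `Port()` together account for before consulting the allowlist. The allowlist contents, the `checkHost` and `joinHostPort` helpers and the sample URLs are assumptions constructed for this illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ErrHostNotAllowed is returned when the hostname is not on the allowlist.
var ErrHostNotAllowed = errors.New("host not on allowlist")

// allowedHosts is a constructed allowlist for this example; a real
// application would load its own.
var allowedHosts = map[string]bool{
	"api.example.com": true,
	"::1":             true,
}

// checkHost parses raw and returns the URL only if:
//  1. url.Parse accepts it (fixed Go rejects non-numeric ports here);
//  2. Host contains nothing beyond what Hostname() and Port() report, so
//     no trailing bytes can be seen by one consumer and ignored by another;
//  3. the hostname is on the allowlist.
func checkHost(raw string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.Host != joinHostPort(u.Hostname(), u.Port()) {
		return nil, fmt.Errorf("host %q has bytes not reflected in Hostname()/Port()", u.Host)
	}
	if !allowedHosts[strings.ToLower(u.Hostname())] {
		return nil, ErrHostNotAllowed
	}
	return u, nil
}

// joinHostPort rebuilds the authority (without userinfo) from a hostname and
// an optional port, bracketing IPv6 literals the way url.URL.Host carries them.
func joinHostPort(hostname, port string) string {
	if strings.Contains(hostname, ":") {
		hostname = "[" + hostname + "]"
	}
	if port == "" {
		return hostname
	}
	return hostname + ":" + port
}

func main() {
	// Constructed inputs, not taken from the advisory.
	for _, raw := range []string{
		"https://api.example.com/v1",
		"https://api.example.com:8443/v1",
		"https://[::1]:8443/",
		"https://api.example.com:abc/v1", // non-numeric port: rejected by url.Parse
		"https://evil.example.net/",      // well-formed but not allowlisted
	} {
		if _, err := checkHost(raw); err != nil {
			fmt.Printf("reject %-34s %v\n", raw, err)
		} else {
			fmt.Printf("accept %s\n", raw)
		}
	}
}
```

The equality test in step 2 is deliberately strict: rather than trying to enumerate malformed host shapes, it only admits a `Host` whose every byte is explained by the two accessors the authorization code relies on, so a parser that silently tolerates extra host bytes fails closed instead of open.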