net/http: handle server errors after sending GOAWAY [1.18 backport] #53977
Assignees
Labels
CherryPickApproved
Used during the release process for point releases
FrozenDueToAge
release-blocker
Security
Milestone
Comments
dmitshur
added
the
CherryPickCandidate
dmitshur
changed the title
|
Since this is in Go1.18.6 milestone, added a "[1.18 backport]" suffix and a CherryPickCandidate label so this doesn't get missed during backport review, but I expect it to get approved as a security fix. |
|
@neild can we add a backport for 1.19 as well? |
joedian
added
the
CherryPickApproved
gopherbot
removed
the
CherryPickCandidate
|
Change https://go.dev/cl/428635 mentions this issue: |
gopherbot
pushed a commit
that referenced
this issue
Sep 6, 2022
Disable cmd/internal/moddeps test, since this update includes PRIVATE track fixes. Fixes CVE-2022-27664 Fixes #53977 For #54658. Change-Id: I84b0b8f61e49e15ef55ef8d738730107a3cf849b Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1554415 Reviewed-by: Roland Shoemaker <[email protected]> Reviewed-by: Tatiana Bradley <[email protected]> Reviewed-on: https://go-review.googlesource.com/c/go/+/428635 Reviewed-by: Tatiana Bradley <[email protected]> Run-TryBot: Michael Knyszek <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Carlos Amedee <[email protected]>
|
Closed by merging 5bc9106 to release-branch.go1.18. |
mknyszek
changed the title
|
Change https://go.dev/cl/428735 mentions this issue: |
gopherbot
pushed a commit
to golang/net
that referenced
this issue
Sep 6, 2022
The HTTP/2 server uses serverConn.goAwayCode to track whether a connection has encountered a fatal error. If an error is encountered after sending a ErrCodeNo GOAWAY, upgrade goAwayCode to reflect the error status of the connection. Fixes an issue where a server connection could hang forever waiting for a clean shutdown that was preempted by a subsequent fatal error. Fixes CVE-2022-27664 For golang/go#53977 Change-Id: I165b81ab53176c77a68c42976030499d57bb05d3 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1413887 Reviewed-by: Damien Neil <[email protected]> Reviewed-by: Roland Shoemaker <[email protected]> Reviewed-on: https://go-review.googlesource.com/c/net/+/428735 Run-TryBot: Damien Neil <[email protected]> Reviewed-by: Carlos Amedee <[email protected]> TryBot-Result: Gopher Robot <[email protected]>
|
Change https://go.dev/cl/428736 mentions this issue: |
|
Change https://go.dev/cl/428737 mentions this issue: |
gopherbot
pushed a commit
to golang/net
that referenced
this issue
Sep 7, 2022
…ding GOAWAY The HTTP/2 server uses serverConn.goAwayCode to track whether a connection has encountered a fatal error. If an error is encountered after sending a ErrCodeNo GOAWAY, upgrade goAwayCode to reflect the error status of the connection. Fixes an issue where a server connection could hang forever waiting for a clean shutdown that was preempted by a subsequent fatal error. Fixes CVE-2022-27664 For golang/go#54658 For golang/go#53977 Change-Id: I165b81ab53176c77a68c42976030499d57bb05d3 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1413887 Reviewed-by: Damien Neil <[email protected]> Reviewed-by: Roland Shoemaker <[email protected]> Reviewed-on: https://go-review.googlesource.com/c/net/+/428735 Run-TryBot: Damien Neil <[email protected]> Reviewed-by: Carlos Amedee <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Reviewed-on: https://go-review.googlesource.com/c/net/+/428736 Reviewed-by: Dmitri Shuralyov <[email protected]> Reviewed-by: Dmitri Shuralyov <[email protected]>
|
Change https://go.dev/cl/429316 mentions this issue: |
gopherbot
pushed a commit
that referenced
this issue
Sep 9, 2022
…907013725-0a43f88f7ef0 Restore vendoring after go1.18.6 security release. For #53977 Change-Id: Ifff04582aa3d5fce40606265db42af3415c3c0b4 Reviewed-on: https://go-review.googlesource.com/c/go/+/429316 Reviewed-by: Carlos Amedee <[email protected]> Run-TryBot: Damien Neil <[email protected]> TryBot-Result: Gopher Robot <[email protected]>
danbudris
pushed a commit
to danbudris/go
that referenced
this issue
Sep 9, 2022
Disable cmd/internal/moddeps test, since this update includes PRIVATE track fixes. Fixes CVE-2022-27664 Fixes golang#53977 For golang#54658. Change-Id: I84b0b8f61e49e15ef55ef8d738730107a3cf849b Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1554415 Reviewed-by: Roland Shoemaker <[email protected]> Reviewed-by: Tatiana Bradley <[email protected]> Reviewed-on: https://go-review.googlesource.com/c/go/+/428635 Reviewed-by: Tatiana Bradley <[email protected]> Run-TryBot: Michael Knyszek <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Carlos Amedee <[email protected]> comment out test skip from cherry pick of 5bc9106
danbudris
pushed a commit
to danbudris/go
that referenced
this issue
Sep 9, 2022
Disable cmd/internal/moddeps test, since this update includes PRIVATE track fixes. Fixes CVE-2022-27664 Fixes golang#53977 For golang#54658. Change-Id: I84b0b8f61e49e15ef55ef8d738730107a3cf849b Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1554415 Reviewed-by: Roland Shoemaker <[email protected]> Reviewed-by: Tatiana Bradley <[email protected]> Reviewed-on: https://go-review.googlesource.com/c/go/+/428635 Reviewed-by: Tatiana Bradley <[email protected]> Run-TryBot: Michael Knyszek <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Carlos Amedee <[email protected]> comment out test skip from cherry pick of 5bc9106
danbudris
pushed a commit
to danbudris/go
that referenced
this issue
Sep 12, 2022
Disable cmd/internal/moddeps test, since this update includes PRIVATE track fixes. Fixes CVE-2022-27664 Fixes golang#53977 For golang#54658. Change-Id: I84b0b8f61e49e15ef55ef8d738730107a3cf849b Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1554415 Reviewed-by: Roland Shoemaker <[email protected]> Reviewed-by: Tatiana Bradley <[email protected]> Reviewed-on: https://go-review.googlesource.com/c/go/+/428635 Reviewed-by: Tatiana Bradley <[email protected]> Run-TryBot: Michael Knyszek <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Carlos Amedee <[email protected]> comment out test skip from cherry pick of 5bc9106
danbudris
pushed a commit
to danbudris/go
that referenced
this issue
Sep 14, 2022
Fixes CVE-2022-27664 Fixes golang#53977 For golang#54658. Change-Id: I84b0b8f61e49e15ef55ef8d738730107a3cf849b Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1554415 Reviewed-by: Roland Shoemaker <[email protected]> Reviewed-by: Tatiana Bradley <[email protected]> Reviewed-on: https://go-review.googlesource.com/c/go/+/428635 Reviewed-by: Tatiana Bradley <[email protected]> Run-TryBot: Michael Knyszek <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Carlos Amedee <[email protected]>
rcrozean
pushed a commit
to rcrozean/go
that referenced
this issue
Oct 5, 2022
# AWS EKS Backported To: go-1.15.15-eks Backported On: Thu, 22 Sept 2022 Backported By: [email protected] Backported From: release-branch.go1.18 EKS Patch Source Commit: danbudris@6b7d79a Upstream Source Commit: golang@5bc9106 # Original Information Fixes CVE-2022-27664 Fixes golang#53977 For golang#54658. Change-Id: I84b0b8f61e49e15ef55ef8d738730107a3cf849b Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1554415 Reviewed-by: Roland Shoemaker <[email protected]> Reviewed-by: Tatiana Bradley <[email protected]> Reviewed-on: https://go-review.googlesource.com/c/go/+/428635 Reviewed-by: Tatiana Bradley <[email protected]> Run-TryBot: Michael Knyszek <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Carlos Amedee <[email protected]>
rcrozean
pushed a commit
to rcrozean/go
that referenced
this issue
Oct 12, 2022
# AWS EKS Backported To: go-1.15.15-eks Backported On: Thu, 22 Sept 2022 Backported By: [email protected] Backported From: release-branch.go1.18 EKS Patch Source Commit: danbudris@6b7d79a Upstream Source Commit: golang@5bc9106 # Original Information Fixes CVE-2022-27664 Fixes golang#53977 For golang#54658. Change-Id: I84b0b8f61e49e15ef55ef8d738730107a3cf849b Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1554415 Reviewed-by: Roland Shoemaker <[email protected]> Reviewed-by: Tatiana Bradley <[email protected]> Reviewed-on: https://go-review.googlesource.com/c/go/+/428635 Reviewed-by: Tatiana Bradley <[email protected]> Run-TryBot: Michael Knyszek <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Carlos Amedee <[email protected]>
rcrozean
pushed a commit
to rcrozean/go
that referenced
this issue
Oct 12, 2022
# AWS EKS Backported To: go-1.16.15-eks Backported On: Tue, 04 Oct 2022 Backported By: [email protected] Backported From: release-branch.go1.18 EKS Patch Source Commit: danbudris@f17d272 Upstream Source Commit: golang@5bc9106 # Original Information Disable cmd/internal/moddeps test, since this update includes PRIVATE track fixes. Fixes CVE-2022-27664 Fixes golang#53977 For golang#54658. Change-Id: I84b0b8f61e49e15ef55ef8d738730107a3cf849b Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1554415 Reviewed-by: Roland Shoemaker <[email protected]> Reviewed-by: Tatiana Bradley <[email protected]> Reviewed-on: https://go-review.googlesource.com/c/go/+/428635 Reviewed-by: Tatiana Bradley <[email protected]> Run-TryBot: Michael Knyszek <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Carlos Amedee <[email protected]> comment out test skip from cherry pick of 5bc9106
WeiminShang
added a commit
to WeiminShang/net
that referenced
this issue
Nov 16, 2022
The HTTP/2 server uses serverConn.goAwayCode to track whether a connection has encountered a fatal error. If an error is encountered after sending a ErrCodeNo GOAWAY, upgrade goAwayCode to reflect the error status of the connection. Fixes an issue where a server connection could hang forever waiting for a clean shutdown that was preempted by a subsequent fatal error. Fixes CVE-2022-27664 For golang/go#53977 Change-Id: I165b81ab53176c77a68c42976030499d57bb05d3 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1413887 Reviewed-by: Damien Neil <[email protected]> Reviewed-by: Roland Shoemaker <[email protected]> Reviewed-on: https://go-review.googlesource.com/c/net/+/428735 Run-TryBot: Damien Neil <[email protected]> Reviewed-by: Carlos Amedee <[email protected]> TryBot-Result: Gopher Robot <[email protected]>
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
A closing HTTP/2 server connection could hang forever waiting for a clean shutdown that was preempted by a subsequent fatal error. This failure mode could be exploited to cause a denial of service.
Thanks to Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and Kaan Onarlioglu for reporting this.
This was a PRIVATE issue for CVE-2022-27664 tracked in http://b/219507101 and fixed by http://tg/1413887.
The text was updated successfully, but these errors were encountered: