Bug 1206135 (CVE-2022-41717) - VUL-0: CVE-2022-41717: go1.18,go1.19: net/http: limit canonical header cache by bytes, not entries
Summary: VUL-0: CVE-2022-41717: go1.18,go1.19: net/http: limit canonical header cache ...
Status: RESOLVED FIXED
Alias: CVE-2022-41717
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/349978/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-12-07 07:47 UTC by Jeff Kowalczyk
Modified: 2024-05-03 09:18 UTC (History)
2 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Jeff Kowalczyk 2022-12-07 07:47:05 UTC 
An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests.

HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.

This issue is also fixed in golang.org/x/net/http2 vX.Y.Z, for users manually configuring HTTP/2.

Thanks to Josselin Costanzi for reporting this issue.

This is CVE-2022-41717 and Go issue https://go.dev/issue/56350.
Comment 1 OBSbugzilla Bot 2022-12-07 21:45:07 UTC 
This is an autogenerated message for OBS integration:
This bug (1206135) was mentioned in
https://build.opensuse.org/request/show/1041234 Factory / go1.18
https://build.opensuse.org/request/show/1041235 Factory / go1.19
Comment 3 Swamp Workflow Management 2022-12-09 20:21:18 UTC 
SUSE-SU-2022:4397-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1200441,1206134,1206135
CVE References: CVE-2022-41717,CVE-2022-41720
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    go1.19-1.19.4-150000.1.18.1
openSUSE Leap 15.3 (src):    go1.19-1.19.4-150000.1.18.1
SUSE Linux Enterprise Module for Development Tools 15-SP4 (src):    go1.19-1.19.4-150000.1.18.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    go1.19-1.19.4-150000.1.18.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 4 Swamp Workflow Management 2022-12-09 20:22:13 UTC 
SUSE-SU-2022:4398-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1193742,1206134,1206135
CVE References: CVE-2022-41717,CVE-2022-41720
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    go1.18-1.18.9-150000.1.40.1
openSUSE Leap 15.3 (src):    go1.18-1.18.9-150000.1.40.1
SUSE Linux Enterprise Module for Development Tools 15-SP4 (src):    go1.18-1.18.9-150000.1.40.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    go1.18-1.18.9-150000.1.40.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 6 Maintenance Automation 2023-05-30 08:30:07 UTC 
SUSE-SU-2023:2312-1: An update that solves 28 vulnerabilities, contains one feature and has three fixes can now be installed.

Category: security (important)
Bug References: 1183043, 1193742, 1198423, 1198424, 1198427, 1199413, 1200134, 1200135, 1200136, 1200137, 1201434, 1201436, 1201437, 1201440, 1201443, 1201444, 1201445, 1201447, 1201448, 1202035, 1203185, 1204023, 1204024, 1204025, 1204941, 1206134, 1206135, 1208270, 1208271, 1208272, 1208491
CVE References: CVE-2022-1705, CVE-2022-1962, CVE-2022-24675, CVE-2022-27536, CVE-2022-27664, CVE-2022-28131, CVE-2022-28327, CVE-2022-2879, CVE-2022-2880, CVE-2022-29526, CVE-2022-29804, CVE-2022-30580, CVE-2022-30629, CVE-2022-30630, CVE-2022-30631, CVE-2022-30632, CVE-2022-30633, CVE-2022-30634, CVE-2022-30635, CVE-2022-32148, CVE-2022-32189, CVE-2022-41715, CVE-2022-41716, CVE-2022-41717, CVE-2022-41720, CVE-2022-41723, CVE-2022-41724, CVE-2022-41725
Jira References: PED-1962
Sources used:
openSUSE Leap 15.4 (src): go1.18-openssl-1.18.10.1-150000.1.9.1
openSUSE Leap 15.5 (src): go1.18-openssl-1.18.10.1-150000.1.9.1
Development Tools Module 15-SP4 (src): go1.18-openssl-1.18.10.1-150000.1.9.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): go1.18-openssl-1.18.10.1-150000.1.9.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): go1.18-openssl-1.18.10.1-150000.1.9.1
SUSE Linux Enterprise Real Time 15 SP3 (src): go1.18-openssl-1.18.10.1-150000.1.9.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): go1.18-openssl-1.18.10.1-150000.1.9.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): go1.18-openssl-1.18.10.1-150000.1.9.1
SUSE Enterprise Storage 7.1 (src): go1.18-openssl-1.18.10.1-150000.1.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Robert Frohl 2024-05-03 09:18:44 UTC 
done, closing