Hi Marta,

I will take care of updating golang to 1.22.2, which includes a fix for CVE-2023-45288: https://github.com/golang/go/commit/e55d7cf8435ba4e58d4a5694e63b391821d4ee9b
Jose

Marta Rybczynska <[email protected]> wrote (Wednesday, 3/04/2024 at 21:46):
> Details: https://kb.cert.org/vuls/id/421644
>
> Affected (amongst others): nodejs, oghttp, nghttp2, Apache httpd, go
>
> Multiple CVEs have been issued.
>
> Quoting from the description:
>
> HTTP allows messages to include named fields in both header and
> trailer sections. These header and trailer fields are serialised as
> field blocks in HTTP/2, so that they can be transmitted in multiple
> fragments to the target implementation. Many HTTP/2 implementations do
> not properly limit or sanitize the amount of CONTINUATION frames sent
> within a single stream. An attacker that can send packets to a target
> server can send a stream of CONTINUATION frames that will not be
> appended to the header list in memory but will still be processed and
> decoded by the server or will be appended to the header list, causing
> an out of memory (OOM) crash.
>
> Marta

--
Best regards,
José Quaresma
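The limit that the quoted advisory says many implementations lack, as an added example (not part of the thread and not the Go project's own fix): a standard-library-only check that caps both the bytes and the number of CONTINUATION frames in one header block. The names `Frame`, `CheckHeaderBlocks` and `ErrHeaderFlood` and the limit values are assumptions, and HEADERS padding or priority bytes are simply counted as fragment bytes.

```go
package main

import "fmt"

const typeHeaders, typeContinuation, flagEndHeaders = 0x1, 0x9, 0x4 // RFC 9113 values

var ErrHeaderFlood = fmt.Errorf("header block over limit")

// Frame encodes one HTTP/2 frame: 24-bit length, type, flags, 31-bit stream id.
func Frame(typ, flags byte, stream uint32, payload []byte) []byte {
	n := len(payload)
	h := []byte{byte(n >> 16), byte(n >> 8), byte(n), typ, flags,
		byte(stream>>24) & 0x7f, byte(stream >> 16), byte(stream >> 8), byte(stream)}
	return append(h, payload...)
}

// CheckHeaderBlocks walks raw frames and fails once one header block (HEADERS
// plus its CONTINUATION frames) exceeds maxBytes or maxFrames. Bytes count as
// received, stored or not; empty CONTINUATION frames still count as frames.
func CheckHeaderBlocks(buf []byte, maxBytes, maxFrames int) error {
	open, size, frames := false, 0, 0
	for len(buf) >= 9 {
		n := int(buf[0])<<16 | int(buf[1])<<8 | int(buf[2])
		typ, flags := buf[3], buf[4]
		if len(buf) < 9+n {
			return fmt.Errorf("truncated frame")
		}
		switch {
		case typ == typeHeaders && !open:
			open, size, frames = true, n, 0
		case typ == typeContinuation && open:
			size, frames = size+n, frames+1
		case open || typ == typeContinuation:
			return fmt.Errorf("protocol error: unexpected frame around header block")
		}
		if open && (size > maxBytes || frames > maxFrames) {
			return fmt.Errorf("%w: %d bytes, %d CONTINUATION frames", ErrHeaderFlood, size, frames)
		}
		if open && flags&flagEndHeaders != 0 {
			open = false // header block complete
		}
		buf = buf[9+n:]
	}
	return nil
}

func main() { // constructed sample input: one small, complete header block
	fmt.Println(CheckHeaderBlocks(Frame(typeHeaders, flagEndHeaders, 1, []byte("abc")), 16384, 8))
}
```

The frame-count cap matters as much as the byte cap: a run of zero-length CONTINUATION frames never grows `size` but still costs processing per frame.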
