XiaoYou201 opened a new pull request, #10163:
URL: https://github.com/apache/inlong/pull/10163

   ### Prepare a Pull Request
   
   - [INLONG-10162][DataProxy] Upgrade golang.org/x/net to version 0.23.0
   
   - Fixes #10162 
   
   ### Motivation
   
   An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header 
data by sending an excessive number of CONTINUATION frames. Maintaining HPACK 
state requires parsing and processing all HEADERS and CONTINUATION frames on a 
connection. When a request's headers exceed MaxHeaderBytes, no memory is 
allocated to store the excess headers, but they are still parsed. This permits 
an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header 
data, all associated with a request which is going to be rejected. These 
headers can include Huffman-encoded data which is significantly more expensive 
for the receiver to decode than for an attacker to send. The fix sets a limit 
on the amount of excess header frames we will process before closing a 
connection.
   
    CVE-2023-45288
   
   ### Modifications
   
   golang.org/x/net is bumped to v0.23.0 to address CVE-2023-45288
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscr...@inlong.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

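The advisory text quoted in the PR describes a frame-level flaw, so it is worth seeing the mechanics outside of golang.org/x/net. The program below is an added illustration written for this page; it is not code from the PR, from Apache InLong, or from the x/net fix. It models an HTTP/2 server-side header-block reader with only the Go standard library: a HEADERS frame followed by CONTINUATION frames is consumed, fragments beyond a MaxHeaderBytes-style limit are not stored but are still walked, and a second cap on that unstored excess decides whether the connection is torn down. The type and function names (headerBlockReader, maxExcessBytes, buildContinuationFlood), the choice of cap value (equal to the header limit), and the flood parameters are assumptions made for the example; the real x/net change picks its own threshold and does full HPACK decoding, which this model replaces with opaque filler payloads.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// HTTP/2 frame types and flags used here (RFC 9113, sections 6.2 and 6.10).
const frameHeaders, frameContinuation, flagEndHeaders byte = 0x1, 0x9, 0x4

// encodeFrame builds one HTTP/2 frame: 24-bit length, type, flags, 31-bit
// stream identifier (reserved bit cleared), then the payload.
func encodeFrame(typ, flags byte, streamID uint32, payload []byte) []byte {
	buf := make([]byte, 9, 9+len(payload))
	buf[0], buf[1], buf[2] = byte(len(payload)>>16), byte(len(payload)>>8), byte(len(payload))
	buf[3], buf[4] = typ, flags
	binary.BigEndian.PutUint32(buf[5:9], streamID&0x7fffffff)
	return append(buf, payload...)
}

// readFrame decodes the frame at the front of b and returns the unread remainder.
func readFrame(b []byte) (typ, flags byte, payload, rest []byte, err error) {
	if len(b) < 9 {
		return 0, 0, nil, nil, errors.New("short frame header")
	}
	n := int(b[0])<<16 | int(b[1])<<8 | int(b[2])
	if len(b) < 9+n {
		return 0, 0, nil, nil, errors.New("truncated frame payload")
	}
	return b[3], b[4], b[9 : 9+n], b[9+n:], nil
}

// headerBlockReader consumes a HEADERS frame and the CONTINUATION frames that
// follow it. maxHeaderBytes plays the role of http.Server.MaxHeaderBytes:
// fragments past it are not stored. maxExcessBytes is the assumed extra cap:
// once that much unstored header data has been parsed the connection is
// closed; 0 turns the cap off (the pre-fix behaviour: keep parsing for as long
// as the peer keeps sending).
type headerBlockReader struct {
	maxHeaderBytes, maxExcessBytes int
}

type readResult struct {
	frames, parsed, stored int  // frames consumed, header bytes parsed, header bytes kept
	rejected, connClosed   bool // request over the limit; connection torn down by the cap
}

func (r headerBlockReader) readHeaderBlock(wire []byte) (readResult, error) {
	var res readResult
	block, excess := []byte(nil), 0
	for {
		typ, flags, payload, rest, err := readFrame(wire)
		if err != nil {
			return res, err
		}
		wire, res.frames = rest, res.frames+1
		if typ != frameHeaders && typ != frameContinuation || (typ == frameHeaders) != (res.frames == 1) {
			return res, fmt.Errorf("unexpected frame type 0x%x at frame %d", typ, res.frames)
		}
		res.parsed += len(payload)
		if len(block)+len(payload) <= r.maxHeaderBytes {
			block = append(block, payload...)
		} else {
			// Past the limit: the request will be rejected and nothing more is
			// stored, but the fragment still has to be walked (in a real decoder
			// this is where Huffman-coded literals and HPACK table updates cost CPU).
			res.rejected = true
			excess += len(payload)
			if r.maxExcessBytes > 0 && excess > r.maxExcessBytes {
				res.connClosed, res.stored = true, len(block)
				return res, errors.New("connection error: too much header data past the limit")
			}
		}
		if flags&flagEndHeaders != 0 {
			res.stored = len(block)
			return res, nil
		}
	}
}

// buildContinuationFlood is the attacker's side (constructed input): one HEADERS
// frame with a small fragment, then n CONTINUATION frames of fragLen bytes each
// on stream 1, only the last carrying END_HEADERS. Payloads are zero filler,
// not real HPACK.
func buildContinuationFlood(n, fragLen int) []byte {
	wire := encodeFrame(frameHeaders, 0, 1, []byte("hpack-fragment"))
	filler := make([]byte, fragLen)
	for i := 0; i < n; i++ {
		var flags byte
		if i == n-1 {
			flags = flagEndHeaders
		}
		wire = append(wire, encodeFrame(frameContinuation, flags, 1, filler)...)
	}
	return wire
}

func main() {
	flood := buildContinuationFlood(200, 16384) // 200 frames of 16 KiB, the default SETTINGS_MAX_FRAME_SIZE
	readers := []headerBlockReader{{1 << 20, 0}, {1 << 20, 1 << 20}}
	for _, r := range readers {
		res, err := r.readHeaderBlock(flood)
		fmt.Printf("excess cap %d: %+v err=%v\n", r.maxExcessBytes, res, err)
	}
}
```

With the cap disabled the reader walks all 201 frames (about 3.1 MiB of header data) for a request it already knows it will reject; with the cap set to the header limit it gives up after 129 frames and closes the connection, which is the shape of the fix the PR description summarises. Only the amount parsed changes; the amount stored is identical in both runs, which is why this class of bug shows up as CPU exhaustion rather than memory growth.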