| author | Vijay Anusuri <vanusuri@mvista.com> | 2023-12-27 07:14:26 +0530 |
|---|---|---|
| committer | Steve Sakoman <steve@sakoman.com> | 2023-12-29 06:02:24 -1000 |
| commit | 5b55648f3142762c9563289c1b19aa3b7de27164 | |
| tree | 84c021500f9fd228750b6255585af0d82e55b153 /meta/recipes-devtools/go/go-1.14.inc | |
| parent | 94e9019d2f170a26206c2774381a1d183313ecaa | |
go: Fix CVE-2023-39326
A malicious HTTP sender can use chunk extensions to cause a receiver
reading from a request or response body to read many more bytes from
the network than are in the body. A malicious HTTP client can further
exploit this to cause a server to automatically read a large amount
of data (up to about 1GiB) when a handler fails to read the entire
body of a request. Chunk extensions are a little-used HTTP feature
which permit including additional metadata in a request or response
body sent using the chunked encoding. The net/http chunked encoding
reader discards this metadata. A sender can exploit this by inserting
a large metadata segment with each byte transferred. The chunk reader
now produces an error if the ratio of real body to encoded bytes grows
too small.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-39326
https://security-tracker.debian.org/tracker/CVE-2023-39326
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
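The overhead check the commit message describes, as an added illustration and not code from this commit or from Go's own net/http reader: `decodeChunked`, its limits (a 64-byte grace allowance, then at most 4 wire bytes per body byte) and the sample streams are all assumptions constructed here.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"io"
	"strconv"
	"strings"
)

// ErrChunkOverhead: the stream carried far more bytes than the body it delivered.
var ErrChunkOverhead = errors.New("chunked: excessive chunk extension overhead")

// decodeChunked is a hypothetical, simplified chunked-body decoder (not Go's net/http
// reader): it discards chunk extensions like the real one, but aborts once wire bytes
// consumed exceed a grace allowance and a multiple of body bytes (assumed limits).
func decodeChunked(r io.Reader) ([]byte, error) {
	const maxRatio, grace = 4, 64
	br := bufio.NewReader(r)
	var body []byte
	wire := 0 // bytes consumed from the network so far
	for {
		line, err := br.ReadString('\n')
		if err != nil {
			return nil, err
		}
		wire += len(line)
		sizeField := strings.TrimRight(line, "\r\n")
		if i := strings.IndexByte(sizeField, ';'); i >= 0 {
			sizeField = sizeField[:i] // extension dropped; only the size matters
		}
		size, err := strconv.ParseUint(sizeField, 16, 32)
		if err != nil {
			return nil, fmt.Errorf("chunked: bad size line %q", line)
		}
		if size == 0 {
			return body, nil // last-chunk; trailers are ignored here
		}
		chunk := make([]byte, size+2) // data followed by CRLF
		if _, err := io.ReadFull(br, chunk); err != nil {
			return nil, err
		}
		wire += len(chunk)
		body = append(body, chunk[:size]...)
		if overhead := wire - len(body); overhead > grace && overhead > maxRatio*len(body) {
			return nil, ErrChunkOverhead
		}
	}
}
```

A stream of one-byte chunks each dragging a 100-byte extension trips the check on the first chunk, while bodies with ordinary or no extensions decode unchanged.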
Diffstat (limited to 'meta/recipes-devtools/go/go-1.14.inc')
-rw-r--r-- meta/recipes-devtools/go/go-1.14.inc | 1
1 files changed, 1 insertions, 0 deletions
diff --git a/meta/recipes-devtools/go/go-1.14.inc b/meta/recipes-devtools/go/go-1.14.inc index 091b778de8..b827a3606d 100644 --- a/meta/recipes-devtools/go/go-1.14.inc +++ b/meta/recipes-devtools/go/go-1.14.inc @@ -82,6 +82,7 @@ SRC_URI += "\ file://CVE-2023-24536_3.patch \ file://CVE-2023-39318.patch \ file://CVE-2023-39319.patch \ + file://CVE-2023-39326.patch \ " SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch" |
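Review bot: the hunk only registers `file://CVE-2023-39326.patch \` in SRC_URI, and because the diffstat is limited to go-1.14.inc the patch file itself is not reviewable here. Confirm the same commit adds the companion CVE-2023-39326.patch in the recipe's files directory (otherwise do_fetch fails on the missing file) and that its header carries the usual `CVE: CVE-2023-39326` and `Upstream-Status: Backport` lines with the upstream commit URL, so cve-check and later rebases can trace it; a note in the commit message naming the upstream change it was backported from would also help, since the message describes the behaviour ("produces an error if the ratio of real body to encoded bytes grows too small") without saying where the backport came from.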