An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request’s headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.
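To make the fix concrete, here is an added Go model of how a receiver budgets the fragments of one header block before and after the fix; it is an illustration written for this page, not code from net/http or golang.org/x/net. The fragment sizes, the 4096-byte budget and the "twice the remaining budget" cutoff are assumptions of the model.

```go
package main

import "fmt"
type Outcome int
const (
	Accepted  Outcome = iota // header block fits within the budget
	Truncated                // budget exceeded; the request is rejected
	CloseConn                // too much excess data; the connection is closed
)
// processHeaderBlock models (as an illustration, not the net/http code) how a
// receiver handles one header block. fragments holds the byte sizes of the
// HEADERS fragment and each CONTINUATION fragment; maxHeaderBytes is the
// receiver's header-list budget. Before the fix every fragment was decoded even
// after the budget was exhausted; after the fix a fragment larger than twice the
// remaining budget (any CONTINUATION once the budget is zero) closes the connection.
func processHeaderBlock(fragments []int, maxHeaderBytes int) (Outcome, int) {
	remain, parsed, truncated := maxHeaderBytes, 0, false
	for _, frag := range fragments {
		if frag > 2*remain {
			return CloseConn, parsed // only `parsed` bytes were decoded, then GOAWAY
		}
		parsed += frag // this fragment still has to be HPACK-decoded
		if frag > remain {
			truncated, remain = true, 0
		} else {
			remain -= frag
		}
	}
	if truncated {
		return Truncated, parsed
	}
	return Accepted, parsed
}

func main() {
	// Constructed fragment sequences against a 4096-byte budget.
	for _, c := range []struct {
		name  string
		frags []int
	}{
		{"normal request", []int{1200, 800}},
		{"slightly oversized", []int{3000, 2000}},
		{"continuation flood", []int{3000, 2000, 1000, 1000}},
	} {
		o, n := processHeaderBlock(c.frags, 4096)
		fmt.Printf("%-20s outcome=%d decodedBytes=%d\n", c.name, o, n)
	}
}
```

The decodedBytes value is what the receiver still had to parse: without the cutoff, the flood case would grow without bound for a request that is rejected anyway.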
OS | OS Version | Architecture | Package | Affected Package Version | Filename |
---|---|---|---|---|---|
Debian | 10 | all | golang-1.11 | <= 1.11.6-1+deb10u4 | golang-1.11_1.11.6-1+deb10u4_all.deb |
Debian | 11 | all | golang-1.15 | <= 1.15.15-1~deb11u4 | golang-1.15_1.15.15-1~deb11u4_all.deb |
Debian | 12 | all | golang-1.19 | <= 1.19.8-2 | golang-1.19_1.19.8-2_all.deb |
Debian | 999 | all | golang-1.21 | < 1.21.9-1 | golang-1.21_1.21.9-1_all.deb |
Debian | 13 | all | golang-1.21 | < 1.21.9-1 | golang-1.21_1.21.9-1_all.deb |
Debian | 999 | all | golang-1.22 | < 1.22.2-1 | golang-1.22_1.22.2-1_all.deb |
Debian | 13 | all | golang-1.22 | < 1.22.2-1 | golang-1.22_1.22.2-1_all.deb |
Debian | 12 | all | golang-golang-x-net | <= 1:0.7.0+dfsg-1 | golang-golang-x-net_1:0.7.0+dfsg-1_all.deb |
Debian | 11 | all | golang-golang-x-net | <= 1:0.0+git20210119.5f4716e+dfsg-4 | golang-golang-x-net_1:0.0+git20210119.5f4716e+dfsg-4_all.deb |
Debian | 999 | all | golang-golang-x-net | < 1:0.23.0+dfsg-1 | golang-golang-x-net_1:0.23.0+dfsg-1_all.deb |