1
0
mirror of https://github.com/golang/go synced 2024-11-18 22:44:48 -07:00
go/src/vendor
Filippo Valsorda 145e193131 net/http: update bundled golang.org/x/net/http2 to import security fix
Update golang.org/x/net to v0.0.0-20190813141303-74dc4d7220e7 to import
the following security fix.

    commit 74dc4d7220e7acc4e100824340f3e66577424772
    Author: Filippo Valsorda <filippo@golang.org>
    Date:   Sun Aug 11 02:12:18 2019 -0400

    http2: limit number of control frames in server send queue

    An attacker could cause servers to queue an unlimited number of PING
    ACKs or RST_STREAM frames by soliciting them and not reading them, until
    the program runs out of memory.

    Limit control frames in the queue to a few thousands (matching the limit
    imposed by other vendors) by counting as they enter and exit the scheduler,
    so the protection will work with any WriteScheduler.

    Once the limit is exceeded, close the connection, as we have no way to
    communicate with the peer.

    Change-Id: I842968fc6ed3eac654b497ade8cea86f7267886b
    Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/525552
    Reviewed-by: Brad Fitzpatrick <bradfitz@google.com>

This change was generated with cmd/go and cmd/bundle:

$ go get -u golang.org/x/net
$ go mod tidy
$ go mod vendor
$ go generate net/http

Fixes CVE-2019-9512 and CVE-2019-9514
Fixes #33606

Change-Id: I464baf96175006aa101d65d3b0f6494f28a626ab
Reviewed-on: https://go-review.googlesource.com/c/go/+/190137
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
2019-08-23 17:03:17 +00:00
..
golang.org/x net/http: update bundled golang.org/x/net/http2 to import security fix 2019-08-23 17:03:17 +00:00
modules.txt net/http: update bundled golang.org/x/net/http2 to import security fix 2019-08-23 17:03:17 +00:00