diff options
author | Vijay Anusuri <vanusuri@mvista.com> | 2023-12-27 07:14:26 +0530 |
---|---|---|
committer | Steve Sakoman <steve@sakoman.com> | 2024-01-05 03:25:38 -1000 |
commit | a2bf2f28c4f2ae2ab19a963d801029abb7de5dc9 (patch) | |
tree | 94aa1a6eabeafb80f75017a33ff5db19dddbad9c /meta/recipes-devtools/qemu/qemu.inc | |
parent | c0e5370a91c87145d0a8eb753241b04ee3b1928e (diff) | |
download | poky-a2bf2f28c4f2ae2ab19a963d801029abb7de5dc9.tar.gz |
go: Fix CVE-2023-39326
A malicious HTTP sender can use chunk extensions to cause a receiver
reading from a request or response body to read many more bytes from
the network than are in the body. A malicious HTTP client can further
exploit this to cause a server to automatically read a large amount
of data (up to about 1GiB) when a handler fails to read the entire
body of a request. Chunk extensions are a little-used HTTP feature
which permit including additional metadata in a request or response
body sent using the chunked encoding. The net/http chunked encoding
reader discards this metadata. A sender can exploit this by inserting
a large metadata segment with each byte transferred. The chunk reader
now produces an error if the ratio of real body to encoded bytes grows
too small.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-39326
https://security-tracker.debian.org/tracker/CVE-2023-39326
(From OE-Core rev: 5b55648f3142762c9563289c1b19aa3b7de27164)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta/recipes-devtools/qemu/qemu.inc')
0 files changed, 0 insertions, 0 deletions