1 files changed, 93 insertions, 0 deletions
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2021-44716.patch b/meta/recipes-devtools/go/go-1.14/CVE-2021-44716.patch
new file mode 100644
index 0000000000..9c4fee2db4
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2021-44716.patch
@@ -0,0 +1,93 @@
+From 9f1860075990e7bf908ca7cc329d1d3ef91741c8 Mon Sep 17 00:00:00 2001
+From: Filippo Valsorda <filippo@golang.org>
+Date: Thu, 9 Dec 2021 06:13:31 -0500
+Subject: [PATCH] net/http: update bundled golang.org/x/net/http2
+Upstream-Status: Backport [https://github.com/golang/go/commit/d0aebe3e74fe14799f97ddd3f01129697c6a290a]
+CVE: CVE-2021-44716
+Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
+Pull in security fix
+    a5309b3 http2: cap the size of the server's canonical header cache
+Updates #50058
+Fixes CVE-2021-44716
+Change-Id: Ifdd13f97fce168de5fb4b2e74ef2060d059800b9
+Reviewed-on: https://go-review.googlesource.com/c/go/+/370575
+Trust: Filippo Valsorda <filippo@golang.org>
+Run-TryBot: Filippo Valsorda <filippo@golang.org>
+Reviewed-by: Alex Rakoczy <alex@golang.org>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+(cherry picked from commit d0aebe3e74fe14799f97ddd3f01129697c6a290a)
+---
+ src/go.mod                |  2 +-
+ src/go.sum                |  4 ++--
+ src/net/http/h2_bundle.go | 10 +++++++++-
+ src/vendor/modules.txt    |  2 +-
+ 4 files changed, 13 insertions(+), 5 deletions(-)
+diff --git a/src/go.mod b/src/go.mod
+index ec6bd98..56f2fbb 100644
+--- a/src/go.mod
+++ b/src/go.mod
+@@ -4,7 +4,7 @@ go 1.14
+ 
+ require (
+        golang.org/x/crypto v0.0.0-20200128174031-69ecbb4d6d5d
+-       golang.org/x/net v0.0.0-20210129194117-4acb7895a057
+       golang.org/x/net v0.0.0-20211209100217-a5309b321dca
+        golang.org/x/sys v0.0.0-20200201011859-915c9c3d4ccf // indirect
+        golang.org/x/text v0.3.3-0.20191031172631-4b67af870c6f // indirect
+ )
+diff --git a/src/go.sum b/src/go.sum
+index 171e083..1ceba05 100644
+--- a/src/go.sum
+++ b/src/go.sum
+@@ -2,8 +2,8 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk
+ golang.org/x/crypto v0.0.0-20200128174031-69ecbb4d6d5d h1:9FCpayM9Egr1baVnV1SX0H87m+XB0B8S0hAMi99X/3U=
+ golang.org/x/crypto v0.0.0-20200128174031-69ecbb4d6d5d/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+ golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+-golang.org/x/net v0.0.0-20210129194117-4acb7895a057 h1:HThQeV5c0Ab/Puir+q6mC97b7+3dfZdsLWMLoBrzo68=
+-golang.org/x/net v0.0.0-20210129194117-4acb7895a057/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20211209100217-a5309b321dca h1:UmeWAm8AwB6NA/e4FSaGlK1EKTLXKX3utx4Si+6kfPg=
+golang.org/x/net v0.0.0-20211209100217-a5309b321dca/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+ golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+ golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+ golang.org/x/sys v0.0.0-20200201011859-915c9c3d4ccf h1:+4j7oujXP478CVb/AFvHJmVX5+Pczx2NGts5yirA0oY=
+diff --git a/src/net/http/h2_bundle.go b/src/net/http/h2_bundle.go
+index 702fd5a..83f2a72 100644
+--- a/src/net/http/h2_bundle.go
+++ b/src/net/http/h2_bundle.go
+@@ -4293,7 +4293,15 @@ func (sc *http2serverConn) canonicalHeader(v string) string {
+                sc.canonHeader = make(map[string]string)
+        }
+        cv = CanonicalHeaderKey(v)
+-       sc.canonHeader[v] = cv
+       // maxCachedCanonicalHeaders is an arbitrarily-chosen limit on the number of
+       // entries in the canonHeader cache. This should be larger than the number
+       // of unique, uncommon header keys likely to be sent by the peer, while not
+       // so high as to permit unreaasonable memory usage if the peer sends an unbounded
+       // number of unique header keys.
+       const maxCachedCanonicalHeaders = 32
+       if len(sc.canonHeader) < maxCachedCanonicalHeaders {
+               sc.canonHeader[v] = cv
+       }
+        return cv
+ }
+ 
+diff --git a/src/vendor/modules.txt b/src/vendor/modules.txt
+index 669bd9b..1d67183 100644
+--- a/src/vendor/modules.txt
+++ b/src/vendor/modules.txt
+@@ -8,7 +8,7 @@ golang.org/x/crypto/curve25519
+ golang.org/x/crypto/hkdf
+ golang.org/x/crypto/internal/subtle
+ golang.org/x/crypto/poly1305
+-# golang.org/x/net v0.0.0-20210129194117-4acb7895a057
+# golang.org/x/net v0.0.0-20211209100217-a5309b321dca
+ ## explicit
+ golang.org/x/net/dns/dnsmessage
+ golang.org/x/net/http/httpguts

diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2021-44716.patch b/meta/recipes-devtools/go/go-1.14/CVE-2021-44716.patch new file mode 100644 index 0000000000..9c4fee2db4 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.14/CVE-2021-44716.patch
@@ -0,0 +1,93 @@
	1	From 9f1860075990e7bf908ca7cc329d1d3ef91741c8 Mon Sep 17 00:00:00 2001
	2	From: Filippo Valsorda <filippo@golang.org>
	3	Date: Thu, 9 Dec 2021 06:13:31 -0500
	4	Subject: [PATCH] net/http: update bundled golang.org/x/net/http2
	5
	6	Upstream-Status: Backport [https://github.com/golang/go/commit/d0aebe3e74fe14799f97ddd3f01129697c6a290a]
	7	CVE: CVE-2021-44716
	8	Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
	9
	10
	11	Pull in security fix
	12
	13	a5309b3 http2: cap the size of the server's canonical header cache
	14
	15	Updates #50058
	16	Fixes CVE-2021-44716
	17
	18	Change-Id: Ifdd13f97fce168de5fb4b2e74ef2060d059800b9
	19	Reviewed-on: https://go-review.googlesource.com/c/go/+/370575
	20	Trust: Filippo Valsorda <filippo@golang.org>
	21	Run-TryBot: Filippo Valsorda <filippo@golang.org>
	22	Reviewed-by: Alex Rakoczy <alex@golang.org>
	23	TryBot-Result: Gopher Robot <gobot@golang.org>
	24	(cherry picked from commit d0aebe3e74fe14799f97ddd3f01129697c6a290a)
	25	---
	26	src/go.mod \| 2 +-
	27	src/go.sum \| 4 ++--
	28	src/net/http/h2_bundle.go \| 10 +++++++++-
	29	src/vendor/modules.txt \| 2 +-
	30	4 files changed, 13 insertions(+), 5 deletions(-)
	31
	32	diff --git a/src/go.mod b/src/go.mod
	33	index ec6bd98..56f2fbb 100644
	34	--- a/src/go.mod
	35	+++ b/src/go.mod
	36	@@ -4,7 +4,7 @@ go 1.14
	37
	38	require (
	39	golang.org/x/crypto v0.0.0-20200128174031-69ecbb4d6d5d
	40	- golang.org/x/net v0.0.0-20210129194117-4acb7895a057
	41	+ golang.org/x/net v0.0.0-20211209100217-a5309b321dca
	42	golang.org/x/sys v0.0.0-20200201011859-915c9c3d4ccf // indirect
	43	golang.org/x/text v0.3.3-0.20191031172631-4b67af870c6f // indirect
	44	)
	45	diff --git a/src/go.sum b/src/go.sum
	46	index 171e083..1ceba05 100644
	47	--- a/src/go.sum
	48	+++ b/src/go.sum
	49	@@ -2,8 +2,8 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk
	50	golang.org/x/crypto v0.0.0-20200128174031-69ecbb4d6d5d h1:9FCpayM9Egr1baVnV1SX0H87m+XB0B8S0hAMi99X/3U=
	51	golang.org/x/crypto v0.0.0-20200128174031-69ecbb4d6d5d/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
	52	golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
	53	-golang.org/x/net v0.0.0-20210129194117-4acb7895a057 h1:HThQeV5c0Ab/Puir+q6mC97b7+3dfZdsLWMLoBrzo68=
	54	-golang.org/x/net v0.0.0-20210129194117-4acb7895a057/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
	55	+golang.org/x/net v0.0.0-20211209100217-a5309b321dca h1:UmeWAm8AwB6NA/e4FSaGlK1EKTLXKX3utx4Si+6kfPg=
	56	+golang.org/x/net v0.0.0-20211209100217-a5309b321dca/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
	57	golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
	58	golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
	59	golang.org/x/sys v0.0.0-20200201011859-915c9c3d4ccf h1:+4j7oujXP478CVb/AFvHJmVX5+Pczx2NGts5yirA0oY=
	60	diff --git a/src/net/http/h2_bundle.go b/src/net/http/h2_bundle.go
	61	index 702fd5a..83f2a72 100644
	62	--- a/src/net/http/h2_bundle.go
	63	+++ b/src/net/http/h2_bundle.go
	64	@@ -4293,7 +4293,15 @@ func (sc *http2serverConn) canonicalHeader(v string) string {
	65	sc.canonHeader = make(map[string]string)
	66	}
	67	cv = CanonicalHeaderKey(v)
	68	- sc.canonHeader[v] = cv
	69	+ // maxCachedCanonicalHeaders is an arbitrarily-chosen limit on the number of
	70	+ // entries in the canonHeader cache. This should be larger than the number
	71	+ // of unique, uncommon header keys likely to be sent by the peer, while not
	72	+ // so high as to permit unreaasonable memory usage if the peer sends an unbounded
	73	+ // number of unique header keys.
	74	+ const maxCachedCanonicalHeaders = 32
	75	+ if len(sc.canonHeader) < maxCachedCanonicalHeaders {
	76	+ sc.canonHeader[v] = cv
	77	+ }
	78	return cv
	79	}
	80
	81	diff --git a/src/vendor/modules.txt b/src/vendor/modules.txt
	82	index 669bd9b..1d67183 100644
	83	--- a/src/vendor/modules.txt
	84	+++ b/src/vendor/modules.txt
	85	@@ -8,7 +8,7 @@ golang.org/x/crypto/curve25519
	86	golang.org/x/crypto/hkdf
	87	golang.org/x/crypto/internal/subtle
	88	golang.org/x/crypto/poly1305
	89	-# golang.org/x/net v0.0.0-20210129194117-4acb7895a057
	90	+# golang.org/x/net v0.0.0-20211209100217-a5309b321dca
	91	## explicit
	92	golang.org/x/net/dns/dnsmessage
	93	golang.org/x/net/http/httpguts