| author | Soumya Sambu <soumya.sambu@windriver.com> | 2023-12-20 12:03:38 +0000 |
|---|---|---|
| committer | Steve Sakoman <steve@sakoman.com> | 2023-12-22 16:36:55 -1000 |
| commit | 7262c0f2351cd08f049c7d050e8672c45e1952c0 (patch) | |
| tree | 3b70c3b29d9fbd0277a21a3bdc7d767461499a2f /meta/recipes-devtools/python/python3_3.10.13.bb | |
| parent | 558325482c9538acf87eb0014babe0fc26f0471f (diff) | |
| download | poky-7262c0f2351cd08f049c7d050e8672c45e1952c0.tar.gz | |
go: Fix CVE-2023-39326

A malicious HTTP sender can use chunk extensions to cause a receiver
reading from a request or response body to read many more bytes from
the network than are in the body. A malicious HTTP client can further
exploit this to cause a server to automatically read a large amount
of data (up to about 1GiB) when a handler fails to read the entire
body of a request. Chunk extensions are a little-used HTTP feature
which permit including additional metadata in a request or response
body sent using the chunked encoding. The net/http chunked encoding
reader discards this metadata. A sender can exploit this by inserting
a large metadata segment with each byte transferred. The chunk reader
now produces an error if the ratio of real body to encoded bytes grows
too small.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-39326
https://security-tracker.debian.org/tracker/CVE-2023-39326

(From OE-Core rev: 448df3bb9277287dd8586987199223b7314fdd01)

Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta/recipes-devtools/python/python3_3.10.13.bb')
0 files changed, 0 insertions, 0 deletions
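
The check the commit message describes (error out when framing outweighs real body data) can be sketched as follows. This is an added example, not code from this commit or from Go's net/http; the function name, error value and budget constants are assumptions chosen for illustration.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"io"
	"strconv"
	"strings"
)

// Assumed budget: a chunk is charged its header line + CRLF, credited 16 bytes + 2x its data.
const perChunk, maxExcess = 16, 16 << 10
var ErrTooMuchNonData = errors.New("chunked body contains too much non-data")

// ScanChunked discards a chunked body and returns the data and framing byte counts.
func ScanChunked(r io.Reader) (int64, int64, error) {
	var data, framing, excess int64
	br := bufio.NewReader(r) // default 4096-byte buffer also caps one header line
	for {
		raw, err := br.ReadSlice('\n')
		if err != nil {
			return data, framing, fmt.Errorf("chunk header: %w", err)
		}
		framing += int64(len(raw))
		size, _, _ := strings.Cut(strings.TrimSpace(string(raw)), ";") // drop extension
		n, err := strconv.ParseUint(strings.TrimSpace(size), 16, 31)
		if err != nil {
			return data, framing, fmt.Errorf("chunk size: %w", err)
		}
		if excess += int64(len(raw)) + 2 - perChunk - 2*int64(n); excess < 0 {
			excess = 0
		}
		if excess > maxExcess {
			return data, framing, ErrTooMuchNonData
		}
		if n == 0 {
			return data, framing, nil // last chunk; trailers are not parsed here
		}
		if _, err := io.CopyN(io.Discard, br, int64(n)+2); err != nil {
			return data, framing, io.ErrUnexpectedEOF // data plus its CRLF (not validated)
		}
		data, framing = data+int64(n), framing+2
	}
}

func main() {
	body := strings.Repeat("1;"+strings.Repeat("x", 1000)+"\r\nA\r\n", 100) + "0\r\n\r\n" // constructed sample
	fmt.Println(ScanChunked(strings.NewReader(body)))
}
```

Because the surplus is clamped at zero, well-formed bodies with ordinary chunk sizes never accumulate a charge, while a stream of tiny chunks with large extensions is rejected after a bounded number of framing bytes.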
