Address GO-2023-2382

From: https://pkg.go.dev/vuln/GO-2023-2382

> A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a handler fails to read the entire body of a request. Chunk extensions are a little-used HTTP feature which permit including additional metadata in a request or response body sent using the chunked encoding. The net/http chunked encoding reader discards this metadata. A sender can exploit this by inserting a large metadata segment with each byte transferred. The chunk reader now produces an error if the ratio of real body to encoded bytes grows too small.

Affects
> [net/http/internal](https://pkg.go.dev/net/http/internal)
before go1.20.12, from go1.21.0-0 before go1.21.5


We'll need to bump the following

- [x] serving/1.11.x - https://github.com/knative/serving/pull/14734
- [x] serving/1.12.x - https://github.com/knative/serving/pull/14733
- [x] net-kourier/1.11.x  - https://github.com/knative-extensions/net-kourier/pull/1177
- [x] net-kourier/1.12.x - https://github.com/knative-extensions/net-kourier/pull/1176
- [x] net-istio/1.11.x - https://github.com/knative-extensions/net-istio/pull/1227 
- [x] net-istio/1.12.x - https://github.com/knative-extensions/net-istio/pull/1226
- [x] net-contour/1.11.x - https://github.com/knative-extensions/net-contour/pull/1014   
- [x] net-contour/1.12.x - https://github.com/knative-extensions/net-contour/pull/1013
- [x] net-http01/1.11.x - https://github.com/knative-extensions/net-http01/pull/576   
- [x] net-http01/1.12.x - https://github.com/knative-extensions/net-http01/pull/575
- [x] net-certmanager/1.11.x  - https://github.com/knative-extensions/net-certmanager/pull/642  
- [x] net-certmanager/1.12.x - https://github.com/knative-extensions/net-certmanager/pull/641
- [x] net-gateway-api/1.11.x - https://github.com/knative-extensions/net-gateway-api/pull/597
- [x] net-gateway-api/1.12.x - https://github.com/knative-extensions/net-gateway-api/pull/596

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Address GO-2023-2382 #14732

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Address GO-2023-2382 #14732

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions