{"id":"MGASA-2024-0128","summary":"Updated golang packages fix security vulnerability","details":"CVE-2023-45288: An attacker may cause an HTTP/2 endpoint to read\narbitrary amounts of header data by sending an excessive number of\nCONTINUATION frames. Maintaining HPACK state requires parsing and\nprocessing all HEADERS and CONTINUATION frames on a connection. When a\nrequest's headers exceed MaxHeaderBytes, no memory is allocated to store\nthe excess headers, but they are still parsed. This permits an attacker\nto cause an HTTP/2 endpoint to read arbitrary amounts of header data,\nall associated with a request which is going to be rejected. These\nheaders can include Huffman-encoded data which is significantly more\nexpensive for the receiver to decode than for an attacker to send. The\nfix sets a limit on the amount of excess header frames we will process\nbefore closing a connection.\n","modified":"2026-04-16T00:12:21.670380851Z","published":"2024-04-13T16:56:38Z","upstream":["CVE-2023-45288"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2024-0128.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=33068"},{"type":"WEB","url":"https://www.openwall.com/lists/oss-security/2024/04/05/4"}],"affected":[{"package":{"name":"golang","ecosystem":"Mageia:9","purl":"pkg:rpm/mageia/golang?arch=source&distro=mageia-9"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.21.9-1.mga9"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2024-0128.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}