Skip to content

v0.49.1
Compare
Choose a tag to compare
@github-actions github-actions released this 21 Feb 23:51
· 1083 commits to main since this release
v0.49.1
cbf6fab

This is a bug fix release addressing the following Golang security issues:

Golang security fix CVE-2022-41723

A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a
denial of service from a small number of small requests.

Golang security fix CVE-2022-41724

Large handshake records may cause panics in crypto/tls. Both clients and servers may send large TLS handshake records
which cause servers and clients, respectively, to panic when attempting to construct responses.

Golang security fix CVE-2022-41722

A path traversal vulnerability exists in filepath.Clean on Windows. On Windows, the filepath.Clean function could
transform an invalid path such as "a/../c:/b" into the valid path "c:�". This transformation of a relative
(if invalid) path into an absolute path could enable a directory traversal attack.
After fix, the filepath.Clean function transforms this path into the relative (but still invalid) path ".

Assets 14
Loading