Merged
Conversation
go1.21.12 (released 2024-07-02) includes security fixes to the net/http package, as well as bug fixes to the compiler, the go command, the runtime, and the crypto/x509, net/http, net/netip, and os packages. See the Go 1.21.12 milestone on our issue tracker for details: - https://github.com/golang/go/issues?q=milestone%3AGo1.21.12+label%3ACherryPickApproved - full diff: golang/go@go1.21.11...go1.21.12 From the security mailing: > Hello gophers, > > We have just released Go versions 1.22.5 and 1.21.12, minor point releases. > > These minor releases include 1 security fixes following the security policy: > > * net/http: denial of service due to improper 100-continue handling > > The net/http HTTP/1.1 client mishandled the case where a server responds > to a request with an “Expect: 100-continue” header with a non-informational > (200 or higher) status. This mishandling could leave a client connection > in an invalid state, where the next request sent on the connection will fail. > > An attacker sending a request to a net/http/httputil.ReverseProxy proxy can > exploit this mishandling to cause a denial of service by sending > “Expect: 100-continue” requests which elicit a non-informational response > from the backend. Each such request leaves the proxy with an invalid connection, > and causes one subsequent request using that connection to fail. > > Thanks to Geoff Franks for reporting this issue. > > This is CVE-2024-24791 and Go issue https://go.dev/issue/67555. Signed-off-by: Sebastiaan van Stijn <[email protected]>
glours
approved these changes
Jul 25, 2024
tmeijn
pushed a commit
to tmeijn/dotfiles
that referenced
this pull request
Aug 20, 2024
This MR contains the following updates: | Package | Update | Change | |---|---|---| | [docker/compose](https://github.com/docker/compose) | patch | `v2.29.1` -> `v2.29.2` | MR created with the help of [el-capitano/tools/renovate-bot](https://gitlab.com/el-capitano/tools/renovate-bot). **Proposed changes to behavior should be submitted there as MRs.** --- ### Release Notes <details> <summary>docker/compose (docker/compose)</summary> ### [`v2.29.2`](https://github.com/docker/compose/releases/tag/v2.29.2) [Compare Source](docker/compose@v2.29.1...v2.29.2) #### What's Changed ##### ✨ Improvements - docs: Update docker compose kill usage [(12041)](docker/compose#12041) - add `x-initSync` to watch to always provide initial [(12047)](docker/compose#12047) ##### 🐛 Fixes - Removes redundant condition from toAPIBuildOptions in build.go [(12009)](docker/compose#12009) - Fix stoping compose process for single container for file change on sync-restart action [(12014)](docker/compose#12014) ##### 🔧 Internal - bump golang `1.21.12` [(12017)](docker/compose#12017) - bump engine and cli to `v27.1.1`, buildx to `v0.16.1` [(12020)](docker/compose#12020) - bump engine and cli to `v27.1.2`, buildx to `v0.16.2` [(12057)](docker/compose#12057) - remove all dependabot update MRs for OTel dependencies [(12006)](docker/compose#12006) - bump golang.org/x/sys `v0.22.0` and gofrs/flock `v0.12.1` [(12018)](docker/compose#12018) #### New Contributors - [@​janbrasna](https://github.com/janbrasna) made their first contribution in [(12041)](docker/compose#12041) - [@​kapurm17](https://github.com/kapurm17) made their first contribution in [(12009)](docker/compose#12009) **Full Changelog**: docker/compose@v2.29.1...v2.29.2 </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this MR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this MR, check this box --- This MR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy40NDAuNyIsInVwZGF0ZWRJblZlciI6IjM3LjQ0MC43IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJSZW5vdmF0ZSBCb3QiXX0=-->
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
go1.21.12 (released 2024-07-02) includes security fixes to the net/http package, as well as bug fixes to the compiler, the go command, the runtime, and the crypto/x509, net/http, net/netip, and os packages. See the Go 1.21.12 milestone on our issue tracker for details:
From the security mailing:
What I did
Related issue
(not mandatory) A picture of a cute animal, if possible in relation to what you did