Go 1.22.2 and 1.21.9 (CVE-2023-45288 HTTP/2 CONTINUATION issue)

[Jan Schaumann <jschauma () netmeister org>]

[ Forwarding another announcement I didn't see on this
list relating to VU#421644 ]

https://groups.google.com/g/golang-announce/c/YgW0sx8mN3M

| We have just released Go versions 1.22.2 and 1.21.9,
| minor point releases.
| 
| These minor releases include 1 security fixes
| following the security policy:
| 
| http2: close connections when receiving too many
| headers
| 
| Maintaining HPACK state requires that we parse and
| process all HEADERS and CONTINUATION frames on a
| connection. When a request's headers exceed
| MaxHeaderBytes, we don't allocate memory to store the
| excess headers but we do parse them. This permits an
| attacker to cause an HTTP/2 endpoint to read arbitrary
| amounts of header data, all associated with a request
| which is going to be rejected. These headers can
| include Huffman-encoded data which is significantly
| more expensive for the receiver to decode than for an
| attacker to send.
| 
| Set a limit on the amount of excess header frames we
| will process before closing a connection.
| 
| Thanks to Bartek Nowotarski (https://nowotarski.info/)
| for reporting this issue.
| 
| This is CVE-2023-45288 and Go issue
| https://go.dev/issue/65051.
| 
| View the release notes for more information:
| https://go.dev/doc/devel/release#go1.22.2
| 
| You can download binary and source distributions from
| the Go website:
| https://go.dev/dl/
| 
| To compile from source using a Git clone, update to
| the release with
| git checkout go1.22.2 and build as usual.
| 
| Thanks to everyone who contributed to the releases.