From 12258f518b58804ec07eac0bc8433682b1157241 Mon Sep 17 00:00:00 2001
From: Cameron Rozean
Date: Wed, 11 Oct 2023 11:46:15 -0700
Subject: [PATCH 1/5] remove release from patch pr

---
 projects/golang/go/1.19/RELEASE | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/projects/golang/go/1.19/RELEASE b/projects/golang/go/1.19/RELEASE
index b4de39476..f599e28b8 100644
--- a/projects/golang/go/1.19/RELEASE
+++ b/projects/golang/go/1.19/RELEASE
@@ -1 +1 @@
-11
+10

From b15ae5ef2381ab4984afaff74700ea2359283633 Mon Sep 17 00:00:00 2001
From: Cameron Rozean
Date: Thu, 12 Oct 2023 11:25:46 -0700
Subject: [PATCH 2/5] bump release in readme

---
 projects/golang/go/1.19/README.md | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/projects/golang/go/1.19/README.md b/projects/golang/go/1.19/README.md
index 6da92a92d..f113f703c 100644
--- a/projects/golang/go/1.19/README.md
+++ b/projects/golang/go/1.19/README.md
@@ -1,17 +1,17 @@ # EKS Golang 1.19 -Current Release: `11` +Current Release: `12` Tracking Tag: `go1.19.13` ### Artifacts: |Arch|Artifact|sha| |:---:|:---:|:---:| -|noarch|[golang-1.19.13-11.amzn2.eks.noarch.rpm](https://distro.eks.amazonaws.com/golang-go1.19.13/release/11/x86_64/RPMS/noarch/golang-1.19.13-11.amzn2.eks.noarch.rpm)|[golang-1.19.13-11.amzn2.eks.noarch.rpm.sha256](https://distro.eks.amazonaws.com/golang-go1.19.13/release/11/x86_64/RPMS/noarch/golang-1.19.13-11.amzn2.eks.noarch.rpm.sha256)| -|x86_64|[golang-1.19.13-11.amzn2.eks.x86_64.rpm](https://distro.eks.amazonaws.com/golang-go1.19.13/release/11/x86_64/RPMS/x86_64/golang-1.19.13-11.amzn2.eks.x86_64.rpm)|[golang-1.19.13-11.amzn2.eks.x86_64.rpm.sha256](https://distro.eks.amazonaws.com/golang-go1.19.13/release/11/x86_64/RPMS/x86_64/golang-1.19.13-11.amzn2.eks.x86_64.rpm.sha256)| -|aarch64|[golang-1.19.13-11.amzn2.eks.aarch64.rpm](https://distro.eks.amazonaws.com/golang-go1.19.13/release/11/aarch64/RPMS/aarch64/golang-1.19.13-11.amzn2.eks.aarch64.rpm)|[golang-1.19.13-11.amzn2.eks.aarch64.rpm.sha256](https://distro.eks.amazonaws.com/golang-go1.19.13/release/11/aarch64/RPMS/aarch64/golang-1.19.13-11.amzn2.eks.aarch64.rpm.sha256)| -|arm64|[go1.19.13.linux-arm64.tar.gz](https://distro.eks.amazonaws.com/golang-go1.19.13/release/11/archives/linux/arm64/go1.19.13.linux-arm64.tar.gz)|[go1.19.13.linux-arm64.tar.gz.sha256](https://distro.eks.amazonaws.com/golang-go1.19.13/release/11/archives/linux/arm64/go1.19.13.linux-arm64.tar.gz.sha256)| -|amd64|[go1.19.13.linux-amd64.tar.gz](https://distro.eks.amazonaws.com/golang-go1.19.13/release/11/archives/linux/amd64/go1.19.13.linux-amd64.tar.gz)|[go1.19.13.linux-amd64.tar.gz.sha256](https://distro.eks.amazonaws.com/golang-go1.19.13/release/11/archives/linux/amd64/go1.19.13.linux-amd64.tar.gz.sha256)| 
+|noarch|[golang-1.19.13-12.amzn2.eks.noarch.rpm](https://distro.eks.amazonaws.com/golang-go1.19.13/release/12/x86_64/RPMS/noarch/golang-1.19.13-12.amzn2.eks.noarch.rpm)|[golang-1.19.13-12.amzn2.eks.noarch.rpm.sha256](https://distro.eks.amazonaws.com/golang-go1.19.13/release/12/x86_64/RPMS/noarch/golang-1.19.13-12.amzn2.eks.noarch.rpm.sha256)| +|x86_64|[golang-1.19.13-12.amzn2.eks.x86_64.rpm](https://distro.eks.amazonaws.com/golang-go1.19.13/release/12/x86_64/RPMS/x86_64/golang-1.19.13-12.amzn2.eks.x86_64.rpm)|[golang-1.19.13-12.amzn2.eks.x86_64.rpm.sha256](https://distro.eks.amazonaws.com/golang-go1.19.13/release/12/x86_64/RPMS/x86_64/golang-1.19.13-12.amzn2.eks.x86_64.rpm.sha256)| +|aarch64|[golang-1.19.13-12.amzn2.eks.aarch64.rpm](https://distro.eks.amazonaws.com/golang-go1.19.13/release/12/aarch64/RPMS/aarch64/golang-1.19.13-12.amzn2.eks.aarch64.rpm)|[golang-1.19.13-12.amzn2.eks.aarch64.rpm.sha256](https://distro.eks.amazonaws.com/golang-go1.19.13/release/12/aarch64/RPMS/aarch64/golang-1.19.13-12.amzn2.eks.aarch64.rpm.sha256)| +|arm64|[go1.19.13.linux-arm64.tar.gz](https://distro.eks.amazonaws.com/golang-go1.19.13/release/12/archives/linux/arm64/go1.19.13.linux-arm64.tar.gz)|[go1.19.13.linux-arm64.tar.gz.sha256](https://distro.eks.amazonaws.com/golang-go1.19.13/release/12/archives/linux/arm64/go1.19.13.linux-arm64.tar.gz.sha256)| +|amd64|[go1.19.13.linux-amd64.tar.gz](https://distro.eks.amazonaws.com/golang-go1.19.13/release/12/archives/linux/amd64/go1.19.13.linux-amd64.tar.gz)|[go1.19.13.linux-amd64.tar.gz.sha256](https://distro.eks.amazonaws.com/golang-go1.19.13/release/12/archives/linux/amd64/go1.19.13.linux-amd64.tar.gz.sha256)| ### ARM64 Builds From a88d296c0b3e61a4d65eae411b77576b5052273e Mon Sep 17 00:00:00 2001 From: Cameron Rozean Date: Thu, 12 Oct 2023 11:32:44 -0700 Subject: [PATCH 3/5] revert RELEASE --- projects/golang/go/1.19/RELEASE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/projects/golang/go/1.19/RELEASE b/projects/golang/go/1.19/RELEASE
index f599e28b8..b4de39476 100644
--- a/projects/golang/go/1.19/RELEASE
+++ b/projects/golang/go/1.19/RELEASE
@@ -1 +1 @@
-10
+11

From 40517354b20c94e0815eedae5926925794f6be95 Mon Sep 17 00:00:00 2001
From: Cameron Rozean
Date: Thu, 12 Oct 2023 11:59:27 -0700
Subject: [PATCH 4/5] add fix for CVE-2023-39325

---
 ...3-eks-net-http-regenerate-h2_bundle-.patch | 203 ++++++++++++++++++
 .../golang/go/1.19/rpmbuild/SPECS/golang.spec | 1 +
 2 files changed, 204 insertions(+)
 create mode 100644 projects/golang/go/1.19/patches/0004-go-1.19-13-eks-net-http-regenerate-h2_bundle-.patch

diff --git a/projects/golang/go/1.19/patches/0004-go-1.19-13-eks-net-http-regenerate-h2_bundle-.patch b/projects/golang/go/1.19/patches/0004-go-1.19-13-eks-net-http-regenerate-h2_bundle-.patch
new file mode 100644
index 000000000..3714a212c
--- /dev/null
+++ b/projects/golang/go/1.19/patches/0004-go-1.19-13-eks-net-http-regenerate-h2_bundle-.patch
@@ -0,0 +1,203 @@
+From c07a3aaf582aca3f362fbfffa110c17b6b0e0b1d Mon Sep 17 00:00:00 2001
+From: Damien Neil
+Date: Fri, 6 Oct 2023 14:16:27 -0700
+Subject: [PATCH] [release-branch.go1.20] net/http: regenerate h2_bundle.go
+
+# AWS EKS
+
+Backported To: go-1.19.13-eks
+Backported On: Thu, 12 Oct 2023
+Backported By: rcrozean@amazon.com
+Backported From: release-branch.go1.20
+Source Commit: https://github.com/golang/go/commit/e175f27f58aa7b9cd4d79607ae65d2cd5baaee68
+
+# Original Information
+
+Pull in a security fix from x/net/http2:
+http2: limit maximum handler goroutines to MaxConcurrentStreamso
+
+For #63417
+Fixes #63426
+Fixes CVE-2023-39325
+
+Change-Id: I6e32397323cd9b4114c990fcc9d19557a7f5f619
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2047401
+Reviewed-by: Tatiana Bradley
+TryBot-Result: Security TryBots
+Run-TryBot: Damien Neil
+Reviewed-by: Ian Cottrell
+Reviewed-on: https://go-review.googlesource.com/c/go/+/534255
+Reviewed-by: Dmitri Shuralyov
+Reviewed-by: Damien Neil
+TryBot-Bypass: Dmitri Shuralyov
+Reviewed-by: Michael Pratt
+Auto-Submit: Dmitri Shuralyov
+---
+ src/cmd/internal/moddeps/moddeps_test.go | 2 +
+ src/net/http/h2_bundle.go | 94 ++++++++++++++++++++++--
+ 2 files changed, 91 insertions(+), 5 deletions(-)
+
+diff --git a/src/cmd/internal/moddeps/moddeps_test.go b/src/cmd/internal/moddeps/moddeps_test.go
+index 053cb8f548..b05a143c79 100644
+--- a/src/cmd/internal/moddeps/moddeps_test.go
++++ b/src/cmd/internal/moddeps/moddeps_test.go
+@@ -33,6 +33,8 @@ import (
+ // See issues 36852, 41409, and 43687.
+ // (Also see golang.org/issue/27348.)
+ func TestAllDependencies(t *testing.T) { ++ t.Skip("TODO(#63427): 1.21.3 contains unreleased changes from vendored modules") ++ + goBin := testenv.GoToolPath(t) + + // Ensure that all packages imported within GOROOT +diff --git a/src/net/http/h2_bundle.go b/src/net/http/h2_bundle.go +index 2e5ef078e5..d6a9335c8f 100644 +--- a/src/net/http/h2_bundle.go ++++ b/src/net/http/h2_bundle.go +@@ -4239,9 +4239,11 @@ type http2serverConn struct { + advMaxStreams uint32 // our SETTINGS_MAX_CONCURRENT_STREAMS advertised the client + curClientStreams uint32 // number of open streams initiated by the client + curPushedStreams uint32 // number of open streams initiated by server push ++ curHandlers uint32 // number of running handler goroutines + maxClientStreamID uint32 // max ever seen from client (odd), or 0 if there have been no client requests + maxPushPromiseID uint32 // ID of the last push promise (even), or 0 if there have been no pushes + streams map[uint32]*http2stream ++ unstartedHandlers []http2unstartedHandler + initialStreamSendWindowSize int32 + maxFrameSize int32 + headerTableSize uint32 +@@ -4635,6 +4637,8 @@ func (sc *http2serverConn) serve() { + return + case http2gracefulShutdownMsg: + sc.startGracefulShutdownInternal() ++ case http2handlerDoneMsg: ++ sc.handlerDone() + default: + panic("unknown timer") + } +@@ -4680,6 +4684,7 @@ var ( + http2idleTimerMsg = new(http2serverMessage) + http2shutdownTimerMsg = new(http2serverMessage) + http2gracefulShutdownMsg = new(http2serverMessage) ++ http2handlerDoneMsg = new(http2serverMessage) + ) + + func (sc *http2serverConn) onSettingsTimer() { sc.sendServeMsg(http2settingsTimerMsg) } +@@ -5642,8 +5647,31 @@ func (sc *http2serverConn) processHeaders(f *http2MetaHeadersFrame) error { + sc.conn.SetReadDeadline(time.Time{}) + } + +- go sc.runHandler(rw, req, handler) +- return nil ++ return sc.scheduleHandler(id, rw, req, handler) ++} ++ ++func (sc *http2serverConn) upgradeRequest(req *Request) { ++ sc.serveG.check() ++ 
id := uint32(1) ++ sc.maxClientStreamID = id ++ st := sc.newStream(id, 0, http2stateHalfClosedRemote) ++ st.reqTrailer = req.Trailer ++ if st.reqTrailer != nil { ++ st.trailer = make(Header) ++ } ++ rw := sc.newResponseWriter(st, req) ++ ++ // Disable any read deadline set by the net/http package ++ // prior to the upgrade. ++ if sc.hs.ReadTimeout != 0 { ++ sc.conn.SetReadDeadline(time.Time{}) ++ } ++ ++ // This is the first request on the connection, ++ // so start the handler directly rather than going ++ // through scheduleHandler. ++ sc.curHandlers++ ++ go sc.runHandler(rw, req, sc.handler.ServeHTTP) + } + + func (st *http2stream) processTrailerHeaders(f *http2MetaHeadersFrame) error { +@@ -5871,6 +5899,11 @@ func (sc *http2serverConn) newWriterAndRequestNoBody(st *http2stream, rp http2re + } + req = req.WithContext(st.ctx) + ++ rw := sc.newResponseWriter(st, req) ++ return rw, req, nil ++} ++ ++func (sc *http2serverConn) newResponseWriter(st *http2stream, req *Request) *http2responseWriter { + rws := http2responseWriterStatePool.Get().(*http2responseWriterState) + bwSave := rws.bw + *rws = http2responseWriterState{} // zero all the fields +@@ -5879,14 +5912,65 @@ func (sc *http2serverConn) newWriterAndRequestNoBody(st *http2stream, rp http2re + rws.bw.Reset(http2chunkWriter{rws}) + rws.stream = st + rws.req = req +- rws.body = body ++ return &http2responseWriter{rws: rws} ++} + +- rw := &http2responseWriter{rws: rws} +- return rw, req, nil ++type http2unstartedHandler struct { ++ streamID uint32 ++ rw *http2responseWriter ++ req *Request ++ handler func(ResponseWriter, *Request) ++} ++ ++// scheduleHandler starts a handler goroutine, ++// or schedules one to start as soon as an existing handler finishes. 
++func (sc *http2serverConn) scheduleHandler(streamID uint32, rw *http2responseWriter, req *Request, handler func(ResponseWriter, *Request)) error { ++ sc.serveG.check() ++ maxHandlers := sc.advMaxStreams ++ if sc.curHandlers < maxHandlers { ++ sc.curHandlers++ ++ go sc.runHandler(rw, req, handler) ++ return nil ++ } ++ if len(sc.unstartedHandlers) > int(4*sc.advMaxStreams) { ++ return sc.countError("too_many_early_resets", http2ConnectionError(http2ErrCodeEnhanceYourCalm)) ++ } ++ sc.unstartedHandlers = append(sc.unstartedHandlers, http2unstartedHandler{ ++ streamID: streamID, ++ rw: rw, ++ req: req, ++ handler: handler, ++ }) ++ return nil ++} ++ ++func (sc *http2serverConn) handlerDone() { ++ sc.serveG.check() ++ sc.curHandlers-- ++ i := 0 ++ maxHandlers := sc.advMaxStreams ++ for ; i < len(sc.unstartedHandlers); i++ { ++ u := sc.unstartedHandlers[i] ++ if sc.streams[u.streamID] == nil { ++ // This stream was reset before its goroutine had a chance to start. ++ continue ++ } ++ if sc.curHandlers >= maxHandlers { ++ break ++ } ++ sc.curHandlers++ ++ go sc.runHandler(u.rw, u.req, u.handler) ++ sc.unstartedHandlers[i] = http2unstartedHandler{} // don't retain references ++ } ++ sc.unstartedHandlers = sc.unstartedHandlers[i:] ++ if len(sc.unstartedHandlers) == 0 { ++ sc.unstartedHandlers = nil ++ } + } + + // Run on its own goroutine. + func (sc *http2serverConn) runHandler(rw *http2responseWriter, req *Request, handler func(ResponseWriter, *Request)) { ++ defer sc.sendServeMsg(http2handlerDoneMsg) + didPanic := true + defer func() { + rw.rws.stream.cancelCtx() +-- +2.42.0 + diff --git a/projects/golang/go/1.19/rpmbuild/SPECS/golang.spec b/projects/golang/go/1.19/rpmbuild/SPECS/golang.spec index 9870de801..23de75102 100644 --- a/projects/golang/go/1.19/rpmbuild/SPECS/golang.spec +++ b/projects/golang/go/1.19/rpmbuild/SPECS/golang.spec 
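Review bot: The `t.Skip("TODO(#63427): 1.21.3 contains unreleased changes from vendored modules")` added at the top of TestAllDependencies is carried over verbatim from the upstream go1.20 commit and its message does not describe this tree — the patch targets go1.19.13-eks, and the skip turns off, for every future build of this toolchain, the test whose own comment says it ensures that all packages imported within GOROOT come from vendored modules. If the regenerated h2_bundle.go genuinely needs it here, reword it to say so, e.g. `t.Skip("TODO: go1.19.13-eks h2_bundle.go is regenerated from an unreleased x/net; see upstream #63427")`; if the 1.19 tree passes without it, drop the moddeps_test.go hunk from the backport entirely. The newWriterAndRequestNoBody hunk also removes `rws.body = body` while the `body` field of http2responseWriterState is not touched anywhere in this patch; that mirrors the upstream diff, but the hunk alone cannot show whether anything in the 1.19 bundle still reads `rws.body`, so please confirm that before merging. Finally, this only fixes the HTTP/2 server bundled into net/http; programs built with this toolchain that import golang.org/x/net/http2 directly are not covered and still need the corresponding x/net update, which is worth stating in the "AWS EKS" header of the backport. TestAllDependencies and runHandler both continue outside the hunk.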
@@ -161,6 +161,7 @@ Requires: %{name}-src = %{version}-%{release} Patch1: 0001-go-1.19.12-eks-html-template-support-HTML-lik.patch Patch2: 0002-go-1.19.12-eks-html-template-properly-handle-.patch Patch3: 0003-go-1.19.13-eks-cmd-compile-use-absolute-file-.patch +Patch4: 0004-go-1.19-13-eks-net-http-regenerate-h2_bundle-.patch Patch102: 0102-syscall-expose-IfInfomsg.X__ifi_pad-on-s390x.patch Patch103: 0103-cmd-go-disable-Google-s-proxy-and-sumdb.patch From c1a1060e33489f0572a87ff339f0592ed9a16722 Mon Sep 17 00:00:00 2001 From: Cameron Rozean Date: Thu, 12 Oct 2023 12:53:19 -0700 Subject: [PATCH 5/5] add changelog entry --- projects/golang/go/1.19/rpmbuild/SPECS/golang.spec | 3 +++ 1 file changed, 3 insertions(+) diff --git a/projects/golang/go/1.19/rpmbuild/SPECS/golang.spec b/projects/golang/go/1.19/rpmbuild/SPECS/golang.spec index 23de75102..e94b8bd1c 100644 --- a/projects/golang/go/1.19/rpmbuild/SPECS/golang.spec +++ b/projects/golang/go/1.19/rpmbuild/SPECS/golang.spec @@ -541,6 +541,9 @@ fi %endif %changelog +* Thu Oct 12 2023 Cameron Rozean - 1.19.13-5 +- Includes security fix for CVE-2023-39325 + * Tue Oct 10 2023 Cameron Rozean - 1.19.13-4 - Includes security fix for CVE-2023-39323
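Review bot: The new `Patch4:` entry names the file `0004-go-1.19-13-eks-net-http-regenerate-h2_bundle-.patch`, which breaks the naming used by its neighbours (`0003-go-1.19.13-eks-...`, `0001-go-1.19.12-eks-...`); unless the file is renamed now, the stray `1.19-13` will be copied into every later backport header and spec that references it. I would rename the patch file to `0004-go-1.19.13-eks-net-http-regenerate-h2_bundle-.patch` and change this line to `Patch4: 0004-go-1.19.13-eks-net-http-regenerate-h2_bundle-.patch`. A `Patch:` tag on its own does not apply anything — whether this patch is actually applied depends on the `%prep` section (an `%autosetup`/`%autopatch`, or an explicit `%patch4 -p1`), which is outside this hunk, so please confirm the built RPM really contains the fix before the changelog claims it does.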