full diff: https://github.com/golang/net/compare/v0.10.0...v0.17.0

This fixes the same CVE as go1.21.3 and go1.20.10;

- net/http: rapid stream resets can cause excessive work

A malicious HTTP/2 client which rapidly creates requests and
immediately resets them can cause excessive server resource consumption.
While the total number of requests is bounded to the
http2.Server.MaxConcurrentStreams setting, resetting an in-progress
request allows the attacker to create a new request while the existing
one is still executing.

HTTP/2 servers now bound the number of simultaneously executing
handler goroutines to the stream concurrency limit. New requests
arriving when at the limit (which can only happen after the client
has reset an existing, in-flight request) will be queued until a
handler exits. If the request queue grows too large, the server
will terminate the connection.

This issue is also fixed in golang.org/x/net/http2 v0.17.0,
for users manually configuring HTTP/2.

The default stream concurrency limit is 250 streams (requests)
per HTTP/2 connection. This value may be adjusted using the
golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams
setting and the ConfigureServer function.

This is CVE-2023-39325 and Go issue https://go.dev/issue/63417.
This is also tracked by CVE-2023-44487.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit a27466fb6f)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

80 lines
3.2 KiB
Modula-2
module github.com/docker/cli

// 'vendor.mod' enables use of 'go mod vendor' to managed 'vendor/' directory.
// There is no 'go.mod' file, as that would imply opting in for all the rules
// around SemVer, which this repo cannot abide by as it uses CalVer.

go 1.19

require (
	github.com/containerd/containerd v1.6.21
	github.com/creack/pty v1.1.18
	github.com/docker/distribution v2.8.2+incompatible
	github.com/docker/docker v24.0.5+incompatible
	github.com/docker/docker-credential-helpers v0.7.0
	github.com/docker/go-connections v0.4.0
	github.com/docker/go-units v0.5.0
	github.com/fvbommel/sortorder v1.0.2
	github.com/gogo/protobuf v1.3.2
	github.com/google/go-cmp v0.5.9
	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510
	github.com/imdario/mergo v0.3.13
	github.com/mattn/go-runewidth v0.0.14
	github.com/mitchellh/mapstructure v1.3.2
	github.com/moby/buildkit v0.11.6
	github.com/moby/patternmatcher v0.6.0
	github.com/moby/swarmkit/v2 v2.0.0-20230531205928-01bb7a41396b
	github.com/moby/sys/sequential v0.5.0
	github.com/moby/sys/signal v0.7.0
	github.com/moby/term v0.5.0
	github.com/morikuni/aec v1.0.0
	github.com/opencontainers/go-digest v1.0.0
	github.com/opencontainers/image-spec v1.1.0-rc3
	github.com/pkg/errors v0.9.1
	github.com/sirupsen/logrus v1.9.3
	github.com/spf13/cobra v1.7.0
	github.com/spf13/pflag v1.0.5
	github.com/theupdateframework/notary v0.7.1-0.20210315103452-bf96a202a09a
	github.com/tonistiigi/go-rosetta v0.0.0-20200727161949-f79598599c5d
	github.com/xeipuuv/gojsonschema v1.2.0
	golang.org/x/sync v0.3.0
	golang.org/x/sys v0.13.0
	golang.org/x/term v0.13.0
	golang.org/x/text v0.13.0
	gopkg.in/yaml.v2 v2.4.0
	gotest.tools/v3 v3.5.0
)

require (
	github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
	github.com/Microsoft/go-winio v0.5.2 // indirect
	github.com/beorn7/perks v1.0.1 // indirect
	github.com/cespare/xxhash/v2 v2.1.2 // indirect
	github.com/docker/go v1.5.1-1.0.20160303222718-d30aec9fd63c // indirect
	github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c // indirect
	github.com/docker/go-metrics v0.0.1 // indirect
	github.com/go-sql-driver/mysql v1.6.0 // indirect
	github.com/golang/protobuf v1.5.2 // indirect
	github.com/gorilla/mux v1.8.0 // indirect
	github.com/inconshreveable/mousetrap v1.1.0 // indirect
	github.com/klauspost/compress v1.16.3 // indirect
	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
	github.com/miekg/pkcs11 v1.1.1 // indirect
	github.com/moby/sys/symlink v0.2.0 // indirect
	github.com/opencontainers/runc v1.1.7 // indirect
	github.com/prometheus/client_golang v1.14.0 // indirect
	github.com/prometheus/client_model v0.3.0 // indirect
	github.com/prometheus/common v0.37.0 // indirect
	github.com/prometheus/procfs v0.8.0 // indirect
	github.com/rivo/uniseg v0.2.0 // indirect
	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
	go.etcd.io/etcd/raft/v3 v3.5.6 // indirect
	golang.org/x/crypto v0.14.0 // indirect
	golang.org/x/net v0.17.0 // indirect
	golang.org/x/time v0.3.0 // indirect
	google.golang.org/genproto v0.0.0-20220706185917-7780775163c4 // indirect
	google.golang.org/grpc v1.50.1 // indirect
	google.golang.org/protobuf v1.28.1 // indirect
)
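
A check a downstream maintainer could run over a go.mod or vendor.mod file to confirm it requires golang.org/x/net at or above v0.17.0, the fixed release named in the commit message. This is an added example, not code from docker/cli or the Go project; the function names are hypothetical, the sample input is constructed, and replace directives are not interpreted.

```go
package main

import (
	"fmt"
	"strings"
)

// parseVersion reads vMAJOR.MINOR.PATCH; pre is true for pre-release and pseudo-versions.
func parseVersion(v string) (nums [3]int, pre bool, err error) {
	_, err = fmt.Sscanf(v, "v%d.%d.%d", &nums[0], &nums[1], &nums[2])
	return nums, strings.Contains(v, "-"), err
}

// requiredVersion returns module's version from require directives only, or "" if absent.
func requiredVersion(modFile, module string) string {
	block := "" // directive of the parenthesised block we are inside, if any
	for _, raw := range strings.Split(modFile, "\n") {
		line, _, _ := strings.Cut(raw, "//") // drop "// indirect" and other comments
		f := strings.Fields(block + " " + line)
		switch {
		case len(f) == 2 && f[1] == "(":
			block = f[0]
		case len(f) == 2 && f[1] == ")":
			block = ""
		case len(f) == 3 && f[0] == "require" && f[1] == module:
			return f[2]
		}
	}
	return ""
}

// hasRapidResetFix reports whether modFile requires golang.org/x/net at or above
// v0.17.0 (hypothetical helper; the threshold comes from the commit message).
func hasRapidResetFix(modFile string) (bool, error) {
	got, pre, err := parseVersion(requiredVersion(modFile, "golang.org/x/net"))
	if err != nil {
		return false, fmt.Errorf("no usable golang.org/x/net requirement: %w", err)
	}
	want := [3]int{0, 17, 0}
	for i := range got {
		if got[i] != want[i] {
			return got[i] > want[i], nil
		}
	}
	return !pre, nil // a pre-release or pseudo-version of v0.17.0 sorts before it
}

func main() { // constructed one-line sample
	fmt.Println(hasRapidResetFix("require golang.org/x/net v0.17.0"))
}
```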