Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bump golang.org/x/net from 0.21.0 to 0.23.0 #63

Merged
merged 1 commit into from
Apr 22, 2024
Merged

Bump golang.org/x/net from 0.21.0 to 0.23.0 #63

merged 1 commit into from
Apr 22, 2024

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Apr 19, 2024

Bumps golang.org/x/net from 0.21.0 to 0.23.0.

Commits
  • c48da13 http2: fix TestServerContinuationFlood flakes
  • 762b58d http2: fix tipos in comment
  • ba87210 http2: close connections when receiving too many headers
  • ebc8168 all: fix some typos
  • 3678185 http2: make TestCanonicalHeaderCacheGrowth faster
  • 448c44f http2: remove clientTester
  • c7877ac http2: convert the remaining clientTester tests to testClientConn
  • d8870b0 http2: use synthetic time in TestIdleConnTimeout
  • d73acff http2: only set up deadline when Server.IdleTimeout is positive
  • 89f602b http2: validate client/outgoing trailers
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
Bump golang.org/x/net from 0.21.0 to 0.23.0
fef8254 
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.21.0 to 0.23.0.
- [Commits](golang/net@v0.21.0...v0.23.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Apr 19, 2024
@github-actions GitHub Actions
Copy link

[puLL-Merge] - golang/[email protected]

Description

This pull request introduces several key changes to the QUIC implementation in the Go networking library. It primarily focuses on refinancing and enhancing QUIC functionality, including support for ECN (Explicit Congestion Notification) bits, address migration, better logging for debugging, improved congestion control, and context support for cancelation and timeouts in Dial functions. These changes aim to make the QUIC implementation more compliant with the RFCs, more performant, and easier to debug.

Changes

Changes

quic/

  • Added context support for cancellation and timeouts in Dial and related functions.
  • Enhanced ECN bits handling for UDP connections across different platforms (darwin, linux, and others).
  • Added logging for QUIC recovery and loss events through structured logging.
  • Implemented read and write context setters in the Stream struct.
  • Modified congestion control to improve performance based on QUICHE's behavior.
  • Refactored packet handling to support parsing and processing of PATH_CHALLENGE and PATH_RESPONSE frames.
  • Added support for parsing and writing ECN bits in UDP datagrams.
  • Implemented changes in QUIC's internal structures and algorithms to improve compliance with the QUIC specifications, particularly around connection establishment, stream handling, error reporting, and more.
  • Reorganized QUIC-related files and moved some from internal/quic to quic, indicating potential stabilization of APIs.

websocket/

  • Added context support for cancellation and timeouts in the WebSocket client, enhancing its robustness and usability.

Security Hotspots

  1. ECN handling in UDP connections (quic/udp_*.go): Incorrect parsing or setting of ECN bits could lead to denial of service or incorrect traffic handling. It's crucial to ensure these bits are correctly interpreted and set across all platforms.
  2. QUIC stream context handling (quic/stream.go): The introduction of read and write contexts in QUIC streams requires careful management to avoid leaking goroutines or mismanaging resources, especially in error cases or timeouts.
  3. QUIC congestion control modifications (quic/congestion_reno.go): Changes to congestion control algorithms need thorough testing under various network conditions to prevent unexpected behavior that could lead to poor performance or connection instability.
  4. QUIC path handling (quic/path.go): The handling of PATH_CHALLENGE and PATH_RESPONSE frames introduces state that could be manipulated by an attacker to disrupt connections. Validating and responding to these frames securely is vital.
  5. Websocket dial context (websocket/client.go): The new context-based cancellation and timeout mechanism needs to ensure that connections are properly cleaned up in all cases to prevent resource exhaustion.

@rillian rillian merged commit 351146f into master Apr 22, 2024
7 checks passed
@dependabot dependabot bot deleted the dependabot/go_modules/golang.org/x/net-0.23.0 branch April 22, 2024 14:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rillian rillian rillian approved these changes

Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file puLL-Merge
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@rillian