The Go runtime uses runtime Finalizer to delete cert [[1]]. The
interestingGoroutines is able to collect stack like,
```plain
leak.go:103: Found leaked goroutined BEFORE test appears to have leaked :
sync.(*Map).LoadAndDelete(0xc00031e180, {0xe07320, 0xc00009fde0})
/usr/local/go/src/sync/map.go:272 +0x192
sync.(*Map).Delete(...)
/usr/local/go/src/sync/map.go:297
crypto/tls.(*certCache).evict(...)
/usr/local/go/src/crypto/tls/cache.go:73
crypto/tls.(*certCache).active.func1(0x0?)
/usr/local/go/src/crypto/tls/cache.go:65 +0x67
```
It's caused by GC instead of leaky goroutine. interestingGoroutines
should skip it.
Backport of #18287
[1]: 8e1fdea831/src/crypto/tls/cache.go (L63)
Signed-off-by: Wei Fu <fuweid89@gmail.com>
Extracted log from govulncheck, suggesting that we should bump the
version of golang.org/x/sys
Vulnerability #1: GO-2022-0493
Incorrect privilege reporting in syscall and golang.org/x/sys/unix
More info: https://pkg.go.dev/vuln/GO-2022-0493
Module: golang.org/x/sys
Found in: golang.org/x/sys@v0.0.0-20210403161142-5e06dd20ab57
Fixed in: golang.org/x/sys@v0.0.0-20220412211240-33da011f77ad
Signed-off-by: Chun-Hung Tseng <henrybear327@gmail.com>
Extracted log from govulncheck, suggesting that we should bump the
version of golang.org/x/net
=== Symbol Results ===
Vulnerability #1: GO-2024-2687
HTTP/2 CONTINUATION flood in net/http
More info: https://pkg.go.dev/vuln/GO-2024-2687
Module: golang.org/x/net
Found in: golang.org/x/net@v0.17.0
Fixed in: golang.org/x/net@v0.23.0
Reference:
- https://github.com/etcd-io/etcd/pull/17708
Signed-off-by: Chun-Hung Tseng <henrybear327@gmail.com>
This commit adds a script to sync the version present in .go-version
across all go.mod files as the toolchain directive. As part of that,
this commit also modifies go.mod files that did not have synced toolchain
directives.
Additionally, this also adds a script to verify all toolchain and go
directives against the version present in .go-version as follows:
(1) The go directive <= version in .go-version
(2) The toolchain directive == version in .go-version
This script runs as part of the `make verify` target, making it run
as a presbumit by default.
Signed-off-by: Madhav Jivrajani <madhav.jiv@gmail.com>
Resolves#12450
This commits adds support to unix/unixs socket URLs, which currently
fail with the message "URL address does not have the form "host:port".
It also replaces the work started in #11747.
(cherry picked from commit d93b7c8cb185af5a8af8408fbfcc55a21e3d9e5a)
Signed-off-by: Hubert Zhang <hubert.zyk@gmail.com>
Added keepalive_listener_unix.go and keepalive_listener_openbsd.go to
handle SetKeepAlivePeriod() specially on OpenBSD.
Signed-off-by: Ruize Tang <1466040111@qq.com>
The last step with gRPC update behavior changes auditing to resolve CVE #16740 in 3.5
This PR backports #14922, #16338, #16587, #16630, #16636 and #16739 to release-3.5.
Signed-off-by: Chao Chen <chaochn@amazon.com>
so that they cabn be configured via config file.
Co-authored-by: Shawn Gerrard <shawn.gerrard@gmail.com>
Signed-off-by: James Blair <mail@jamesblair.net>
