mirror of
https://github.com/etcd-io/etcd.git
synced 2024-09-27 06:25:44 +00:00
1ba246e1d8
Found 1 known vulnerability. Vulnerability #1: GO-2022-1144 An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection. Call stacks in your code: Error: tools/etcd-dump-metrics/main.go:158:5: go.etcd.io/etcd/v3/tools/etcd-dump-metrics.main calls go.etcd.io/etcd/server/v3/embed.StartEtcd, which eventually calls golang.org/x/net/http2.Server.ServeConn Found in: golang.org/x/net/http2@v0.2.0 Fixed in: golang.org/x/net/http2@v0.4.0 More info: https://pkg.go.dev/vuln/GO-2022-1144 Error: Process completed with exit code 3. Signed-off-by: Benjamin Wang <wachao@vmware.com>
55 lines
1.8 KiB
Modula-2
55 lines
1.8 KiB
Modula-2
module go.etcd.io/etcd/client/v3
|
|
|
|
go 1.19
|
|
|
|
require (
|
|
github.com/dustin/go-humanize v1.0.0
|
|
github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0
|
|
github.com/prometheus/client_golang v1.12.2
|
|
github.com/stretchr/testify v1.8.1
|
|
go.etcd.io/etcd/api/v3 v3.6.0-alpha.0
|
|
go.etcd.io/etcd/client/pkg/v3 v3.6.0-alpha.0
|
|
go.uber.org/zap v1.21.0
|
|
google.golang.org/grpc v1.51.0
|
|
sigs.k8s.io/yaml v1.3.0
|
|
)
|
|
|
|
require (
|
|
github.com/benbjohnson/clock v1.1.0 // indirect
|
|
github.com/beorn7/perks v1.0.1 // indirect
|
|
github.com/cespare/xxhash/v2 v2.1.2 // indirect
|
|
github.com/coreos/go-semver v0.3.0 // indirect
|
|
github.com/coreos/go-systemd/v22 v22.3.2 // indirect
|
|
github.com/davecgh/go-spew v1.1.1 // indirect
|
|
github.com/gogo/protobuf v1.3.2 // indirect
|
|
github.com/golang/protobuf v1.5.2 // indirect
|
|
github.com/matttproud/golang_protobuf_extensions v1.0.1 // indirect
|
|
github.com/pmezard/go-difflib v1.0.0 // indirect
|
|
github.com/prometheus/client_model v0.2.0 // indirect
|
|
github.com/prometheus/common v0.32.1 // indirect
|
|
github.com/prometheus/procfs v0.7.3 // indirect
|
|
go.uber.org/atomic v1.7.0 // indirect
|
|
go.uber.org/multierr v1.6.0 // indirect
|
|
golang.org/x/net v0.4.0 // indirect
|
|
golang.org/x/sys v0.3.0 // indirect
|
|
golang.org/x/text v0.5.0 // indirect
|
|
google.golang.org/genproto v0.0.0-20211118181313-81c1377c94b1 // indirect
|
|
google.golang.org/protobuf v1.27.1 // indirect
|
|
gopkg.in/yaml.v2 v2.4.0 // indirect
|
|
gopkg.in/yaml.v3 v3.0.1 // indirect
|
|
)
|
|
|
|
replace (
|
|
go.etcd.io/etcd/api/v3 => ../../api
|
|
go.etcd.io/etcd/client/pkg/v3 => ../pkg
|
|
)
|
|
|
|
// Bad imports are sometimes causing attempts to pull that code.
|
|
// This makes the error more explicit.
|
|
replace (
|
|
go.etcd.io/etcd => ./FORBIDDEN_DEPENDENCY
|
|
go.etcd.io/etcd/pkg/v3 => ./FORBIDDEN_DEPENDENCY
|
|
go.etcd.io/etcd/v3 => ./FORBIDDEN_DEPENDENCY
|
|
go.etcd.io/tests/v3 => ./FORBIDDEN_DEPENDENCY
|
|
)
|