Cve-2023-24534, cve-2023-24536

Hi, can you please confirm if Traefik v2 is affected by the following Go CVEs and what version should be used to have these fixed:

• net/http, net/textproto: denial of service from excessive memory allocation
  
  This is CVE-2023-24534 and Go issue net/http, net/textproto: denial of service from excessive memory allocation ​(CVE-2023-24534) · Issue #58975 · golang/go · GitHub
  
  
• net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption
  
  This is CVE-2023-24536 and Go issue net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption (CVE-2023-24536) · Issue #59153 · golang/go · GitHub

Both issues are fixed starting Go versions 1.20.3 and 1.19.8.

Thanks! Best Regards, Felix

Hey @flxk, sorry for the late reply!

We released new versions of 2.9 and 2.10-rc2 related to CVE-2023-24534.

• v2.9
• v2.10-rc2

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.