Bugzilla – Bug 1216109
VUL-0: CVE-2023-39325: go1.20,go1.21: net/http: rapid stream resets can cause excessive work
Last modified: 2025-07-21 14:40:40 UTC
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded to the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit. New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 v0.17.0, for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function. This is CVE-2023-39325 and Go issue https://go.dev/issue/63417. This is also tracked by CVE-2023-44487.
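The bounded-handler scheme the advisory describes, written here as an added model for this page (it is not code from Go's net/http or golang.org/x/net/http2): one limiter per connection starts at most Limit handlers, queues later requests, and signals that the connection must be terminated once the queue cap is exceeded. Limit, MaxQueue and the stream IDs are constructed values; the exact queue cap and the single-goroutine ownership are assumptions, not taken from the page.

```go
package main

import (
	"errors"
	"fmt"
)

var ErrQueueOverflow = errors.New("request queue too large: terminate connection")

// StreamLimiter models the fixed per-connection logic: at most Limit handlers run at
// once, later requests wait in a bounded queue (owned by one serve goroutine, so no lock).
type StreamLimiter struct {
	Limit    int      // stream concurrency limit (MaxConcurrentStreams)
	MaxQueue int      // queue cap before the connection is terminated (assumed value)
	running  int      // handler goroutines currently executing
	queue    []uint32 // stream IDs waiting for a handler slot
}

// Admit is called when a stream's HEADERS arrive: (true, nil) handler starts
// now; (false, nil) stream queued; ErrQueueOverflow: close the connection.
func (l *StreamLimiter) Admit(id uint32) (bool, error) {
	if l.running < l.Limit {
		l.running++
		return true, nil
	}
	if len(l.queue) >= l.MaxQueue {
		return false, ErrQueueOverflow
	}
	l.queue = append(l.queue, id)
	return false, nil
}

// Done is called only when a handler exits (never on RST_STREAM); the freed slot goes to the oldest queued stream, whose ID is returned (0: none).
func (l *StreamLimiter) Done() uint32 {
	l.running--
	if len(l.queue) == 0 {
		return 0
	}
	next := l.queue[0]
	l.queue = l.queue[1:]
	l.running++
	return next
}

func main() {
	l := &StreamLimiter{Limit: 2, MaxQueue: 3} // tiny limits so the effect is visible
	for id := uint32(1); id <= 13; id += 2 { // client opens and immediately resets streams
		fmt.Println(l.Admit(id)) // resets never call Done: 2 start, 3 queue, then the error
	}
}
```

Before the fix a reset freed the stream slot while its handler kept running; in this model only Done frees a slot, which is why the 6th stream on the connection is refused instead of spawning a 6th handler.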
This is an autogenerated message for OBS integration: This bug (1216109) was mentioned in https://build.opensuse.org/request/show/1116742 Factory / go1.20 https://build.opensuse.org/request/show/1116743 Factory / go1.21
See bsc#1216123 for general details about the "HTTP/2 Rapid Reset Attack".
SUSE-SU-2023:4069-1: An update that solves two vulnerabilities can now be installed.
Category: security (important)
Bug References: 1212475, 1216109
CVE References: CVE-2023-39325, CVE-2023-44487
Sources used:
openSUSE Leap 15.5 (src): go1.21-1.21.3-150000.1.12.1
Development Tools Module 15-SP4 (src): go1.21-1.21.3-150000.1.12.1
Development Tools Module 15-SP5 (src): go1.21-1.21.3-150000.1.12.1
openSUSE Leap 15.4 (src): go1.21-1.21.3-150000.1.12.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2023:4068-1: An update that solves two vulnerabilities can now be installed.
Category: security (important)
Bug References: 1206346, 1216109
CVE References: CVE-2023-39325, CVE-2023-44487
Sources used:
openSUSE Leap 15.4 (src): go1.20-1.20.10-150000.1.29.1
openSUSE Leap 15.5 (src): go1.20-1.20.10-150000.1.29.1
Development Tools Module 15-SP4 (src): go1.20-1.20.10-150000.1.29.1
Development Tools Module 15-SP5 (src): go1.20-1.20.10-150000.1.29.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
This is an autogenerated message for OBS integration: This bug (1216109) was mentioned in https://build.opensuse.org/request/show/1121461 Backports:SLE-12 / go1.21
openSUSE-SU-2023:0360-1: An update that solves 8 vulnerabilities and has two fixes is now available.
Category: security (moderate)
Bug References: 1212475, 1212667, 1212669, 1215084, 1215085, 1215086, 1215087, 1215090, 1215985, 1216109
CVE References: CVE-2023-39318, CVE-2023-39319, CVE-2023-39320, CVE-2023-39321, CVE-2023-39322, CVE-2023-39323, CVE-2023-39325, CVE-2023-44487
JIRA References:
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src): go-1.21-41.1, go1.21-1.21.3-2.1

SUSE-SU-2023:4472-1: An update that solves five vulnerabilities can now be installed.
Category: security (important)
Bug References: 1206346, 1215985, 1216109, 1216943, 1216944
CVE References: CVE-2023-39323, CVE-2023-39325, CVE-2023-44487, CVE-2023-45283, CVE-2023-45284
Sources used:
openSUSE Leap 15.4 (src): go1.20-openssl-1.20.11.1-150000.1.14.1
openSUSE Leap 15.5 (src): go1.20-openssl-1.20.11.1-150000.1.14.1
Development Tools Module 15-SP4 (src): go1.20-openssl-1.20.11.1-150000.1.14.1
Development Tools Module 15-SP5 (src): go1.20-openssl-1.20.11.1-150000.1.14.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2023:4469-1: An update that solves 10 vulnerabilities, contains one feature and has two security fixes can now be installed.
Category: security (moderate)
Bug References: 1212475, 1212667, 1212669, 1215084, 1215085, 1215086, 1215087, 1215090, 1215985, 1216109, 1216943, 1216944
CVE References: CVE-2023-39318, CVE-2023-39319, CVE-2023-39320, CVE-2023-39321, CVE-2023-39322, CVE-2023-39323, CVE-2023-39325, CVE-2023-44487, CVE-2023-45283, CVE-2023-45284
Jira References: SLE-18320
Sources used:
openSUSE Leap 15.4 (src): go1.21-openssl-1.21.4.1-150000.1.5.1
openSUSE Leap 15.5 (src): go1.21-openssl-1.21.4.1-150000.1.5.1
Development Tools Module 15-SP4 (src): go1.21-openssl-1.21.4.1-150000.1.5.1
Development Tools Module 15-SP5 (src): go1.21-openssl-1.21.4.1-150000.1.5.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
All done, closing.
*** Bug 1230184 has been marked as a duplicate of this bug. ***
SUSE-SU-2024:3344-1: An update that solves four vulnerabilities and has four security fixes can now be installed.
URL: https://www.suse.com/support/update/announcement/2024/suse-su-20243344-1
Category: security (important)
Bug References: 1216109, 1216123, 1221400, 1226136, 1229858, 1229867, 1229869, 1230323
CVE References: CVE-2023-39325, CVE-2023-44487, CVE-2023-45288, CVE-2024-24786
Maintenance Incident: [SUSE:Maintenance:35646](https://smelt.suse.de/incident/35646/)
Sources used:
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src): kubernetes1.25-1.25.16-150400.9.16.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src): kubernetes1.25-1.25.16-150400.9.16.1
openSUSE Leap 15.4 (src): kubernetes1.25-1.25.16-150400.9.16.1
openSUSE Leap 15.5 (src): kubernetes1.25-1.25.16-150400.9.16.1
openSUSE Leap 15.6 (src): kubernetes1.25-1.25.16-150400.9.16.1
Containers Module 15-SP5 (src): kubernetes1.25-1.25.16-150400.9.16.1
Containers Module 15-SP6 (src): kubernetes1.25-1.25.16-150400.9.16.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src): kubernetes1.25-1.25.16-150400.9.16.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src): kubernetes1.25-1.25.16-150400.9.16.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2024:3343-1: An update that solves nine vulnerabilities and has six security fixes can now be installed.
URL: https://www.suse.com/support/update/announcement/2024/suse-su-20243343-1
Category: security (important)
Bug References: 1062303, 1194400, 1211630, 1211631, 1214406, 1216109, 1216123, 1219964, 1221400, 1222539, 1226136, 1229858, 1229867, 1229869, 1230323
CVE References: CVE-2021-25743, CVE-2023-2727, CVE-2023-2728, CVE-2023-39325, CVE-2023-44487, CVE-2023-45288, CVE-2024-0793, CVE-2024-24786, CVE-2024-3177
Maintenance Incident: [SUSE:Maintenance:35690](https://smelt.suse.de/incident/35690/)
Sources used:
openSUSE Leap 15.3 (src): kubernetes1.24-1.24.17-150300.7.6.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): kubernetes1.24-1.24.17-150300.7.6.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): kubernetes1.24-1.24.17-150300.7.6.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): kubernetes1.24-1.24.17-150300.7.6.1
SUSE Enterprise Storage 7.1 (src): kubernetes1.24-1.24.17-150300.7.6.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2024:3342-1: An update that solves four vulnerabilities and has four security fixes can now be installed.
URL: https://www.suse.com/support/update/announcement/2024/suse-su-20243342-1
Category: security (important)
Bug References: 1216109, 1216123, 1221400, 1226136, 1229858, 1229867, 1229869, 1230323
CVE References: CVE-2023-39325, CVE-2023-44487, CVE-2023-45288, CVE-2024-24786
Maintenance Incident: [SUSE:Maintenance:35689](https://smelt.suse.de/incident/35689/)
Sources used:
openSUSE Leap 15.5 (src): kubernetes1.24-1.24.17-150500.3.22.1
openSUSE Leap 15.6 (src): kubernetes1.24-1.24.17-150500.3.22.1
Containers Module 15-SP5 (src): kubernetes1.24-1.24.17-150500.3.22.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2024:3341-1: An update that solves nine vulnerabilities and has six security fixes can now be installed.
URL: https://www.suse.com/support/update/announcement/2024/suse-su-20243341-1
Category: security (important)
Bug References: 1062303, 1194400, 1211630, 1211631, 1214406, 1216109, 1216123, 1219964, 1221400, 1222539, 1226136, 1229858, 1229867, 1229869, 1230323
CVE References: CVE-2021-25743, CVE-2023-2727, CVE-2023-2728, CVE-2023-39325, CVE-2023-44487, CVE-2023-45288, CVE-2024-0793, CVE-2024-24786, CVE-2024-3177
Maintenance Incident: [SUSE:Maintenance:32855](https://smelt.suse.de/incident/32855/)
Sources used:
openSUSE Leap 15.4 (src): kubernetes1.24-1.24.17-150400.9.16.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src): kubernetes1.24-1.24.17-150400.9.16.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src): kubernetes1.24-1.24.17-150400.9.16.1
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src): kubernetes1.24-1.24.17-150400.9.16.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src): kubernetes1.24-1.24.17-150400.9.16.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
This is an autogenerated message for OBS integration: This bug (1216109) was mentioned in https://build.opensuse.org/request/show/1222530 Backports:SLE-12 / go1.20