Fix CVE-2021-44716 (CP #7717). (#7815)

2024-02-09 13:10:38 -08:00 · 2024-02-09 13:10:38 -08:00 · fd5e30e0f8
--- a/SPECS/application-gateway-kubernetes-ingress/CVE-2021-44716.patch
+++ b/SPECS/application-gateway-kubernetes-ingress/CVE-2021-44716.patch
@ -0,0 +1,51 @@
+Parent:     db4efeb8 (http2: deflake TestTransportGroupsPendingDials)
+Author:     Damien Neil <dneil@google.com>
+AuthorDate: 2021-12-06 14:31:43 -0800
+Commit:     Filippo Valsorda <filippo@golang.org>
+CommitDate: 2021-12-09 12:49:13 +0000
+
+http2: cap the size of the server's canonical header cache
+
+The HTTP/2 server keeps a per-connection cache mapping header keys
+to their canonicalized form (e.g., "foo-bar" => "Foo-Bar"). Cap the
+maximum size of this cache to prevent a peer sending many unique
+header keys from causing unbounded memory growth.
+
+Cap chosen arbitrarily at 32 entries. Since this cache does not
+include common headers (e.g., "content-type"), 32 seems like more
+than enough for almost all normal uses.
+
+Fixes #50058
+Fixes CVE-2021-44716
+
+Change-Id: Ia83696dc23253c12af8f26d502557c2cc9841105
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1290827
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/net/+/369794
+Trust: Filippo Valsorda <filippo@golang.org>
+Run-TryBot: Filippo Valsorda <filippo@golang.org>
+Trust: Damien Neil <dneil@google.com>
+Reviewed-by: Russ Cox <rsc@golang.org>
+Reviewed-by: Filippo Valsorda <filippo@golang.org>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+
+diff -ru cli-20.10.27-orig/vendor/golang.org/x/net/http2/server.go cli-20.10.27/vendor/golang.org/x/net/http2/server.go
+--- cli-20.10.27-orig/vendor/golang.org/x/net/http2/server.go	2024-02-05 08:53:30.802532951 -0800
+++ cli-20.10.27/vendor/golang.org/x/net/http2/server.go	2024-02-05 09:19:08.473430121 -0800
+@@ -720,7 +720,15 @@
+ 		sc.canonHeader = make(map[string]string)
+ 	}
+ 	cv = http.CanonicalHeaderKey(v)
+-	sc.canonHeader[v] = cv
+	// maxCachedCanonicalHeaders is an arbitrarily-chosen limit on the number of
+	// entries in the canonHeader cache. This should be larger than the number
+	// of unique, uncommon header keys likely to be sent by the peer, while not
+	// so high as to permit unreaasonable memory usage if the peer sends an unbounded
+	// number of unique header keys.
+	const maxCachedCanonicalHeaders = 32
+	if len(sc.canonHeader) < maxCachedCanonicalHeaders {
+		sc.canonHeader[v] = cv
+	}	
+ 	return cv
+ }
+ 
--- a/SPECS/application-gateway-kubernetes-ingress/application-gateway-kubernetes-ingress.spec
+++ b/SPECS/application-gateway-kubernetes-ingress/application-gateway-kubernetes-ingress.spec
@ -2,7 +2,7 @@
 Summary:        Application Gateway Ingress Controller
 Name:           application-gateway-kubernetes-ingress
 Version:        1.4.0
-Release:        18%{?dist}
+Release:        19%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@ -24,9 +24,13 @@ Source0:        %{name}-%{version}.tar.gz
 #           -cf %%{name}-%%{version}-vendor.tar.gz vendor
 #
 Source1:        %{name}-%{version}-vendor.tar.gz
+
+# patches for vendored code >= 1000
 # If upstream ever upgrades client_goland to 1.11.1, we can get rid of this patch.
-Patch0:         CVE-2022-21698.patch
-Patch1:         CVE-2023-44487.patch
+Patch1000:      CVE-2022-21698.patch
+Patch1001:      CVE-2023-44487.patch
+Patch1002:      CVE-2021-44716.patch
+
 BuildRequires:  golang >= 1.13
 %if %{with_check}
 BuildRequires:  helm
@ -64,6 +68,9 @@ cp appgw-ingress %{buildroot}%{_bindir}/
 %{_bindir}/appgw-ingress

 %changelog
+* Mon Feb 05 2024 Nicolas Guibourge <nicolasg@microsoft.com> - 1.4.0-19
+- Patch CVE-2021-44716
+
 * Thu Feb 01 2024 Daniel McIlvaney <damcilva@microsoft.com> - 1.4.0-18
 - Address CVE-2023-44487 by patching vendored golang.org/x/net
 - Add check section
--- a/SPECS/cf-cli/CVE-2021-44716.patch
+++ b/SPECS/cf-cli/CVE-2021-44716.patch
@ -0,0 +1,51 @@
+Parent:     db4efeb8 (http2: deflake TestTransportGroupsPendingDials)
+Author:     Damien Neil <dneil@google.com>
+AuthorDate: 2021-12-06 14:31:43 -0800
+Commit:     Filippo Valsorda <filippo@golang.org>
+CommitDate: 2021-12-09 12:49:13 +0000
+
+http2: cap the size of the server's canonical header cache
+
+The HTTP/2 server keeps a per-connection cache mapping header keys
+to their canonicalized form (e.g., "foo-bar" => "Foo-Bar"). Cap the
+maximum size of this cache to prevent a peer sending many unique
+header keys from causing unbounded memory growth.
+
+Cap chosen arbitrarily at 32 entries. Since this cache does not
+include common headers (e.g., "content-type"), 32 seems like more
+than enough for almost all normal uses.
+
+Fixes #50058
+Fixes CVE-2021-44716
+
+Change-Id: Ia83696dc23253c12af8f26d502557c2cc9841105
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1290827
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/net/+/369794
+Trust: Filippo Valsorda <filippo@golang.org>
+Run-TryBot: Filippo Valsorda <filippo@golang.org>
+Trust: Damien Neil <dneil@google.com>
+Reviewed-by: Russ Cox <rsc@golang.org>
+Reviewed-by: Filippo Valsorda <filippo@golang.org>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+
+diff -ru cli-20.10.27-orig/vendor/golang.org/x/net/http2/server.go cli-20.10.27/vendor/golang.org/x/net/http2/server.go
+--- cli-20.10.27-orig/vendor/golang.org/x/net/http2/server.go	2024-02-05 08:53:30.802532951 -0800
+++ cli-20.10.27/vendor/golang.org/x/net/http2/server.go	2024-02-05 09:19:08.473430121 -0800
+@@ -720,7 +720,15 @@
+ 		sc.canonHeader = make(map[string]string)
+ 	}
+ 	cv = http.CanonicalHeaderKey(v)
+-	sc.canonHeader[v] = cv
+	// maxCachedCanonicalHeaders is an arbitrarily-chosen limit on the number of
+	// entries in the canonHeader cache. This should be larger than the number
+	// of unique, uncommon header keys likely to be sent by the peer, while not
+	// so high as to permit unreaasonable memory usage if the peer sends an unbounded
+	// number of unique header keys.
+	const maxCachedCanonicalHeaders = 32
+	if len(sc.canonHeader) < maxCachedCanonicalHeaders {
+		sc.canonHeader[v] = cv
+	}	
+ 	return cv
+ }
+ 
--- a/SPECS/cf-cli/cf-cli.spec
+++ b/SPECS/cf-cli/cf-cli.spec
@ -1,7 +1,7 @@
 Summary:        The official command line client for Cloud Foundry.
 Name:           cf-cli
 Version:        8.4.0
-Release:        15%{?dist}
+Release:        16%{?dist}
 License:        Apache-2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@ -27,7 +27,10 @@ Source0:        https://github.com/cloudfoundry/cli/archive/refs/tags/v%{version
 #         See: https://reproducible-builds.org/docs/archives/
 #       - For the value of "--mtime" use the date "2021-04-26 00:00Z" to simplify future updates.
 Source1:        cli-%{version}-vendor.tar.gz
-Patch0:         CVE-2023-44487.patch
+
+# patches for vendored code >= 1000
+Patch1000:      CVE-2023-44487.patch
+Patch1001:      CVE-2021-44716.patch

 BuildRequires:  golang >= 1.18.3
 %global debug_package %{nil}
@ -62,6 +65,9 @@ install -p -m 755 -t %{buildroot}%{_bindir} ./out/cf
 %{_bindir}/cf

 %changelog
+* Mon Feb 05 2024 Nicolas Guibourge <nicolasg@microsoft.com> - 8.4.0-16
+- Patch CVE-2021-44716
+
 * Thu Feb 01 2024 Daniel McIlvaney <damcilva@microsoft.com> - 8.4.0-15
 - Address CVE-2023-44487 by patching vendored golang.org/x/net

--- a/SPECS/csi-driver-lvm/CVE-2021-44716.patch
+++ b/SPECS/csi-driver-lvm/CVE-2021-44716.patch
@ -0,0 +1,51 @@
+Parent:     db4efeb8 (http2: deflake TestTransportGroupsPendingDials)
+Author:     Damien Neil <dneil@google.com>
+AuthorDate: 2021-12-06 14:31:43 -0800
+Commit:     Filippo Valsorda <filippo@golang.org>
+CommitDate: 2021-12-09 12:49:13 +0000
+
+http2: cap the size of the server's canonical header cache
+
+The HTTP/2 server keeps a per-connection cache mapping header keys
+to their canonicalized form (e.g., "foo-bar" => "Foo-Bar"). Cap the
+maximum size of this cache to prevent a peer sending many unique
+header keys from causing unbounded memory growth.
+
+Cap chosen arbitrarily at 32 entries. Since this cache does not
+include common headers (e.g., "content-type"), 32 seems like more
+than enough for almost all normal uses.
+
+Fixes #50058
+Fixes CVE-2021-44716
+
+Change-Id: Ia83696dc23253c12af8f26d502557c2cc9841105
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1290827
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/net/+/369794
+Trust: Filippo Valsorda <filippo@golang.org>
+Run-TryBot: Filippo Valsorda <filippo@golang.org>
+Trust: Damien Neil <dneil@google.com>
+Reviewed-by: Russ Cox <rsc@golang.org>
+Reviewed-by: Filippo Valsorda <filippo@golang.org>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+
+diff -ru cli-20.10.27-orig/vendor/golang.org/x/net/http2/server.go cli-20.10.27/vendor/golang.org/x/net/http2/server.go
+--- cli-20.10.27-orig/vendor/golang.org/x/net/http2/server.go	2024-02-05 08:53:30.802532951 -0800
+++ cli-20.10.27/vendor/golang.org/x/net/http2/server.go	2024-02-05 09:19:08.473430121 -0800
+@@ -720,7 +720,15 @@
+ 		sc.canonHeader = make(map[string]string)
+ 	}
+ 	cv = http.CanonicalHeaderKey(v)
+-	sc.canonHeader[v] = cv
+	// maxCachedCanonicalHeaders is an arbitrarily-chosen limit on the number of
+	// entries in the canonHeader cache. This should be larger than the number
+	// of unique, uncommon header keys likely to be sent by the peer, while not
+	// so high as to permit unreaasonable memory usage if the peer sends an unbounded
+	// number of unique header keys.
+	const maxCachedCanonicalHeaders = 32
+	if len(sc.canonHeader) < maxCachedCanonicalHeaders {
+		sc.canonHeader[v] = cv
+	}	
+ 	return cv
+ }
+ 
--- a/SPECS/csi-driver-lvm/csi-driver-lvm.spec
+++ b/SPECS/csi-driver-lvm/csi-driver-lvm.spec
@ -1,7 +1,7 @@
 Summary:        Container storage interface for logical volume management
 Name:           csi-driver-lvm
 Version:        0.4.1
-Release:        14%{?dist}
+Release:        15%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@ -19,6 +19,10 @@ Source0:        https://github.com/metal-stack/%{name}/archive/refs/tags/v%{vers
 #           --pax-option=exthdr.name=%d/PaxHeaders/%f,delete=atime,delete=ctime \
 #           -cf %%{name}-%%{version}-govendor.tar.gz vendor
 Source1:        %{name}-%{version}-govendor.tar.gz
+
+# patches for vendored code >= 1000
+Patch1000:      CVE-2021-44716.patch
+
 BuildRequires:  golang
 Requires:       %{name}-csi-lvmplugin-provisioner
 Requires:       %{name}-lvmplugin
@ -39,8 +43,12 @@ Summary:        csi-driver-lvm's lvmplugin binary
 lvmplugin collects the size of logical volumes (LV) and free space inside a volume group (VG) from Linux' Logical Volume Manager (LVM).

 %prep
-%autosetup
-%setup -q -T -D -a 1
+%autosetup -N
+
+# Apply vendor before patching
+tar --no-same-owner -xf %{SOURCE1}
+
+%autopatch -p1

 %build
 %make_build
@ -63,6 +71,9 @@ install -D -m0755 bin/lvmplugin %{buildroot}%{_bindir}/
 %{_bindir}/lvmplugin

 %changelog
+* Mon Feb 05 2024 Nicolas Guibourge <nicolasg@microsoft.com> - 0.4.1-15
+- Patch CVE-2021-44716
+
 * Mon Oct 16 2023 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 0.4.1-14
 - Bump release to rebuild with go 1.20.9

--- a/SPECS/git-lfs/CVE-2021-44716.patch
+++ b/SPECS/git-lfs/CVE-2021-44716.patch
@ -0,0 +1,51 @@
+Parent:     db4efeb8 (http2: deflake TestTransportGroupsPendingDials)
+Author:     Damien Neil <dneil@google.com>
+AuthorDate: 2021-12-06 14:31:43 -0800
+Commit:     Filippo Valsorda <filippo@golang.org>
+CommitDate: 2021-12-09 12:49:13 +0000
+
+http2: cap the size of the server's canonical header cache
+
+The HTTP/2 server keeps a per-connection cache mapping header keys
+to their canonicalized form (e.g., "foo-bar" => "Foo-Bar"). Cap the
+maximum size of this cache to prevent a peer sending many unique
+header keys from causing unbounded memory growth.
+
+Cap chosen arbitrarily at 32 entries. Since this cache does not
+include common headers (e.g., "content-type"), 32 seems like more
+than enough for almost all normal uses.
+
+Fixes #50058
+Fixes CVE-2021-44716
+
+Change-Id: Ia83696dc23253c12af8f26d502557c2cc9841105
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1290827
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/net/+/369794
+Trust: Filippo Valsorda <filippo@golang.org>
+Run-TryBot: Filippo Valsorda <filippo@golang.org>
+Trust: Damien Neil <dneil@google.com>
+Reviewed-by: Russ Cox <rsc@golang.org>
+Reviewed-by: Filippo Valsorda <filippo@golang.org>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+
+diff -ru cli-20.10.27-orig/vendor/golang.org/x/net/http2/server.go cli-20.10.27/vendor/golang.org/x/net/http2/server.go
+--- cli-20.10.27-orig/vendor/golang.org/x/net/http2/server.go	2024-02-05 08:53:30.802532951 -0800
+++ cli-20.10.27/vendor/golang.org/x/net/http2/server.go	2024-02-05 09:19:08.473430121 -0800
+@@ -720,7 +720,15 @@
+ 		sc.canonHeader = make(map[string]string)
+ 	}
+ 	cv = http.CanonicalHeaderKey(v)
+-	sc.canonHeader[v] = cv
+	// maxCachedCanonicalHeaders is an arbitrarily-chosen limit on the number of
+	// entries in the canonHeader cache. This should be larger than the number
+	// of unique, uncommon header keys likely to be sent by the peer, while not
+	// so high as to permit unreaasonable memory usage if the peer sends an unbounded
+	// number of unique header keys.
+	const maxCachedCanonicalHeaders = 32
+	if len(sc.canonHeader) < maxCachedCanonicalHeaders {
+		sc.canonHeader[v] = cv
+	}	
+ 	return cv
+ }
+ 
--- a/SPECS/git-lfs/git-lfs.spec
+++ b/SPECS/git-lfs/git-lfs.spec
@ -2,7 +2,7 @@
 Summary:       Git extension for versioning large files
 Name:          git-lfs
 Version:       3.1.4
-Release:       16%{?dist}
+Release:       17%{?dist}
 Group:         System Environment/Programming
 Vendor:        Microsoft Corporation
 Distribution:  Mariner
@ -28,7 +28,10 @@ Source0:       https://github.com/git-lfs/git-lfs/archive/v%{version}.tar.gz#/%{
 #         See: https://reproducible-builds.org/docs/archives/
 #       - For the value of "--mtime" use the date "2021-04-26 00:00Z" to simplify future updates.
 Source1:       %{name}-%{version}-vendor.tar.gz
-Patch0:        CVE-2023-44487.patch
+
+# patches for vendored code >= 1000
+Patch1000:     CVE-2023-44487.patch
+Patch1001:     CVE-2021-44716.patch

 BuildRequires: golang
 BuildRequires: which
@ -80,6 +83,9 @@ git lfs uninstall
 %{_mandir}/man5/*

 %changelog
+* Mon Feb 05 2024 Nicolas Guibourge <nicolasg@microsoft.com> - 3.1.4-17
+- Patch CVE-2021-44716
+
 * Thu Feb 01 2024 Daniel McIlvaney <damcilva@microsoft.com> - 3.1.4-16
 - Address CVE-2023-44487 by patching vendored golang.org/x/net

--- a/SPECS/jx/CVE-2021-44716.patch
+++ b/SPECS/jx/CVE-2021-44716.patch
@ -0,0 +1,51 @@
+Parent:     db4efeb8 (http2: deflake TestTransportGroupsPendingDials)
+Author:     Damien Neil <dneil@google.com>
+AuthorDate: 2021-12-06 14:31:43 -0800
+Commit:     Filippo Valsorda <filippo@golang.org>
+CommitDate: 2021-12-09 12:49:13 +0000
+
+http2: cap the size of the server's canonical header cache
+
+The HTTP/2 server keeps a per-connection cache mapping header keys
+to their canonicalized form (e.g., "foo-bar" => "Foo-Bar"). Cap the
+maximum size of this cache to prevent a peer sending many unique
+header keys from causing unbounded memory growth.
+
+Cap chosen arbitrarily at 32 entries. Since this cache does not
+include common headers (e.g., "content-type"), 32 seems like more
+than enough for almost all normal uses.
+
+Fixes #50058
+Fixes CVE-2021-44716
+
+Change-Id: Ia83696dc23253c12af8f26d502557c2cc9841105
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1290827
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/net/+/369794
+Trust: Filippo Valsorda <filippo@golang.org>
+Run-TryBot: Filippo Valsorda <filippo@golang.org>
+Trust: Damien Neil <dneil@google.com>
+Reviewed-by: Russ Cox <rsc@golang.org>
+Reviewed-by: Filippo Valsorda <filippo@golang.org>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+
+diff -ru cli-20.10.27-orig/vendor/golang.org/x/net/http2/server.go cli-20.10.27/vendor/golang.org/x/net/http2/server.go
+--- cli-20.10.27-orig/vendor/golang.org/x/net/http2/server.go	2024-02-05 08:53:30.802532951 -0800
+++ cli-20.10.27/vendor/golang.org/x/net/http2/server.go	2024-02-05 09:19:08.473430121 -0800
+@@ -720,7 +720,15 @@
+ 		sc.canonHeader = make(map[string]string)
+ 	}
+ 	cv = http.CanonicalHeaderKey(v)
+-	sc.canonHeader[v] = cv
+	// maxCachedCanonicalHeaders is an arbitrarily-chosen limit on the number of
+	// entries in the canonHeader cache. This should be larger than the number
+	// of unique, uncommon header keys likely to be sent by the peer, while not
+	// so high as to permit unreaasonable memory usage if the peer sends an unbounded
+	// number of unique header keys.
+	const maxCachedCanonicalHeaders = 32
+	if len(sc.canonHeader) < maxCachedCanonicalHeaders {
+		sc.canonHeader[v] = cv
+	}	
+ 	return cv
+ }
+ 
--- a/SPECS/jx/jx.spec
+++ b/SPECS/jx/jx.spec
@ -1,7 +1,7 @@
 Summary:        Command line tool for working with Jenkins X.
 Name:           jx
 Version:        3.2.236
-Release:        15%{?dist}
+Release:        16%{?dist}
 License:        Apache-2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@ -27,7 +27,10 @@ Source0:        https://github.com/jenkins-x/jx/archive/v%{version}.tar.gz#/%{na
 #         See: https://reproducible-builds.org/docs/archives/
 #       - For the value of "--mtime" use the date "2021-04-26 00:00Z" to simplify future updates.
 Source1:        %{name}-%{version}-vendor.tar.gz
-Patch0:         CVE-2023-44487.patch
+
+# patches for vendored code >= 1000
+Patch1000:      CVE-2023-44487.patch
+Patch1001:      CVE-2021-44716.patch

 BuildRequires:  golang >= 1.17.1
 %global debug_package %{nil}
@ -70,6 +73,9 @@ make test && \
 %{_bindir}/jx

 %changelog
+* Mon Feb 05 2024 Nicolas Guibourge <nicolasg@microsoft.com> - 3.2.236-16
+- Patch CVE-2021-44716
+
 * Thu Feb 01 2024 Daniel McIlvaney <damcilva@microsoft.com> -3.2.236-15
 - Address CVE-2023-44487 by patching vendored golang.org/x/net
 - Add unit tests to check section
--- a/SPECS/keda/CVE-2021-44716.patch
+++ b/SPECS/keda/CVE-2021-44716.patch
@ -0,0 +1,51 @@
+Parent:     db4efeb8 (http2: deflake TestTransportGroupsPendingDials)
+Author:     Damien Neil <dneil@google.com>
+AuthorDate: 2021-12-06 14:31:43 -0800
+Commit:     Filippo Valsorda <filippo@golang.org>
+CommitDate: 2021-12-09 12:49:13 +0000
+
+http2: cap the size of the server's canonical header cache
+
+The HTTP/2 server keeps a per-connection cache mapping header keys
+to their canonicalized form (e.g., "foo-bar" => "Foo-Bar"). Cap the
+maximum size of this cache to prevent a peer sending many unique
+header keys from causing unbounded memory growth.
+
+Cap chosen arbitrarily at 32 entries. Since this cache does not
+include common headers (e.g., "content-type"), 32 seems like more
+than enough for almost all normal uses.
+
+Fixes #50058
+Fixes CVE-2021-44716
+
+Change-Id: Ia83696dc23253c12af8f26d502557c2cc9841105
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1290827
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/net/+/369794
+Trust: Filippo Valsorda <filippo@golang.org>
+Run-TryBot: Filippo Valsorda <filippo@golang.org>
+Trust: Damien Neil <dneil@google.com>
+Reviewed-by: Russ Cox <rsc@golang.org>
+Reviewed-by: Filippo Valsorda <filippo@golang.org>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+
+diff -ru cli-20.10.27-orig/vendor/golang.org/x/net/http2/server.go cli-20.10.27/vendor/golang.org/x/net/http2/server.go
+--- cli-20.10.27-orig/vendor/golang.org/x/net/http2/server.go	2024-02-05 08:53:30.802532951 -0800
+++ cli-20.10.27/vendor/golang.org/x/net/http2/server.go	2024-02-05 09:19:08.473430121 -0800
+@@ -720,7 +720,15 @@
+ 		sc.canonHeader = make(map[string]string)
+ 	}
+ 	cv = http.CanonicalHeaderKey(v)
+-	sc.canonHeader[v] = cv
+	// maxCachedCanonicalHeaders is an arbitrarily-chosen limit on the number of
+	// entries in the canonHeader cache. This should be larger than the number
+	// of unique, uncommon header keys likely to be sent by the peer, while not
+	// so high as to permit unreaasonable memory usage if the peer sends an unbounded
+	// number of unique header keys.
+	const maxCachedCanonicalHeaders = 32
+	if len(sc.canonHeader) < maxCachedCanonicalHeaders {
+		sc.canonHeader[v] = cv
+	}	
+ 	return cv
+ }
+ 
--- a/SPECS/keda/keda.spec
+++ b/SPECS/keda/keda.spec
@ -1,7 +1,7 @@
 Summary:        Kubernetes-based Event Driven Autoscaling
 Name:           keda
 Version:        2.4.0
-Release:        17%{?dist}
+Release:        18%{?dist}
 License:        ASL 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@ -29,7 +29,10 @@ Source1:        %{name}-%{version}-vendor-v2.tar.gz
 # Patches the version of client_golang used in the vendored source. Should be applied before creating the vendored tarball.
 # Can be removed if we upgrade keda to 2.6.0 or later.
 Patch0:         CVE-2022-21698.patch
-Patch1:         CVE-2023-44487.patch
+
+# patches for vendored code >= 1000
+Patch1000:         CVE-2023-44487.patch
+Patch1001:         CVE-2021-44716.patch

 BuildRequires:  golang >= 1.15

@ -65,6 +68,12 @@ cp ./bin/keda-adapter %{buildroot}%{_bindir}
 %{_bindir}/%{name}-adapter

 %changelog
+* Mon Feb 05 2024 Nicolas Guibourge <nicolasg@microsoft.com> - 2.4.0-18
+- Patch CVE-2021-44716
+
+* Mon Feb 05 2024 Daniel McIlvaney <damcilva@microsoft.com> - 2.4.0-17
+- Address CVE-2023-44487 by patching vendored golang.org/x/net/http2
+
 * Tue Jan 01 2024 Tobias Brick <tobiasb@microsoft.com> - 2.4.0-16
 - Patch CVE-2022-21698
 - Update vendored tarball
--- a/SPECS/moby-cli/CVE-2021-44716.patch
+++ b/SPECS/moby-cli/CVE-2021-44716.patch
@ -0,0 +1,51 @@
+Parent:     db4efeb8 (http2: deflake TestTransportGroupsPendingDials)
+Author:     Damien Neil <dneil@google.com>
+AuthorDate: 2021-12-06 14:31:43 -0800
+Commit:     Filippo Valsorda <filippo@golang.org>
+CommitDate: 2021-12-09 12:49:13 +0000
+
+http2: cap the size of the server's canonical header cache
+
+The HTTP/2 server keeps a per-connection cache mapping header keys
+to their canonicalized form (e.g., "foo-bar" => "Foo-Bar"). Cap the
+maximum size of this cache to prevent a peer sending many unique
+header keys from causing unbounded memory growth.
+
+Cap chosen arbitrarily at 32 entries. Since this cache does not
+include common headers (e.g., "content-type"), 32 seems like more
+than enough for almost all normal uses.
+
+Fixes #50058
+Fixes CVE-2021-44716
+
+Change-Id: Ia83696dc23253c12af8f26d502557c2cc9841105
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1290827
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/net/+/369794
+Trust: Filippo Valsorda <filippo@golang.org>
+Run-TryBot: Filippo Valsorda <filippo@golang.org>
+Trust: Damien Neil <dneil@google.com>
+Reviewed-by: Russ Cox <rsc@golang.org>
+Reviewed-by: Filippo Valsorda <filippo@golang.org>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+
+diff -ru cli-20.10.27-orig/vendor/golang.org/x/net/http2/server.go cli-20.10.27/vendor/golang.org/x/net/http2/server.go
+--- cli-20.10.27-orig/vendor/golang.org/x/net/http2/server.go	2024-02-05 08:53:30.802532951 -0800
+++ cli-20.10.27/vendor/golang.org/x/net/http2/server.go	2024-02-05 09:19:08.473430121 -0800
+@@ -720,7 +720,15 @@
+ 		sc.canonHeader = make(map[string]string)
+ 	}
+ 	cv = http.CanonicalHeaderKey(v)
+-	sc.canonHeader[v] = cv
+	// maxCachedCanonicalHeaders is an arbitrarily-chosen limit on the number of
+	// entries in the canonHeader cache. This should be larger than the number
+	// of unique, uncommon header keys likely to be sent by the peer, while not
+	// so high as to permit unreaasonable memory usage if the peer sends an unbounded
+	// number of unique header keys.
+	const maxCachedCanonicalHeaders = 32
+	if len(sc.canonHeader) < maxCachedCanonicalHeaders {
+		sc.canonHeader[v] = cv
+	}	
+ 	return cv
+ }
+ 
--- a/SPECS/moby-cli/moby-cli.spec
+++ b/SPECS/moby-cli/moby-cli.spec
@ -4,7 +4,7 @@
 Summary: The open-source application container engine client.
 Name: moby-%{upstream_name}
 Version: 20.10.27
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: ASL 2.0
 Group: Tools/Container
 URL: https://github.com/docker/cli
@ -14,6 +14,7 @@ Distribution: Mariner
 Source0: https://github.com/docker/cli/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
 Patch0: CVE-2023-48795.patch
 Patch1: CVE-2022-21698.patch
+Patch2: CVE-2021-44716.patch

 BuildRequires: golang >= 1.16.12
 BuildRequires: make
@ -82,6 +83,9 @@ install -p -m 644 contrib/completion/fish/docker.fish %{buildroot}%{_datadir}/fi
 %{_datadir}/fish/vendor_completions.d/docker.fish

 %changelog
+* Mon Feb 05 2024 Nicolas Guibourge <nicolasg@microsoft.com> - 20.10.27-4
+- Patch CVE-2021-44716
+
 * Fri Feb 02 2024 Tobias Brick <tobiasb@microsoft.com> - 20.10.27-3
 - Patch CVE-2022-21698