
Upstream Sync Report 2026-07-03: Security fixes (CVE-2026-33814, CVE-2026-56853), quic-go v0.60.0, 70+ upstream commits #502

Description

@imroc

Upstream Sync Report — 2026-07-03

This is an automated report from the Upstream Sync Tracking Loop. It summarizes upstream changes in Go stdlib net/http, golang.org/x/net/http2, and quic-go since the last baselines.

Current Baselines (before this run)

  • Go stdlib net/http: 2024-09-10 (ad6ee2)
  • golang.org/x/net/http2: 2024-09-06 (3c333c)
  • quic-go: v0.59.0

New Baselines (after this run)

  • Go stdlib net/http: 2026-07-02 (aa44f96)
  • golang.org/x/net/http2: 2026-07-01 (bd5f1dc)
  • quic-go: v0.60.0 (released 2026-06-06)

1. Go stdlib net/http — 35 commits since baseline

Security Fixes (7 commits)

  • 1952e61 (Jul 1, 2026): CVE-2026-56853, header timeout not applied to the server's HTTP/2 preface read. Later reverted in 821f3ff for rc2 consistency; expected back in rc3.
  • 3d3798e (Jul 2, 2026): HTTP/2 trailers exceeding MaxResponseHeaderBytes were silently truncated instead of returning an error.
  • cabdf7f (Jun 18, 2026): Header injection via trailers. Trailer names like X-Trailer\r\nInjected: 1 were copied verbatim, allowing header injection. Now validates via httpguts.ValidHeaderFieldName/ValidHeaderFieldValue.
  • 3f9d49f (Jun 4, 2026): Sensitive header leakage on redirect. Punycode manipulation via proxy Host header could bypass header stripping on cross-host redirects. Now uses raw Punycode.
  • e95518b (Jun 9, 2026): HTTP/2: non-identical duplicate Content-Length headers were silently accepted (RFC 9112 violation).
  • b6a3601 (Jun 17, 2026): HTTP/2: server SETTINGS frames not validated against flow control limits.
  • 7601c4b (May 13, 2026): HTTP/2: accepted malformed requests with END_STREAM + non-zero Content-Length.
  • 06bb174 (Jun 29, 2026): Server hangs draining the request body when Expect: 100-continue is set and the server rejects early.
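As an added illustration of the trailer-injection class fixed in cabdf7f (example code written for this report, not code from net/http or from req): the unsafe writer copies trailer names and values verbatim, so a name carrying CR LF becomes two separate fields on the wire; the hardened writer validates first and returns an error instead of sanitizing. The validFieldName/validFieldValue functions are a stand-alone re-implementation of the RFC 9110 token and field-value rules and are assumed to match what httpguts.ValidHeaderFieldName/ValidHeaderFieldValue enforce; the trailer input is constructed.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// isTchar reports whether c is an RFC 9110 token character, the only kind
// permitted in a header or trailer field name. CR, LF, SP and ':' are not.
func isTchar(c byte) bool {
	if 'a' <= c && c <= 'z' || 'A' <= c && c <= 'Z' || '0' <= c && c <= '9' {
		return true
	}
	return strings.IndexByte("!#$%&'*+-.^_`|~", c) >= 0
}

// validFieldName: non-empty and made only of token characters.
// (Re-implementation of the httpguts rule, assumed equivalent.)
func validFieldName(name string) bool {
	if name == "" {
		return false
	}
	for i := 0; i < len(name); i++ {
		if !isTchar(name[i]) {
			return false
		}
	}
	return true
}

// validFieldValue: no control characters other than HTAB, and no DEL.
// Rejecting CR and LF is what keeps a value from ending its line early.
func validFieldValue(v string) bool {
	for i := 0; i < len(v); i++ {
		c := v[i]
		if c == '\t' {
			continue
		}
		if c < 0x20 || c == 0x7f {
			return false
		}
	}
	return true
}

var errBadTrailer = errors.New("invalid trailer field")

// writeTrailersUnsafe reproduces the pre-fix behaviour: the name is written
// as-is, so "X-Trailer\r\nInjected: 1" is emitted as two field lines.
func writeTrailersUnsafe(w io.Writer, trailer http.Header) {
	for name, vals := range trailer {
		for _, v := range vals {
			fmt.Fprintf(w, "%s: %s\r\n", name, v)
		}
	}
	io.WriteString(w, "\r\n")
}

// writeTrailers is the hardened form: validate every name and value before
// writing anything, and fail loudly rather than emitting a quietly altered block.
func writeTrailers(w io.Writer, trailer http.Header) error {
	for name, vals := range trailer {
		if !validFieldName(name) {
			return fmt.Errorf("%w: name %q", errBadTrailer, name)
		}
		for _, v := range vals {
			if !validFieldValue(v) {
				return fmt.Errorf("%w: value %q for %s", errBadTrailer, v, name)
			}
		}
	}
	for name, vals := range trailer {
		for _, v := range vals {
			fmt.Fprintf(w, "%s: %s\r\n", name, v)
		}
	}
	_, err := io.WriteString(w, "\r\n")
	return err
}

// parseFieldLines splits a wire-format block into the field lines a peer
// would see, which is how the test counts the injected field.
func parseFieldLines(block string) []string {
	var lines []string
	for _, l := range strings.Split(block, "\r\n") {
		if l != "" {
			lines = append(lines, l)
		}
	}
	return lines
}

func main() {
	// Constructed trailer whose name itself carries CR LF.
	injected := http.Header{"X-Trailer\r\nInjected: 1": {"ok"}}
	var buf bytes.Buffer
	writeTrailersUnsafe(&buf, injected)
	fmt.Printf("unsafe writer produced %d field lines: %q\n",
		len(parseFieldLines(buf.String())), parseFieldLines(buf.String()))
	fmt.Println("hardened writer:", writeTrailers(io.Discard, injected))
	fmt.Println("hardened writer, clean trailer:", writeTrailers(io.Discard, http.Header{"X-Checksum": {"abc"}}))
}
```

The map literal is used deliberately instead of Header.Set, which would canonicalize the key and hide the CR LF; a port to req's transfer.go/response.go should validate at the point where trailer keys come from the peer or the caller, not after canonicalization.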

Breaking / Behavior Changes (6 commits)

  • d90bf6d (Jul 1, 2026): New Server.MaxHeaderValueCount setting (default 500).
  • cabdf7f (Jun 18, 2026): Trailer validation now errors instead of sanitizing CR/LF.
  • e95518b (Jun 9, 2026): HTTP/2 rejects duplicate Content-Length with different values.
  • 57f9a58 (Jun 23, 2026): Redirect now preserves RawPath escaping (prevents double-escaping).
  • 15b9fc2 (May 8, 2026): Transport can negotiate HTTP/2 with non-*tls.Conn connections (previously server-only).
  • 9a92465 (Jun 29, 2026): Reverted ReverseProxy body wrapping (noopCloseReader caused second-order issues).

Transport/Other Fixes

  • 5005a20 — gzipReader concurrent Read/Close deadlock fix
  • ea0da40 — HTTP/2 client conn closure on GOAWAY with zero in-flight requests
  • 96736b8 — Case-insensitive shouldCopyHeaderOnRedirect for ASCII

HTTP/3 Preparation

~12 commits address HTTP/3 test fixes (issues #78737, #70914), indicating active HTTP/3 stabilization work in stdlib.


2. golang.org/x/net/http2 — 35 commits since baseline

Security Fixes (4 commits)

  • 1e71bd8 (Apr 1, 2026), CVE-2026-33814 / #78476: Transport hangs on malformed SETTINGS frame.
  • 19f580f (Feb 18, 2026), #77652: Nil panic on unassigned frame types (e.g., ALTSVC 0x0a), a DoS.
  • 64b3af9 (Feb 3, 2026), #77331: Transport deadlock from WINDOW_UPDATE exceeding the 2^31-1 limit.
  • 4c78867 (Apr 30, 2026), #70914: HTTP/3: invalid characters in response headers not rejected.
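Four of the frame-level conditions listed in the stdlib and x/net tables above (differing duplicate Content-Length, END_STREAM with a non-zero Content-Length, a WINDOW_UPDATE that carries the window past 2^31-1, and a frame type the parser has no handler for) in one minimal Go demonstration. This is added example code for this report, not the stdlib or x/net framer and not req's internal/http2/; the frame layout and the checks follow RFC 9113, the error names are chosen to match its error codes, and the frames and header values are constructed.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"strconv"
)

// Error classes named after the HTTP/2 error codes (RFC 9113 Section 7).
var (
	errProtocol    = errors.New("PROTOCOL_ERROR")
	errFlowControl = errors.New("FLOW_CONTROL_ERROR")
	errFrameSize   = errors.New("FRAME_SIZE_ERROR")
	errMalformed   = errors.New("malformed request (stream PROTOCOL_ERROR)")
)

const (
	typeWindowUpdate = 0x8
	maxWindow        = 1<<31 - 1 // upper bound of a flow-control window
)

// frame is a decoded 9-byte frame header plus payload (RFC 9113 Section 4.1).
type frame struct {
	Type     uint8
	Flags    uint8
	StreamID uint32 // reserved high bit masked off, never trusted
	Payload  []byte
}

func parseFrame(b []byte) (frame, error) {
	if len(b) < 9 {
		return frame{}, errFrameSize
	}
	n := int(b[0])<<16 | int(b[1])<<8 | int(b[2])
	if len(b) < 9+n {
		return frame{}, errFrameSize
	}
	return frame{
		Type:     b[3],
		Flags:    b[4],
		StreamID: binary.BigEndian.Uint32(b[5:9]) & 0x7fffffff,
		Payload:  b[9 : 9+n],
	}, nil
}

// applyWindowUpdate adds a WINDOW_UPDATE increment to a send window. Summing in
// int64 lets an increment that would push the window past 2^31-1 be rejected as
// FLOW_CONTROL_ERROR instead of wrapping negative and stalling the sender.
func applyWindowUpdate(window int64, payload []byte) (int64, error) {
	if len(payload) != 4 {
		return window, errFrameSize
	}
	inc := int64(binary.BigEndian.Uint32(payload) & 0x7fffffff) // reserved bit ignored
	if inc == 0 {
		return window, errProtocol // zero increment is a protocol error (Section 6.9)
	}
	if window+inc > maxWindow {
		return window, errFlowControl
	}
	return window + inc, nil
}

// dispatch routes a frame to its handler. A type with no handler is discarded,
// as Section 4.1 requires, rather than used to index a table with no entry.
func dispatch(window int64, f frame) (int64, string, error) {
	switch f.Type {
	case typeWindowUpdate:
		w, err := applyWindowUpdate(window, f.Payload)
		return w, "WINDOW_UPDATE", err
	default:
		return window, fmt.Sprintf("ignored frame type 0x%x", f.Type), nil
	}
}

// requestContentLength validates the content-length field(s) of a request's
// HEADERS block. Duplicates with differing values are malformed (Section 8.1.1);
// END_STREAM on the HEADERS frame means no DATA follows, so a non-zero length
// can never be satisfied and is malformed too.
func requestContentLength(values []string, endStream bool) (int64, error) {
	if len(values) == 0 {
		return -1, nil // body length is then framed by DATA/END_STREAM alone
	}
	for _, v := range values[1:] {
		if v != values[0] {
			return -1, fmt.Errorf("%w: conflicting content-length values %q", errMalformed, values)
		}
	}
	n, err := strconv.ParseUint(values[0], 10, 63)
	if err != nil {
		return -1, fmt.Errorf("%w: bad content-length %q", errMalformed, values[0])
	}
	if endStream && n > 0 {
		return -1, fmt.Errorf("%w: content-length %d but END_STREAM set", errMalformed, n)
	}
	return int64(n), nil
}

func main() {
	// Constructed frames: a WINDOW_UPDATE whose increment overflows a 65535
	// window, and a frame of unassigned type 0x0a with a one-byte payload.
	overflow := []byte{0, 0, 4, typeWindowUpdate, 0, 0, 0, 0, 0, 0x7f, 0xff, 0xff, 0xff}
	unknown := []byte{0, 0, 1, 0x0a, 0, 0, 0, 0, 1, 0xaa}
	for _, raw := range [][]byte{overflow, unknown} {
		f, err := parseFrame(raw)
		if err != nil {
			fmt.Println("parse:", err)
			continue
		}
		_, what, err := dispatch(65535, f)
		fmt.Println(what, err)
	}
	fmt.Println(requestContentLength([]string{"10", "11"}, false))
	fmt.Println(requestContentLength([]string{"10"}, true))
}
```

When porting, the relevant property to preserve is that every one of these paths ends in a connection or stream error the caller can observe, never in a panic, a silent accept, or a window value the sender can no longer make progress against.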

Major Architectural Change — Go 1.27 Wrapping (8 commits)

Starting May 2026, x/net/http2 now wraps net/http's built-in HTTP/2 when built with Go 1.27+ (49810da). Key implications:

  • x/net/http2 becomes a thin wrapper, not a standalone implementation
  • Use -tags=http2legacy to revert to old behavior
  • h2c package deprecated (6c6f714)
  • Write schedulers deprecated (8afa12f): NewPriorityWriteScheduler, NewRandomWriteScheduler, PriorityWriteSchedulerConfig
  • Minimum Go version raised to 1.25.0 (29181b8)

Transport/Frame Fixes

  • bd5f1dc — Missing Transport init on NewClientConn
  • 42abb85 — Silent HTTP/1.1 downgrade in wrap configureTransport
  • 008e5e7 — Missing ALPN registration in wrap configureServer
  • 3eb9327 — No retry after RST_STREAM PROTOCOL_ERROR
  • f207862 — DisableClientPriority field added
  • 8f003b3 — SETTINGS_NO_RFC7540_PRIORITIES support

3. quic-go — 2 releases since baseline

v0.59.1 (2026-05-11) — Patch Release

  • Backports #5642: HTTP/3 trailer validation.

v0.60.0 (2026-06-06) — Minor Release

Breaking Change:

  • Requires Go 1.25+ (dropped Go 1.24). Uses sync.WaitGroup.Go and other Go 1.25 features.

New Feature — FIPS 140-3 Support:

  • FIPS 140-3 compliant when built with Go 1.26+ and Go Cryptographic Module
  • Switched to stdlib crypto/hkdf for QUIC HKDF
  • Uses stdlib TLS 1.3 AES-GCM for QUIC packet protection AEADs
  • cipher.NewGCMWithRandomNonce for address validation token encryption
  • ChaCha20-Poly1305 guarded to not run in FIPS mode

Notable Fixes:

  • Path probe packets now pass OOB data (correct network interface selection)
  • Stream/SendStream context cancelled when connection closes
  • http3: Validate Extended CONNECT :protocol pseudo-header
  • http3: Always set http.Request.Scheme and http.Request.Host
  • http3: Nil pointer dereference when Server.Logger is unset
  • OpenStreamSync returns context error on cancellation
  • Maximum datagram size estimation fix after MTU discovery

Impact Assessment for req

High Priority — Security Fixes to Port

  1. Header injection via trailers (cabdf7f) — req's modified transfer.go/response.go likely affected
  2. Sensitive header leakage on redirect (3f9d49f, 96736b8) — req's redirect logic in client.go/request.go may need equivalent fix
  3. HTTP/2 trailer truncation (3d3798e) — req's internal/http2/ modified code
  4. CVE-2026-33814 (1e71bd8) — HTTP/2 Transport hang on bad SETTINGS — req's internal/http2/
  5. HTTP/2 WINDOW_UPDATE deadlock (64b3af9) — req's internal/http2/
  6. Nil panic on unassigned frame types (19f580f) — req's internal/http2/ frame parser
  7. HTTP/2 flow limit validation (b6a3601) — req's internal/http2/
  8. Duplicate Content-Length rejection (e95518b) — req's internal/http2/ and transport.go
  9. END_STREAM + Content-Length rejection (7601c4b) — req's internal/http2/

Medium Priority — Behavior Changes

  1. Redirect RawPath escaping (57f9a58) — req's redirect handling
  2. Server.MaxHeaderValueCount (d90bf6d) — new server-side setting (may not apply to client-only req)
  3. HTTP/2 GOAWAY with zero in-flight (ea0da40) — req already has GOAWAY retry logic (fix: retry on GOAWAY errors when using cached HTTP/2 connections #491)
  4. gzipReader deadlock (5005a20) — req's modified transfer code

quic-go v0.60.0 Upgrade

  • Go 1.25+ requirement aligns with req's existing Go 1.25+ minimum — no conflict
  • FIPS 140-3 support is opt-in (requires Go 1.26+ and Go Crypto Module)
  • http3 fixes (nil pointer, scheme/host, :protocol validation) are directly relevant to req's internal/http3/
  • Trailer validation backport in v0.59.1 should also be synced

x/net/http2 Go 1.27 Wrapping

  • The wrapping architecture is a future concern — only relevant when req upgrades to Go 1.27+
  • req uses its own modified internal/http2/, so the wrapping change doesn't directly apply
  • However, deprecation of write schedulers and h2c should be noted for future planning

Recommended Actions

  1. Port security fixes from stdlib net/http and x/net/http2 to req's modified files (highest priority)
  2. Upgrade quic-go from v0.59.0 → v0.60.0 in internal/http3/ (port the http3 fixes and FIPS changes)
  3. Full diff sync of all modified files per the CODEBUDDY.md mandatory sync flow:
    • diff -rq each modified file against upstream
    • Port all non-test changes
    • List inapplicable upstream changes (server-side logic) with reasons
    • go build ./... + go test ./... must pass
  4. Consider adding redirect header-stripping tests to prevent Punycode bypass regression
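A stand-alone version of the redirect header-stripping decision, written as an added example for the regression test suggested in item 4 (not code from net/http or from req). It covers the ASCII case-insensitive comparison from 96736b8 and the label-boundary check, and it compares hostnames exactly as they appear in the URL, in ASCII (punycode) form, without decoding them; conversion of any Unicode host to punycode before the comparison is assumed to have already happened. Header values and redirect targets are constructed.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// asciiLower lowercases ASCII letters only; other bytes are left untouched so
// non-ASCII input is compared byte for byte rather than being "normalized".
func asciiLower(s string) string {
	b := []byte(s)
	for i, c := range b {
		if 'A' <= c && c <= 'Z' {
			b[i] = c + 'a' - 'A'
		}
	}
	return string(b)
}

// isDomainOrSubdomain reports whether sub equals parent or is a subdomain of
// it. The suffix must begin at a label boundary, so "notexample.com" is not a
// subdomain of "example.com". Inputs are expected in ASCII (punycode) form.
func isDomainOrSubdomain(sub, parent string) bool {
	sub, parent = asciiLower(sub), asciiLower(parent)
	if sub == parent {
		return true
	}
	// ':' or '%' means an IPv6 literal, which can never be a DNS subdomain.
	if strings.ContainsAny(sub, ":%") {
		return false
	}
	if !strings.HasSuffix(sub, parent) {
		return false
	}
	return sub[len(sub)-len(parent)-1] == '.'
}

// shouldCopyHeaderOnRedirect: credentials and cookies only follow a redirect
// that stays on the same host or moves to a subdomain of it.
func shouldCopyHeaderOnRedirect(headerKey string, initial, dest *url.URL) bool {
	switch http.CanonicalHeaderKey(headerKey) {
	case "Authorization", "Www-Authenticate", "Cookie", "Cookie2":
		return isDomainOrSubdomain(dest.Hostname(), initial.Hostname())
	}
	return true
}

// redirectHeaders returns the subset of h that the redirected request carries.
func redirectHeaders(initial, dest *url.URL, h http.Header) http.Header {
	out := http.Header{}
	for k, v := range h {
		if shouldCopyHeaderOnRedirect(k, initial, dest) {
			out[k] = v
		}
	}
	return out
}

func main() {
	// Constructed request headers and redirect targets.
	h := http.Header{
		"Authorization": {"Bearer secret"},
		"Cookie":        {"sid=1"},
		"User-Agent":    {"req"},
	}
	initial, _ := url.Parse("https://api.example.com/login")
	for _, target := range []string{
		"https://API.Example.COM/callback", // same host, different case: keep
		"https://eu.api.example.com/",      // subdomain: keep
		"https://notapi.example.com/",      // sibling sharing a suffix: strip
		"https://attacker.example/",        // cross-host: strip
	} {
		dest, _ := url.Parse(target)
		fmt.Printf("%-36s -> %v\n", target, redirectHeaders(initial, dest, h))
	}
}
```

A regression test built on this shape should include at least one punycode host in both initial and destination URLs and assert that they compare equal only in their raw xn-- form, so that any future change that decodes one side before comparing fails the test.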

This issue was auto-generated by the Upstream Sync Tracking Loop. Sync of modified code requires manual human work per project conventions.

    Labels

    • http2: Involves HTTP/2 or internal/http2 modified code
    • modified-stdlib: Involves modified Go stdlib files (transport.go, transfer.go, etc.)
    • priority:high: Data loss, memory leak, or panic in production
    • quic-go: Involves quic-go, HTTP/3, or internal/http3 modified code
    • security: Security vulnerability or concern