From 6b741688f62d322979948f8d2b2515d18621ae22 Mon Sep 17 00:00:00 2001
From: Tatiana Bradley <tatianabradley@google.com>
Date: Mon, 27 Nov 2023 12:51:12 -0500
Subject: [PATCH] data/reports: update GO-2023-2102.yaml

Move CVE-2023-44487 (catch-all for HTTP/2 rapid reset)
from "cves" to "related".

Updates golang/vulndb#2102

Change-Id: Ic420f27cb55ab46f131957dcf941744aae3e0af0
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/545204
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
---
 data/osv/GO-2023-2102.json     | 4 +++-
 data/reports/GO-2023-2102.yaml | 4 ++--
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/data/osv/GO-2023-2102.json b/data/osv/GO-2023-2102.json
index a1b063b3..be27be82 100644
--- a/data/osv/GO-2023-2102.json
+++ b/data/osv/GO-2023-2102.json
@@ -4,10 +4,12 @@
   "modified": "0001-01-01T00:00:00Z",
   "published": "0001-01-01T00:00:00Z",
   "aliases": [
-    "CVE-2023-44487",
     "CVE-2023-39325",
     "GHSA-4374-p667-p6c8"
   ],
+  "related": [
+    "CVE-2023-44487"
+  ],
   "summary": "HTTP/2 rapid reset can cause excessive work in net/http",
   "details": "A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing.\n\nWith the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection.\n\nThis issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2.\n\nThe default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.",
   "affected": [
diff --git a/data/reports/GO-2023-2102.yaml b/data/reports/GO-2023-2102.yaml
index 93fadfa8..f0a66114 100644
--- a/data/reports/GO-2023-2102.yaml
+++ b/data/reports/GO-2023-2102.yaml
@@ -57,10 +57,10 @@ description: |-
     The default stream concurrency limit is 250 streams (requests) per HTTP/2
     connection. This value may be adjusted using the golang.org/x/net/http2 package;
     see the Server.MaxConcurrentStreams setting and the ConfigureServer function.
-cves:
-    - CVE-2023-44487
 ghsas:
     - GHSA-4374-p667-p6c8
+related:
+    - CVE-2023-44487
 references:
     - report: https://go.dev/issue/63417
     - fix: https://go.dev/cl/534215