x/vulndb: add reports/GO-2022-0233.yaml for CVE-2021-23409
Fixes golang/vulndb#0233
Change-Id: I568a716afa8838cf78249b3cb13308a50908dbad
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/415534
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
Run-TryBot: Damien Neil <dneil@google.com>
Run-TryBot: Tatiana Bradley <tatiana@golang.org>
diff --git a/reports/GO-2022-0233.yaml b/reports/GO-2022-0233.yaml
new file mode 100644
index 0000000..37b1ab3
--- /dev/null
+++ b/reports/GO-2022-0233.yaml
@@ -0,0 +1,25 @@
+packages:
+ - module: github.com/pires/go-proxyproto
+ symbols:
+ - Listener.Accept
+ versions:
+ - fixed: 0.6.1
+ vulnerable_at: 0.5.0
+description: |
+ The PROXY protocol server does not impose a timeout on reading the header
+ from new connections, allowing a malicious client to cause resource
+ exhaustion and a denial of service by opening many connections and
+ sending no data on them.
+
+ v0.6.0 of the proxyproto package adds support for a user-defined
+ header timeout. v0.6.1 adds a default timeout of 200ms and v0.6.2
+ increases the default timeout to 10s.
+cves:
+ - CVE-2021-23409
+ghsas:
+ - GHSA-xcf7-q56x-78gh
+links:
+ pr: https://github.com/pires/go-proxyproto/pull/74
+ commit: https://github.com/pires/go-proxyproto/pull/74/commits/cdc63867da24fc609b727231f682670d0d1cd346
+ context:
+ - https://github.com/pires/go-proxyproto/issues/65
