
nats-server has CVE-2021-44716

Open denis-tingaikin opened this issue 1 year ago • 2 comments

See details in https://nvd.nist.gov/vuln/detail/CVE-2021-44716

The problem comes from https://github.com/nats-io/nats-server/blob/v2.9.0/go.mod#L13

See at https://cs.opensource.google/go/x/crypto/+/c86fa9a7:go.mod;l=6

denis-tingaikin, Sep 09 '22 18:09

@denis-tingaikin Thank you for the report and we can of course update the go.mod, but the link to the CVE shows:

net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests.

We build with Go 1.19, so do I understand that we would not be affected anyway?

kozlovic, Sep 09 '22 20:09
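A check for the question raised in this comment, added here as an example (it is not from the thread or the nats-server project): it applies the NVD ranges quoted above to a Go toolchain version string such as the one printed by `go version`. The function names are mine; the affected ranges are taken from the quoted NVD text, so the check concerns the toolchain's `net/http`, not the `x/crypto` line in `go.mod`.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// parseGoVersion turns "go1.17.3", "1.17" or "go1.19" into (major, minor, patch).
func parseGoVersion(v string) (int, int, int, error) {
	v = strings.TrimPrefix(strings.TrimSpace(v), "go")
	parts := strings.Split(v, ".")
	if len(parts) < 2 {
		return 0, 0, 0, fmt.Errorf("unrecognized Go version %q", v)
	}
	nums := [3]int{} // missing patch component defaults to 0
	for i := 0; i < len(parts) && i < 3; i++ {
		n, err := strconv.Atoi(parts[i])
		if err != nil { // e.g. "17rc1": pre-releases are rejected rather than guessed
			return 0, 0, 0, fmt.Errorf("bad component %q in %q", parts[i], v)
		}
		nums[i] = n
	}
	return nums[0], nums[1], nums[2], nil
}

// AffectedByCVE202144716 applies the NVD ranges quoted in the thread:
// Go before 1.16.12, and 1.17.x before 1.17.5, ship the affected net/http.
func AffectedByCVE202144716(goVersion string) (bool, error) {
	major, minor, patch, err := parseGoVersion(goVersion)
	if err != nil {
		return false, err
	}
	if major != 1 {
		return false, nil
	}
	switch {
	case minor < 16:
		return true, nil // everything older than the 1.16 line is before 1.16.12
	case minor == 16:
		return patch < 12, nil
	case minor == 17:
		return patch < 5, nil
	default:
		return false, nil // 1.18+, including the Go 1.19 build mentioned above
	}
}
```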

The more I look into that, the more I think that this is a non-issue. We were already using a rev that was way past the fix, so I am not sure why you say that the NATS Server has the mentioned CVE...

kozlovic, Sep 09 '22 20:09

I am now closing this issue since I do believe that our dependencies were updated well past the revision that contained the fix, and also that we were not even affected in the first place.

kozlovic, Sep 28 '22 15:09