Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Address GO-2023-2382 #14732

Closed
14 tasks done
dprotaso opened this issue Dec 18, 2023 · 5 comments
Closed
14 tasks done

Address GO-2023-2382 #14732

dprotaso opened this issue Dec 18, 2023 · 5 comments
Assignees
@dprotaso

Comments

@dprotaso
Copy link
Member

dprotaso commented Dec 18, 2023
edited by ReToCode
Loading

From: https://pkg.go.dev/vuln/GO-2023-2382

A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a handler fails to read the entire body of a request. Chunk extensions are a little-used HTTP feature which permit including additional metadata in a request or response body sent using the chunked encoding. The net/http chunked encoding reader discards this metadata. A sender can exploit this by inserting a large metadata segment with each byte transferred. The chunk reader now produces an error if the ratio of real body to encoded bytes grows too small.

Affects

net/http/internal
before go1.20.12, from go1.21.0-0 before go1.21.5

We'll need to bump the following
@dprotaso
Copy link
Member Author

cc @ReToCode @skonto

/assign @dprotaso

@dprotaso
Copy link
Member Author

Go Version was bumped in Prow here: knative/infra#296

@dprotaso
Copy link
Member Author

prow image was bumped here - knative/infra#297

So Prow is ready to go.

dprotaso added a commit to dprotaso/serving that referenced this issue Dec 18, 2023
@dprotaso
Bump to fix knative#14732
9ffa9d1
dprotaso added a commit to dprotaso/serving that referenced this issue Dec 18, 2023
@dprotaso
Bump to fix knative#14732
49b2374
@dprotaso dprotaso mentioned this issue Dec 18, 2023
Merged
dprotaso added a commit to dprotaso/serving that referenced this issue Dec 18, 2023
@dprotaso
Bump to fix knative#14732
75c014a
This was referenced Dec 18, 2023
Merged
Merged
Merged
Merged
Merged
Merged
Merged
Merged
Merged
Merged
Merged
Merged
Merged
dprotaso added a commit to dprotaso/serving that referenced this issue Dec 18, 2023
@dprotaso
Bump to fix serving/knative#14732
f4f7b92
knative-prow bot pushed a commit that referenced this issue Dec 18, 2023
@dprotaso
Bump to fix #14732 (#14733)
f1bd929
knative-prow bot pushed a commit that referenced this issue Dec 18, 2023
@dprotaso
[release-1.11] Bump to fix #14732 (#14734)
232d726 
* Bump to fix #14732

* Bump to fix serving/#14732
@skonto
Copy link
Contributor

skonto commented Dec 20, 2023

@dprotaso should we close this one?

@ReToCode
Copy link
Member

+1, as the auto-releases are out.

openshift-merge-bot bot pushed a commit to openshift-knative/serving that referenced this issue Jan 8, 2024
@ReToCode @knative-prow-robot
@KauzClay @nak3 @evankanderson @knative-automation @jsanin-vmw @k4leung4 @dprotaso
[RELEASE-1.11] Sync with upstream release-1.11 (#580)
9bd87d6 
* [release-1.11] fix securityContext for Knative Service Pod (user-container and queue-proxy) (knative#14378)

* add seccompProfile to queue container security context

* run as non root by default

* update tests to expect new default run as nonroot

---------

Co-authored-by: Clay Kauzlaric <ckauzlaric@vmware.com>

* Leave a comment which will trigger a new dot release (knative#14500)

* [release-1.11] bump x/net to v0.17 (knative#14516)

* [release-1.11] bump x/net to v1.17

* Re-generate test/config/tls/cert-secret.yaml (knative#14324)

* Run hack/update-codegen.sh --upgrade --release 1.11

* Bound buffer for reading stats (knative#14542)

Co-authored-by: Evan Anderson <evan.k.anderson@gmail.com>

* upgrade to latest dependencies (knative#14552)

bumping knative.dev/pkg bd99f2f...56bfe0d:
  > 56bfe0d [release-1.11] [CVE-2023-44487] Disable http2 for webhooks (# 2875)
bumping knative.dev/caching 24ff723...ee89f75:
  > ee89f75 upgrade to latest dependencies (# 797)

Signed-off-by: Knative Automation <automation@knative.team>

* Upgrade grpc for addressing GHSA-m425-mq94-257g (knative#14579)

More info at GHSA-m425-mq94-257g

* remove duplicate 'additionalPrinterColumns' (knative#14654)

Signed-off-by: Kenny Leung <kleung@chainguard.dev>
Co-authored-by: Kenny Leung <kleung@chainguard.dev>

* [release-1.11] Bump to fix knative#14732 (knative#14734)

* Bump to fix knative#14732

* Bump to fix serving/knative#14732

* Sync with upstream release-1.11

---------

Signed-off-by: Knative Automation <automation@knative.team>
Signed-off-by: Kenny Leung <kleung@chainguard.dev>
Co-authored-by: Knative Prow Robot <automation+prow-robot@knative.team>
Co-authored-by: Clay Kauzlaric <ckauzlaric@vmware.com>
Co-authored-by: Kenjiro Nakayama <nakayamakenjiro@gmail.com>
Co-authored-by: Evan Anderson <evan.k.anderson@gmail.com>
Co-authored-by: Knative Automation <automation@knative.team>
Co-authored-by: Juan Sanin <jsanin@vmware.com>
Co-authored-by: Kenny Leung <kleung@chainguard.dev>
Co-authored-by: Dave Protasowski <dprotaso@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@dprotaso dprotaso

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@dprotaso @skonto @ReToCode