
v1.6 backports 2020-06-30 #12352

Merged
merged 3 commits into from Jul 1, 2020
Conversation

christarazi
Member

Once this PR is merged, you can update the PR labels via:

$ for pr in 12328 12343; do contrib/backporting/set-labels.py $pr done 1.6; done

joestringer and others added 3 commits June 30, 2020 17:14
[ upstream commit fa8857f ]

Inherit the identity allocation context from the parent function when
calling into identityLabelsChanged(). This function isn't a background
thread, and it receives a context so it should respect the passed
context.

Signed-off-by: Joe Stringer <joe@cilium.io>
Signed-off-by: Chris Tarazi <chris@isovalent.com>
[ upstream commit 8bb5382 ]

When there's some kind of late error / failure and a newly allocated
identity must be released, allow the kvstore connectivity timeout to be
customised via the standard kvstore connectivity timeout.

This path may still be called from endpoint create, so it's not
appropriate to block for up to two minutes to attempt to roll back the
identity allocation here.

Signed-off-by: Joe Stringer <joe@cilium.io>
Signed-off-by: Chris Tarazi <chris@isovalent.com>
[ upstream commit b796665 ]

This fixes the following CVEs for the Envoy version 1.13.x:

- CVE-2020-12603 (CVSS score 7.0, High): Envoy through 1.14.2 may consume excessive amounts of memory when proxying HTTP/2 requests or responses with many small (e.g., 1 byte) data frames.

- CVE-2020-12605 (CVSS score 7.0, High): Envoy through 1.14.2 may consume excessive amounts of memory when processing HTTP/1.1 headers with long field names or requests with long URLs.

- CVE-2020-8663 (CVSS score 7.0, High): Envoy version 1.14.2 or earlier may exhaust file descriptors and/or memory when accepting too many connections.

- CVE-2020-12604 (CVSS score 5.3, Medium): Envoy through 1.14.2 is susceptible to increased memory usage in the case where an HTTP/2 client requests a large payload but does not send enough window updates to consume the entire stream and does not reset the stream. The attacker can cause data associated with many streams to be buffered forever.

Signed-off-by: Jarno Rajahalme <jarno@covalent.io>
Signed-off-by: Chris Tarazi <chris@isovalent.com>
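The first two backported commits make one point about context handling on the endpoint-create path: a function that receives a context must honour it rather than starting from the background context, and a late-failure rollback of a freshly allocated identity must be bounded by the configurable kvstore connectivity timeout rather than blocking for a fixed two minutes. The following Go program is an added illustration written for this page, not Cilium's own code: `fakeKVStore`, `allocateWithRollback` and the `connTimeout` parameter are assumed stand-ins for the real identity allocator, `identityLabelsChanged()` and the kvstore connectivity timeout option, and the latencies are constructed to simulate a healthy and an unreachable backend.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// fakeKVStore stands in for the identity backend. It is constructed for this
// example only: every call sleeps for the configured latency, or returns early
// when the caller's ctx is done, which is how a hung kvstore behaves.
type fakeKVStore struct {
	allocLatency   time.Duration
	releaseLatency time.Duration
	next           uint32
	held           map[uint32]bool
}

func newFakeKVStore(allocLatency, releaseLatency time.Duration) *fakeKVStore {
	return &fakeKVStore{allocLatency: allocLatency, releaseLatency: releaseLatency,
		next: 1000, held: map[uint32]bool{}}
}

// wait blocks for d or until ctx is done, whichever comes first.
func wait(ctx context.Context, d time.Duration) error {
	select {
	case <-time.After(d):
		return nil
	case <-ctx.Done():
		return ctx.Err()
	}
}

// Allocate honours the passed ctx instead of starting from context.Background(),
// the same property the backport restores for identityLabelsChanged().
func (k *fakeKVStore) Allocate(ctx context.Context) (uint32, error) {
	if err := wait(ctx, k.allocLatency); err != nil {
		return 0, err
	}
	id := k.next
	k.next++
	k.held[id] = true
	return id, nil
}

func (k *fakeKVStore) Release(ctx context.Context, id uint32) error {
	if err := wait(ctx, k.releaseLatency); err != nil {
		return err
	}
	delete(k.held, id)
	return nil
}

// Held reports whether the backend still holds id; true after a failed rollback.
func (k *fakeKVStore) Held(id uint32) bool { return k.held[id] }

var errLateFailure = errors.New("late failure after identity allocation (constructed)")

// allocateWithRollback models the endpoint-create path: allocate an identity,
// and if a later step fails, release it again. The rollback context is derived
// from the caller's ctx and bounded by connTimeout (the stand-in here for the
// kvstore connectivity timeout), so an unreachable backend cannot pin the
// caller for a fixed two minutes.
func allocateWithRollback(ctx context.Context, k *fakeKVStore, failAfter bool, connTimeout time.Duration) (uint32, error) {
	id, err := k.Allocate(ctx)
	if err != nil {
		return 0, fmt.Errorf("allocate identity: %w", err)
	}
	if !failAfter {
		return id, nil
	}
	rbCtx, cancel := context.WithTimeout(ctx, connTimeout)
	defer cancel()
	if rerr := k.Release(rbCtx, id); rerr != nil {
		// Report the original failure; the leaked identity is noted, not hidden.
		return 0, fmt.Errorf("%w; rollback of identity %d gave up: %v", errLateFailure, id, rerr)
	}
	return 0, errLateFailure
}

func main() {
	// Constructed scenario: allocation works, but the kvstore hangs on release.
	k := newFakeKVStore(5*time.Millisecond, 2*time.Second)
	start := time.Now()
	_, err := allocateWithRollback(context.Background(), k, true, 50*time.Millisecond)
	fmt.Printf("err=%v\nidentity 1000 leaked=%v, took %v\n",
		err, k.Held(1000), time.Since(start).Round(time.Millisecond))
}
```

The rollback deliberately derives its timeout from the caller's context rather than from `context.Background()`: if the caller has already been cancelled, or carries a shorter deadline, the release gives up at that point too. A leaked identity on timeout is the accepted trade-off the commit describes; the error string carries the identity number so the leak is visible in logs rather than silent.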
@christarazi christarazi requested a review from a team as a code owner July 1, 2020 00:15
@christarazi christarazi added backport/1.6 kind/backports This PR provides functionality previously merged into master. labels Jul 1, 2020
@christarazi
Member Author

test-backport-1.6

@christarazi
Member Author

christarazi commented Jul 1, 2020

Hit known flake: #10446

Otherwise, this should be good to go. Too soon; other tests still running :)

Edit: now it's good to go.

@aanm aanm merged commit 7f8c4dc into v1.6 Jul 1, 2020
@aanm aanm deleted the pr/v1.6-backport-2020-06-30-2 branch July 1, 2020 10:04
4 participants