v1.6 backports 2020-06-30 #12352

Merged
merged 3 commits into from Jul 1, 2020

Commits on Jul 1, 2020

  1. endpoint: Inherit context during identity allocation

    [ upstream commit fa8857f ]
    
    Inherit the identity allocation context from the parent function when
    calling into identityLabelsChanged(). This function isn't a background
    thread, and it receives a context so it should respect the passed
    context.
    
    Signed-off-by: Joe Stringer <joe@cilium.io>
    Signed-off-by: Chris Tarazi <chris@isovalent.com>
    joestringer authored and christarazi committed Jul 1, 2020
    Commit ff7484c
  2. endpoint: Use kvstore timeout for undo

    [ upstream commit 8bb5382 ]
    
    When there's some kind of late error / failure and a newly allocated
    identity must be released, allow the kvstore connectivity timeout to be
    customised via the standard kvstore connectivity timeout.
    
    This path may still be called from endpoint create, so it's not
    appropriate to block for up to two minutes to attempt to roll back the
    identity allocation here.
    
    Signed-off-by: Joe Stringer <joe@cilium.io>
    Signed-off-by: Chris Tarazi <chris@isovalent.com>
    joestringer authored and christarazi committed Jul 1, 2020
    Commit 5984f24
  3. envoy: Update to 1.13.3

    [ upstream commit b796665 ]
    
    This fixes the following CVEs for the Envoy version 1.13.x:
    
    - CVE-2020-12603 (CVSS score 7.0, High): Envoy through 1.14.2 may consume excessive amounts of memory when proxying HTTP/2 requests or responses with many small (e.g., 1 byte) data frames.
    
    - CVE-2020-12605 (CVSS score 7.0, High): Envoy through 1.14.2 may consume excessive amounts of memory when processing HTTP/1.1 headers with long field names or requests with long URLs.
    
    - CVE-2020-8663 (CVSS score 7.0, High): Envoy version 1.14.2 or earlier may exhaust file descriptors and/or memory when accepting too many connections.
    
    - CVE-2020-12604 (CVSS score 5.3, Medium): Envoy through 1.14.2 is susceptible to increased memory usage in the case where an HTTP/2 client requests a large payload but does not send enough window updates to consume the entire stream and does not reset the stream. The attacker can cause data associated with many streams to be buffered forever.
    
    Signed-off-by: Jarno Rajahalme <jarno@covalent.io>
    Signed-off-by: Chris Tarazi <chris@isovalent.com>
    jrajahalme authored and christarazi committed Jul 1, 2020
    Commit 0906dbf