diff --git a/SPECS/jx/CVE-2023-45288.patch b/SPECS/jx/CVE-2023-45288.patch
deleted file mode 100644
index 4d53dfb5125..00000000000
--- a/SPECS/jx/CVE-2023-45288.patch
+++ /dev/null
@@ -1,83 +0,0 @@
-From 63b4ddd633bde166d2b2800dbc6ad6a64f77b838 Mon Sep 17 00:00:00 2001
-From: Damien Neil
-Date: Wed, 10 Jan 2024 13:41:39 -0800
-Subject: [PATCH] http2: close connections when receiving too many headers
-
-Maintaining HPACK state requires that we parse and process
-all HEADERS and CONTINUATION frames on a connection.
-When a request's headers exceed MaxHeaderBytes, we don't
-allocate memory to store the excess headers but we do
-parse them. This permits an attacker to cause an HTTP/2
-endpoint to read arbitrary amounts of data, all associated
-with a request which is going to be rejected.
-
-Set a limit on the amount of excess header frames we
-will process before closing a connection.
-
-Thanks to Bartek Nowotarski for reporting this issue.
-
-Fixes CVE-2023-45288
-Fixes golang/go#65051
-
-Change-Id: I15df097268df13bb5a9e9d3a5c04a8a141d850f6
-Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2130527
-Reviewed-by: Roland Shoemaker
-Reviewed-by: Tatiana Bradley
-Reviewed-on: https://go-review.googlesource.com/c/net/+/576155
-Reviewed-by: Dmitri Shuralyov
-Auto-Submit: Dmitri Shuralyov
-Reviewed-by: Than McIntosh
-LUCI-TryBot-Result: Go LUCI
----
- vendor/golang.org/x/net/http2/frame.go | 31 ++++++++++++++++++++++++++
- 1 file changed, 31 insertions(+)
-
-diff --git a/vendor/golang.org/x/net/http2/frame.go b/vendor/golang.org/x/net/http2/frame.go
-index c1f6b90..175c154 100644
---- a/vendor/golang.org/x/net/http2/frame.go
-+++ b/vendor/golang.org/x/net/http2/frame.go
-@@ -1565,6 +1565,7 @@ func (fr *Framer) readMetaFrame(hf *HeadersFrame) (*MetaHeadersFrame, error) {
- if size > remainSize {
- hdec.SetEmitEnabled(false)
- mh.Truncated = true
-+ remainSize = 0
- return
- }
- remainSize -= size
-@@ -1577,6 +1578,36 @@ func (fr *Framer) readMetaFrame(hf *HeadersFrame) (*MetaHeadersFrame, error) {
- var hc headersOrContinuation = hf
- for {
- frag := hc.HeaderBlockFragment()
-+
-+ // Avoid parsing large amounts of headers that we will then discard.
-+ // If the sender exceeds the max header list size by too much,
-+ // skip parsing the fragment and close the connection.
-+ //
-+ // "Too much" is either any CONTINUATION frame after we've already
-+ // exceeded the max header list size (in which case remainSize is 0),
-+ // or a frame whose encoded size is more than twice the remaining
-+ // header list bytes we're willing to accept.
-+ if int64(len(frag)) > int64(2*remainSize) {
-+ if VerboseLogs {
-+ log.Printf("http2: header list too large")
-+ }
-+ // It would be nice to send a RST_STREAM before sending the GOAWAY,
-+ // but the struture of the server's frame writer makes this difficult.
-+ return nil, ConnectionError(ErrCodeProtocol)
-+ }
-+
-+ // Also close the connection after any CONTINUATION frame following an
-+ // invalid header, since we stop tracking the size of the headers after
-+ // an invalid one.
-+ if invalid != nil {
-+ if VerboseLogs {
-+ log.Printf("http2: invalid header: %v", invalid)
-+ }
-+ // It would be nice to send a RST_STREAM before sending the GOAWAY,
-+ // but the struture of the server's frame writer makes this difficult.
-+ return nil, ConnectionError(ErrCodeProtocol)
-+ }
-+
- if _, err := hdec.Write(frag); err != nil {
- return nil, ConnectionError(ErrCodeCompression)
- }
diff --git a/SPECS/jx/jx.signatures.json b/SPECS/jx/jx.signatures.json
index 9f42c125e79..4a4b3a9c3e7 100644
--- a/SPECS/jx/jx.signatures.json
+++ b/SPECS/jx/jx.signatures.json
@@ -1,6 +1,6 @@
 {
 "Signatures": {
- "jx-3.10.116-vendor.tar.gz": "9e0cc830222cc289a928b684201c6cd3793f60637a4e47a7cbde00076792c94d",
- "jx-3.10.116.tar.gz": "55b14b4f4189f91f481387f8ad9617c37deb859d824c246e817040b740de7d76"
+ "jx-3.10.182-vendor.tar.gz": "47bcb18176e44be2c7ffb3666b04d6e5cbaeea93bc3fe6c5fcb974086abe00b4",
+ "jx-3.10.182.tar.gz": "2abfc9432773007e7c17f78c44ad03aa5b9a6bf8a0118d44bf97a230c1ebd1fb"
 }
 }
diff --git a/SPECS/jx/jx.spec b/SPECS/jx/jx.spec
index 83f607b5972..fd935795b9b 100644
--- a/SPECS/jx/jx.spec
+++ b/SPECS/jx/jx.spec
@@ -1,7 +1,7 @@
 Summary: Command line tool for working with Jenkins X.
 Name: jx
-Version: 3.10.116
-Release: 2%{?dist}
+Version: 3.10.182
+Release: 1%{?dist}
 License: Apache-2.0
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
@@ -27,7 +27,6 @@ Source0: https://github.com/jenkins-x/jx/archive/v%{version}.tar.gz#/%{na
 # See: https://reproducible-builds.org/docs/archives/
 # - For the value of "--mtime" use the date "2021-04-26 00:00Z" to simplify future updates.
 Source1: %{name}-%{version}-vendor.tar.gz
-Patch0: CVE-2023-45288.patch
 BuildRequires: golang >= 1.17.1
 %global debug_package %{nil}
@@ -63,6 +62,9 @@ install -p -m 755 -t %{buildroot}%{_bindir} ./build/jx
 %{_bindir}/jx
 %changelog
+* Thu Feb 13 2025 CBL-Mariner Servicing Account - 3.10.182-1 - Auto-upgrade to 3.10.182 - Fix CVE-2023-39325 and CVE-2023-44487 in jx
+
 * Thu Aug 22 2024 Sumedh Sharma - 3.10.116-2
 - Add patch to resolve CVE-2023-45288
diff --git a/cgmanifest.json b/cgmanifest.json
index a265278f650..c66596202d8 100644
--- a/cgmanifest.json
+++ b/cgmanifest.json
@@ -8061,8 +8061,8 @@
 "type": "other",
 "other": {
 "name": "jx",
- "version": "3.10.116",
- "downloadUrl": "https://github.com/jenkins-x/jx/archive/v3.10.116.tar.gz"
+ "version": "3.10.182",
+ "downloadUrl": "https://github.com/jenkins-x/jx/archive/v3.10.182.tar.gz"
 }
 }
 },
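Review bot: The jx.spec hunk at `@@ -27,7 +27,6 @@` drops `Patch0: CVE-2023-45288.patch`, but the new changelog entry at `@@ -63,6 +62,9 @@` records only CVE-2023-39325 and CVE-2023-44487, so the spec no longer explains why the CVE-2023-45288 backport is gone. The deleted patch touches vendor/golang.org/x/net/http2/frame.go, so the implicit justification is that the 3.10.182 vendor tarball carries a golang.org/x/net release that already contains the upstream fix (v0.23.0 or later, as I recall — worth confirming against the vendored module list in jx-3.10.182-vendor.tar.gz before merging). If that holds, say so in the changelog, e.g. `- Auto-upgrade to 3.10.182 - Fix CVE-2023-39325 and CVE-2023-44487 in jx` followed by `- Drop CVE-2023-45288.patch; fix is included in the vendored golang.org/x/net`. Otherwise a later audit for CVE-2023-45288 finds the patch removed with no trail showing the fix was carried forward.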