diff --git a/SPECS/flannel/CVE-2021-44716.patch b/SPECS/flannel/CVE-2021-44716.patch
new file mode 100644
index 00000000000..5c871692014
--- /dev/null
+++ b/SPECS/flannel/CVE-2021-44716.patch
@@ -0,0 +1,50 @@
+Parent: db4efeb8 (http2: deflake TestTransportGroupsPendingDials)
+Author: Damien Neil
+AuthorDate: 2021-12-06 14:31:43 -0800
+Commit: Filippo Valsorda
+CommitDate: 2021-12-09 12:49:13 +0000
+
+http2: cap the size of the server's canonical header cache
+
+The HTTP/2 server keeps a per-connection cache mapping header keys
+to their canonicalized form (e.g., "foo-bar" => "Foo-Bar"). Cap the
+maximum size of this cache to prevent a peer sending many unique
+header keys from causing unbounded memory growth.
+
+Cap chosen arbitrarily at 32 entries. Since this cache does not
+include common headers (e.g., "content-type"), 32 seems like more
+than enough for almost all normal uses.
+
+Fixes #50058
+Fixes CVE-2021-44716
+
+Change-Id: Ia83696dc23253c12af8f26d502557c2cc9841105
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1290827
+Reviewed-by: Roland Shoemaker
+Reviewed-on: https://go-review.googlesource.com/c/net/+/369794
+Trust: Filippo Valsorda
+Run-TryBot: Filippo Valsorda
+Trust: Damien Neil
+Reviewed-by: Russ Cox
+Reviewed-by: Filippo Valsorda
+TryBot-Result: Gopher Robot
+
+diff -ru cli-20.10.27-orig/vendor/golang.org/x/net/http2/server.go cli-20.10.27/vendor/golang.org/x/net/http2/server.go
+--- cli-20.10.27-orig/vendor/golang.org/x/net/http2/server.go 2024-02-05 08:53:30.802532951 -0800
++++ cli-20.10.27/vendor/golang.org/x/net/http2/server.go 2024-02-05 09:19:08.473430121 -0800
+@@ -720,7 +720,15 @@
+ sc.canonHeader = make(map[string]string)
+ }
+ cv = http.CanonicalHeaderKey(v)
+- sc.canonHeader[v] = cv
++ // maxCachedCanonicalHeaders is an arbitrarily-chosen limit on the number of
++ // entries in the canonHeader cache. This should be larger than the number
++ // of unique, uncommon header keys likely to be sent by the peer, while not
++ // so high as to permit unreaasonable memory usage if the peer sends an unbounded
++ // number of unique header keys.
++ const maxCachedCanonicalHeaders = 32
++ if len(sc.canonHeader) < maxCachedCanonicalHeaders {
++ sc.canonHeader[v] = cv
++ }
+ return cv
+ }
diff --git a/SPECS/flannel/flannel.spec b/SPECS/flannel/flannel.spec
index e2239921e12..62540610585 100644
--- a/SPECS/flannel/flannel.spec
+++ b/SPECS/flannel/flannel.spec
@@ -4,7 +4,7 @@ Summary: Simple and easy way to configure a layer 3 network fabric designed for Kubernetes Name: flannel Version: 0.14.0 -Release: 20%{?dist} +Release: 21%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation Distribution: Mariner
@@ -12,6 +12,7 @@ Group: System Environment/Libraries URL: https://github.com/flannel-io/flannel #Source0: https://github.com/flannel-io/flannel/archive/refs/tags/v0.14.0.tar.gz Source0: %{name}-%{version}.tar.gz +Patch0: CVE-2021-44716.patch BuildRequires: gcc BuildRequires: glibc-devel
@@ -48,6 +49,9 @@ install -p -m 755 -t %{buildroot}%{_bindir} ./dist/flanneld %{_bindir}/flanneld %changelog +* Mon Feb 05 2024 Osama Esmail - 0.14.0-21 +- Patching CVE-2021-44716 + * Wed Oct 18 2023 Minghe Ren - 0.14.0-20 - Bump release to rebuild against glibc 2.35-6
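Review bot: The embedded diff was generated against `cli-20.10.27/vendor/golang.org/x/net/http2/server.go`, not the flannel 0.14.0 tree this spec builds, so the `@@ -720,7 +720,15 @@` offset and context may not match flannel's vendored copy. It is worth confirming in the build log that the hunk applies without fuzz and lands in the function that fills `sc.canonHeader`, whose start is outside the hunk. Regenerating the patch from the flannel source tree and naming the upstream change (`https://go-review.googlesource.com/c/net/+/369794`) in a first-line comment would make the backport easier to audit. Separately, the cap bounds the cache at 32 entries but not the length of each cached key, so per-connection memory still depends on the header-size limit enforced elsewhere; if upstream has since tightened this cache further, that follow-up should be checked for the vendored copy as well.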
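Review bot: `Patch0: CVE-2021-44716.patch` is declared in the `@@ -12,6 +12,7 @@` hunk, but none of the visible hunks touches `%prep`, so whether the patch is actually applied depends on lines outside this diff. If `%prep` uses `%autosetup -p1` the patch is picked up automatically; if it uses plain `%setup`, a `%patch0 -p1` line is needed after it, otherwise the package is rebuilt as 0.14.0-21 with the vendored `server.go` unchanged. Checking the build log for the patch being applied to `vendor/golang.org/x/net/http2/server.go` would confirm the fix reaches the shipped binary.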