diff --git a/SPECS/local-path-provisioner/CVE-2021-44716.patch b/SPECS/local-path-provisioner/CVE-2021-44716.patch
new file mode 100644
index 00000000000..5c871692014
--- /dev/null
+++ b/SPECS/local-path-provisioner/CVE-2021-44716.patch
@@ -0,0 +1,50 @@
+Parent: db4efeb8 (http2: deflake TestTransportGroupsPendingDials)
+Author: Damien Neil
+AuthorDate: 2021-12-06 14:31:43 -0800
+Commit: Filippo Valsorda
+CommitDate: 2021-12-09 12:49:13 +0000
+
+http2: cap the size of the server's canonical header cache
+
+The HTTP/2 server keeps a per-connection cache mapping header keys
+to their canonicalized form (e.g., "foo-bar" => "Foo-Bar"). Cap the
+maximum size of this cache to prevent a peer sending many unique
+header keys from causing unbounded memory growth.
+
+Cap chosen arbitrarily at 32 entries. Since this cache does not
+include common headers (e.g., "content-type"), 32 seems like more
+than enough for almost all normal uses.
+
+Fixes #50058
+Fixes CVE-2021-44716
+
+Change-Id: Ia83696dc23253c12af8f26d502557c2cc9841105
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1290827
+Reviewed-by: Roland Shoemaker
+Reviewed-on: https://go-review.googlesource.com/c/net/+/369794
+Trust: Filippo Valsorda
+Run-TryBot: Filippo Valsorda
+Trust: Damien Neil
+Reviewed-by: Russ Cox
+Reviewed-by: Filippo Valsorda
+TryBot-Result: Gopher Robot
+
+diff -ru cli-20.10.27-orig/vendor/golang.org/x/net/http2/server.go cli-20.10.27/vendor/golang.org/x/net/http2/server.go
+--- cli-20.10.27-orig/vendor/golang.org/x/net/http2/server.go 2024-02-05 08:53:30.802532951 -0800
++++ cli-20.10.27/vendor/golang.org/x/net/http2/server.go 2024-02-05 09:19:08.473430121 -0800
+@@ -720,7 +720,15 @@
+ sc.canonHeader = make(map[string]string)
+ }
+ cv = http.CanonicalHeaderKey(v)
+- sc.canonHeader[v] = cv
++ // maxCachedCanonicalHeaders is an arbitrarily-chosen limit on the number of
++ // entries in the canonHeader cache. This should be larger than the number
++ // of unique, uncommon header keys likely to be sent by the peer, while not
++ // so high as to permit unreaasonable memory usage if the peer sends an unbounded
++ // number of unique header keys.
++ const maxCachedCanonicalHeaders = 32
++ if len(sc.canonHeader) < maxCachedCanonicalHeaders {
++ sc.canonHeader[v] = cv
++ }
+ return cv
+ }
diff --git a/SPECS/local-path-provisioner/local-path-provisioner.spec b/SPECS/local-path-provisioner/local-path-provisioner.spec
index 8b59d743caf..fdfeb5a48e5 100644
--- a/SPECS/local-path-provisioner/local-path-provisioner.spec
+++ b/SPECS/local-path-provisioner/local-path-provisioner.spec
@@ -1,7 +1,7 @@
 Summary: Provides a way for the Kubernetes users to utilize the local storage in each node
 Name: local-path-provisioner
 Version: 0.0.21
-Release: 14%{?dist}
+Release: 15%{?dist}
 License: ASL 2.0
 URL: https://github.com/rancher/local-path-provisioner
 Group: Applications/Text
@@ -11,6 +11,7 @@ Source0: https://github.com/rancher/%{name}/archive/refs/tags/v%{version}
 #Note that the source file should be renamed to the format {name}-%{version}.tar.gz
 # Fixed in upstream 0.0.24, so we can remove this patch when we upgrade to that version
 Patch0: CVE-2022-21698.patch
+Patch1: CVE-2021-44716.patch
 
 BuildRequires: golang
 
@@ -20,6 +21,7 @@ Provides a way for the Kubernetes users to utilize the local storage in each nod
 %prep
 %setup -q
 %patch 0 -p1 -d vendor/github.com/prometheus/client_golang
+%patch 1 -p1
 
 %build
 export CGO_ENABLED=0
@@ -33,6 +35,9 @@ install local-path-provisioner %{buildroot}%{_bindir}/local-path-provisioner
 %{_bindir}/local-path-provisioner
 
 %changelog
+* Tue Feb 06 2024 Osama Esmail - 0.0.21-15
+- Fix CVE-2021-44716
+
 * Wed Jan 31 2024 Tobias Brick - 0.0.21-14
 - Fix CVE-2022-21698
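Review bot: The inner hunk header `@@ -720,7 +720,15 @@` in the new patch file advertises 7 old and 15 new lines, but the hunk body as committed holds 6 (three leading context, one removed, two trailing context) and 14, which is consistent with the outer `+1,50` count, so the blank context line after the closing `}` appears to have been dropped when the patch was hand-assembled. GNU patch usually repairs a hunk whose trailing context is truncated, but a security backport should not depend on that leniency; either restore the blank context line or change the header to `@@ -720,6 +720,14 @@`. The patch was also produced against a `cli-20.10.27` tree rather than this package's source, so it lands on `vendor/golang.org/x/net/http2/server.go` only because `-p1` strips exactly that one leading component; a one-line note at the top of the patch saying where it was lifted from would help whoever rebases it. The enclosing function in server.go starts before the hunk.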
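Review bot: `Patch1: CVE-2021-44716.patch` carries no note on when it can be retired, unlike the `# Fixed in upstream 0.0.24 ...` comment that documents Patch0 directly above it. Suggest adding `# Backport of the golang.org/x/net http2 fix for CVE-2021-44716 into vendor/golang.org/x/net/http2/server.go; drop once the vendored x/net is newer than the fix` so the next version bump can decide whether the patch still applies. In %prep, `%patch 1 -p1` applies at the source root because the patch paths carry a `cli-20.10.27/` prefix, whereas Patch0 needs `-d vendor/github.com/prometheus/client_golang`; that asymmetry is worth a word in the same comment.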