New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OCPBUGS-21584: UPSTREAM: 121128: [CVE-2023-39325] .: bump golang.org/x/net to v0.17.0 #1757
Conversation
@ncdc: the contents of this pull request could be automatically validated. The following commits are valid:
Comment |
@ncdc: the contents of this pull request could not be automatically validated. The following commits could not be validated and must be approved by a top-level approver:
Comment |
/retest |
staging/src/k8s.io/api/go.mod
Outdated
@@ -38,16 +37,7 @@ require ( | |||
) | |||
|
|||
replace ( | |||
github.com/google/cadvisor => github.com/openshift/google-cadvisor v0.47.3-openshift-4.15-1 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This shouldn't have happened. I'm going to try to pull locally and see if I get a different result.
the go.mod doesn't look quite right here. See if #1763 looks closer to the upstream and passes verify. |
/retest |
Bumping golang.org/x/net in light of CVE-2023-39325 and CVE-2023-44487. Signed-off-by: Andy Goldstein <andy.goldstein@redhat.com>
@ncdc: the contents of this pull request could be automatically validated. The following commits are valid:
Comment |
/retest |
1 similar comment
/retest |
This change fully addresses CVE-2023-44487 and CVE-2023-39325 for the API server when the client is unauthenticated. The changes to util/runtime are required because otherwise a large number of requests can get blocked on the time.Sleep calls. For unauthenticated clients (either via 401 or the anonymous user), we simply no longer allow such clients to hold open http2 connections. They can use http2, but with the performance of http1 (with keep-alive disabled). Since this change has the potential to cause issues, the UnauthenticatedHTTP2DOSMitigation feature gate can be disabled to remove this protection (it is enabled by default). For example, when the API server is fronted by an L7 load balancer that is set up to mitigate http2 attacks, unauthenticated clients could force disable connection reuse between the load balancer and the API server (many incoming connections could share the same backend connection). An API server that is on a private network may opt to disable this protection to prevent performance regressions for unauthenticated clients. For all other clients, we rely on the golang.org/x/net fix in golang/net@b225e7c That change is not sufficient to adequately protect against a motivated client - future changes to Kube and/or golang.org/x/net will be explored to address this gap. The Kube API server now uses a max stream of 100 instead of 250 (this matches the Go http2 client default). This lowers the abuse limit from 1000 to 400. Signed-off-by: Monis Khan <mok@microsoft.com> (cherry picked from commit 238d89c)
…http1 tests These occasionally flake on CI: https://prow.k8s.io/view/gs/kubernetes-jenkins/pr-logs/pull/121200/pull-kubernetes-unit-go-compatibility/1712589824344461312 === Failed === FAIL: vendor/k8s.io/apiserver/pkg/endpoints/filters TestUnauthenticatedHTTP2ClientConnectionClose/other_skip=true/http/1.1 (0.19s) authentication_test.go:653: expect TCP connection: 1, actual: 2 --- FAIL: TestUnauthenticatedHTTP2ClientConnectionClose/other_skip=true/http/1.1 (0.19s) === FAIL: vendor/k8s.io/apiserver/pkg/endpoints/filters TestUnauthenticatedHTTP2ClientConnectionClose/other_skip=true (0.23s) --- FAIL: TestUnauthenticatedHTTP2ClientConnectionClose/other_skip=true (0.23s) === FAIL: vendor/k8s.io/apiserver/pkg/endpoints/filters TestUnauthenticatedHTTP2ClientConnectionClose (2.30s) Signed-off-by: Monis Khan <mok@microsoft.com> (cherry picked from commit 9fa4bdf)
@ncdc: the contents of this pull request could be automatically validated. The following commits are valid:
Comment |
/lgtm |
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: deads2k, ncdc, tkashem The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/override ci/prow/unit |
@soltysh: Overrode contexts on behalf of soltysh: ci/prow/unit In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
e2e-gcp transient failure - error building rpms
/test e2e-gcp |
e2e-gcp-ovn-upgrade has multiple failures
|
/test e2e-gcp-ovn-upgrade |
aws-ovn-serial failed due to quay outage |
/override ci/prow/e2e-gcp-ovn-upgrade multiple observations
|
@deads2k: Overrode contexts on behalf of deads2k: ci/prow/e2e-gcp-ovn-upgrade In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
@ncdc: This pull request references Jira Issue OCPBUGS-21584, which is valid. The bug has been moved to the POST state. 3 validation(s) were run on this bug
Requesting review from QA contact: The bug has been updated to refer to the pull request using the external bug tracker. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
@ncdc: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
@ncdc: Jira Issue OCPBUGS-21584: All pull requests linked via external trackers have merged: Jira Issue OCPBUGS-21584 has been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Fix included in accepted release 4.15.0-0.nightly-2023-10-17-065657 |
@dgrisonnet it's marked |
Yes but the part where we change UnauthenticatedHTTP2DOSMitigation to be default=true, should be a separate commit with UPSTREAM to make it easier to distinguish from the initial upstream commit. |
It is separate. The commit the changes the default to false was intentionally not cherry-picked, so we end up with the default of true. But I see your point. I guess a better approach would have been to pick the commit, then revert it with a |
Yeah we could've done it that way. When I made the patch in our k8s.io/apiserver fork, I treated both commits as one PR and squashed them together under UPSTREAM: 121120 and then added a |
/kind bug
What this PR does / why we need it:
Bumping golang.org/x/net in light of CVE-2023-39325 and CVE-2023-44487.
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
Does this PR introduce a user-facing change?
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.: