OCPBUGS-21498: [release-4.10] UPSTREAM: <carry>: [CVE-2023-39325] .: bump golang.org/x/net to v0.17.0 #1762

Merged
merged 4 commits into from Oct 14, 2023

Conversation

ncdc

@ncdc ncdc commented Oct 11, 2023

/kind bug

What this PR does / why we need it:

Bumping golang.org/x/net in light of CVE-2023-39325 and CVE-2023-44487.

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?

Address CVE-2023-44487 and CVE-2023-39325 for all components that serve HTTP/2.

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:


@openshift-ci openshift-ci bot added the kind/bug Categorizes issue or PR as related to a bug. label Oct 11, 2023
@openshift-ci openshift-ci bot added the vendor-update Touching vendor dir or related files label Oct 11, 2023
@ncdc

ncdc commented Oct 11, 2023

/retest

Signed-off-by: Andy Goldstein <andy.goldstein@redhat.com>
@openshift-ci-robot openshift-ci-robot added the backports/unvalidated-commits Indicates that not all commits come to merged upstream PRs. label Oct 12, 2023
@openshift-ci-robot

@ncdc: the contents of this pull request could not be automatically validated.

The following commits could not be validated and must be approved by a top-level approver:

Comment /validate-backports to re-evaluate validity of the upstream PRs, for example when they are merged upstream.

@jupierce

/retest all

@openshift-ci

openshift-ci bot commented Oct 13, 2023

@jupierce: The /retest command does not accept any targets.
The following commands are available to trigger required jobs:

  • /test artifacts
  • /test configmap-scale
  • /test e2e-aws-downgrade
  • /test e2e-aws-fips
  • /test e2e-aws-jenkins
  • /test e2e-aws-serial
  • /test e2e-aws-upgrade
  • /test e2e-azure-upgrade
  • /test e2e-gcp
  • /test e2e-gcp-upgrade
  • /test images
  • /test integration
  • /test k8s-e2e-conformance-aws
  • /test k8s-e2e-gcp
  • /test k8s-e2e-gcp-serial
  • /test unit
  • /test verify
  • /test verify-commits

The following commands are available to trigger optional jobs:

  • /test e2e-agnostic-cmd
  • /test e2e-aws
  • /test e2e-aws-cgroupsv2
  • /test e2e-aws-crun
  • /test e2e-aws-csi
  • /test e2e-aws-csi-migration
  • /test e2e-aws-disruptive
  • /test e2e-aws-multitenant
  • /test e2e-aws-ovn
  • /test e2e-aws-single-node
  • /test e2e-azure
  • /test e2e-metal-ipi
  • /test e2e-metal-ipi-ovn-dualstack
  • /test e2e-metal-ipi-ovn-ipv6
  • /test e2e-openstack
  • /test e2e-openstack-csi-cinder
  • /test e2e-openstack-csi-manila
  • /test e2e-vsphere
  • /test k8s-e2e-aws
  • /test k8s-e2e-aws-serial
  • /test k8s-e2e-gcp-five-control-plane-replicas

Use /test all to run the following jobs that were automatically triggered:

  • pull-ci-openshift-kubernetes-release-4.10-artifacts
  • pull-ci-openshift-kubernetes-release-4.10-e2e-agnostic-cmd
  • pull-ci-openshift-kubernetes-release-4.10-e2e-aws-cgroupsv2
  • pull-ci-openshift-kubernetes-release-4.10-e2e-aws-crun
  • pull-ci-openshift-kubernetes-release-4.10-e2e-aws-csi
  • pull-ci-openshift-kubernetes-release-4.10-e2e-aws-fips
  • pull-ci-openshift-kubernetes-release-4.10-e2e-aws-serial
  • pull-ci-openshift-kubernetes-release-4.10-e2e-gcp
  • pull-ci-openshift-kubernetes-release-4.10-e2e-gcp-upgrade
  • pull-ci-openshift-kubernetes-release-4.10-e2e-openstack-csi-manila
  • pull-ci-openshift-kubernetes-release-4.10-images
  • pull-ci-openshift-kubernetes-release-4.10-integration
  • pull-ci-openshift-kubernetes-release-4.10-k8s-e2e-aws
  • pull-ci-openshift-kubernetes-release-4.10-k8s-e2e-aws-serial
  • pull-ci-openshift-kubernetes-release-4.10-k8s-e2e-conformance-aws
  • pull-ci-openshift-kubernetes-release-4.10-k8s-e2e-gcp
  • pull-ci-openshift-kubernetes-release-4.10-k8s-e2e-gcp-serial
  • pull-ci-openshift-kubernetes-release-4.10-unit
  • pull-ci-openshift-kubernetes-release-4.10-verify
  • pull-ci-openshift-kubernetes-release-4.10-verify-commits

@deads2k

deads2k commented Oct 13, 2023

Checked the patch. Diff looks well reconciled.

/lgtm
/approve

@deads2k

deads2k commented Oct 13, 2023

/hold

Holding so that we don't automatically retest jobs that won't succeed. Once resolved, feel free to remove the hold.

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Oct 13, 2023
@jupierce

/test all

@openshift-ci openshift-ci bot added lgtm Indicates that a PR is ready to be merged. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Oct 13, 2023
@jupierce

/retest

@deads2k deads2k added cherry-pick-approved Indicates a cherry-pick PR into a release branch has been approved by the release branch manager. backports/validated-commits Indicates that all commits come to merged upstream PRs. backport-risk-assessed Indicates a PR to a release branch has been evaluated and considered safe to accept. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. and removed backports/unvalidated-commits Indicates that not all commits come to merged upstream PRs. labels Oct 13, 2023
This change fully addresses CVE-2023-44487 and CVE-2023-39325 for
the API server when the client is unauthenticated.

The changes to util/runtime are required because otherwise a large
number of requests can get blocked on the time.Sleep calls.

For unauthenticated clients (either via 401 or the anonymous user),
we simply no longer allow such clients to hold open http2
connections.  They can use http2, but with the performance of http1
(with keep-alive disabled).

Since this change has the potential to cause issues, the
UnauthenticatedHTTP2DOSMitigation feature gate can be disabled to
remove this protection (it is enabled by default).  For example,
when the API server is fronted by an L7 load balancer that is set up
to mitigate http2 attacks, unauthenticated clients could force
disable connection reuse between the load balancer and the API
server (many incoming connections could share the same backend
connection).  An API server that is on a private network may opt to
disable this protection to prevent performance regressions for
unauthenticated clients.

For all other clients, we rely on the golang.org/x/net fix in
golang/net@b225e7c
That change is not sufficient to adequately protect against a
motivated client - future changes to Kube and/or golang.org/x/net
will be explored to address this gap.

The Kube API server now uses a max stream of 100 instead of 250
(this matches the Go http2 client default).  This lowers the abuse
limit from 1000 to 400.

Signed-off-by: Monis Khan <mok@microsoft.com>
(cherry picked from commit d40f08f)
… http1 tests

These occasionally flake on CI:

https://prow.k8s.io/view/gs/kubernetes-jenkins/pr-logs/pull/121200/pull-kubernetes-unit-go-compatibility/1712589824344461312

=== Failed
=== FAIL: vendor/k8s.io/apiserver/pkg/endpoints/filters TestUnauthenticatedHTTP2ClientConnectionClose/other_skip=true/http/1.1 (0.19s)
    authentication_test.go:653: expect TCP connection: 1, actual: 2
        --- FAIL: TestUnauthenticatedHTTP2ClientConnectionClose/other_skip=true/http/1.1 (0.19s)

=== FAIL: vendor/k8s.io/apiserver/pkg/endpoints/filters TestUnauthenticatedHTTP2ClientConnectionClose/other_skip=true (0.23s)
    --- FAIL: TestUnauthenticatedHTTP2ClientConnectionClose/other_skip=true (0.23s)

=== FAIL: vendor/k8s.io/apiserver/pkg/endpoints/filters TestUnauthenticatedHTTP2ClientConnectionClose (2.30s)

Signed-off-by: Monis Khan <mok@microsoft.com>
(cherry picked from commit 2029344)
Signed-off-by: Andy Goldstein <andy.goldstein@redhat.com>
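The mitigation the cherry-picked commit message above describes, as an added example in Go. This is illustrative code written for this page, not the kube-apiserver authentication filter and not code from this PR: the `demoAuth` token table, the bearer tokens, the request path, the `X-Remote-User` header and the `mitigationEnabled` boolean standing in for the `UnauthenticatedHTTP2DOSMitigation` feature gate are all made up for the demonstration. The policy it implements is the one in the commit message: a client that fails authentication (401) or maps to the anonymous user gets a `Connection: close` header when it arrived over HTTP/2, and Go's HTTP/2 server turns that header into a GOAWAY plus connection teardown once the connection is idle, so such clients cannot hold HTTP/2 connections open; authenticated clients and HTTP/1.x clients are untouched. It uses only the standard library, so it does not show the lowered `MaxConcurrentStreams` (100 rather than 250), which is a field on `golang.org/x/net/http2.Server`.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

const anonymousUser = "system:anonymous"

// authenticator is a stand-in for the API server's authenticator chain.
type authenticator func(r *http.Request) (user string, ok bool)

// demoAuth is a constructed token table for this example only.
func demoAuth(r *http.Request) (string, bool) {
	if r.Header.Get("Authorization") == "Bearer alice-token" {
		return "alice", true
	}
	return "", false
}

// markUnauthenticated asks the server to close the connection after this
// response, but only for HTTP/2 requests and only when the (hypothetical)
// mitigation gate is on. Go's HTTP/2 server never puts a Connection header
// on the wire; it treats "Connection: close" from a handler as "send GOAWAY
// and close the TCP connection when idle", which is what the commit relies on.
func markUnauthenticated(w http.ResponseWriter, r *http.Request, mitigationEnabled bool) {
	if mitigationEnabled && r.ProtoMajor == 2 {
		w.Header().Set("Connection", "close")
	}
}

// withUnauthenticatedHTTP2Mitigation wraps next with the commit's policy:
// a 401 or an anonymous user on HTTP/2 gets a connection close; everyone
// else proceeds unchanged.
func withUnauthenticatedHTTP2Mitigation(next http.Handler, auth authenticator, mitigationEnabled, allowAnonymous bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		user, ok := auth(r)
		if !ok && !allowAnonymous {
			markUnauthenticated(w, r, mitigationEnabled)
			http.Error(w, "Unauthorized", http.StatusUnauthorized)
			return
		}
		if !ok {
			user = anonymousUser
			markUnauthenticated(w, r, mitigationEnabled)
		}
		r.Header.Set("X-Remote-User", user) // illustrative only; not how kube propagates user info
		next.ServeHTTP(w, r)
	})
}

// serve pushes one request through h with httptest and reports the status
// code and whether the handler requested a connection close. A recorder has
// no real HTTP/2 connection, so the header is observed directly rather than
// as a GOAWAY frame. proto is "HTTP/1.1" or "HTTP/2.0".
func serve(h http.Handler, proto, token string) (status int, closeRequested bool) {
	req := httptest.NewRequest(http.MethodGet, "/api/v1/namespaces", nil)
	req.Proto = proto
	req.ProtoMajor, req.ProtoMinor = 1, 1
	if proto == "HTTP/2.0" {
		req.ProtoMajor, req.ProtoMinor = 2, 0
	}
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Result().Header.Get("Connection") == "close"
}

func main() {
	hello := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "hello %s\n", r.Header.Get("X-Remote-User"))
	})
	// Gate enabled (the default, per the commit message) and anonymous requests allowed.
	h := withUnauthenticatedHTTP2Mitigation(hello, demoAuth, true, true)
	for _, c := range []struct{ proto, token string }{
		{"HTTP/2.0", ""},
		{"HTTP/2.0", "alice-token"},
		{"HTTP/1.1", ""},
	} {
		status, closed := serve(h, c.proto, c.token)
		fmt.Printf("%-8s token=%-13q status=%d connection-close=%v\n", c.proto, c.token, status, closed)
	}
}
```

Running it shows the three outcomes the commit describes: the anonymous HTTP/2 request succeeds but carries the close request, the authenticated HTTP/2 request is left alone, and the anonymous HTTP/1.1 request is left alone because the change targets HTTP/2 only. Disabling the gate (the fourth argument `false`) removes the close request in every case, which is the escape hatch the commit mentions for deployments behind an L7 load balancer that already mitigates HTTP/2 abuse.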
@openshift-ci-robot openshift-ci-robot added backports/unvalidated-commits Indicates that not all commits come to merged upstream PRs. and removed backports/validated-commits Indicates that all commits come to merged upstream PRs. labels Oct 13, 2023
@openshift-ci-robot

@ncdc: the contents of this pull request could not be automatically validated.

The following commits could not be validated and must be approved by a top-level approver:

Comment /validate-backports to re-evaluate validity of the upstream PRs, for example when they are merged upstream.

@openshift-ci openshift-ci bot removed the lgtm Indicates that a PR is ready to be merged. label Oct 13, 2023
Adjust test that was added to work with go 1.18

Signed-off-by: Andy Goldstein <andy.goldstein@redhat.com>
(cherry picked from commit 61fc003)
@openshift-ci-robot

@ncdc: the contents of this pull request could not be automatically validated.

The following commits could not be validated and must be approved by a top-level approver:

Comment /validate-backports to re-evaluate validity of the upstream PRs, for example when they are merged upstream.

@deads2k

deads2k commented Oct 13, 2023

/lgtm

@deads2k

deads2k commented Oct 13, 2023

/hold cancel

@openshift-ci openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Oct 13, 2023
@deads2k deads2k added backports/validated-commits Indicates that all commits come to merged upstream PRs. and removed backports/unvalidated-commits Indicates that not all commits come to merged upstream PRs. labels Oct 13, 2023
@openshift-ci

openshift-ci bot commented Oct 13, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: deads2k, ncdc


@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Oct 13, 2023
@ncdc ncdc changed the title [release-4.10] UPSTREAM: <carry>: [CVE-2023-39325] .: bump golang.org/x/net to v0.17.0 OCPBUGS-21498: [release-4.10] UPSTREAM: <carry>: [CVE-2023-39325] .: bump golang.org/x/net to v0.17.0 Oct 13, 2023
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Oct 13, 2023
@openshift-ci-robot

@ncdc: This pull request references Jira Issue OCPBUGS-21498, which is invalid:

  • expected Jira Issue OCPBUGS-21498 to depend on a bug targeting a version in 4.11.0, 4.11.z and in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but no dependents were found

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Retaining the jira/valid-bug label as it was manually added.


@ncdc

ncdc commented Oct 13, 2023

/test k8s-e2e-gcp-serial

@openshift-ci-robot

/retest-required

Remaining retests: 0 against base HEAD 26fdcdf and 2 for PR HEAD c18ec89 in total

@jupierce

/retest

@jupierce

/retest

@jupierce

/retest

@jupierce

/retest

@deads2k

deads2k commented Oct 14, 2023

/override ci/prow/k8s-e2e-gcp

Passed each test at least once

@openshift-ci

openshift-ci bot commented Oct 14, 2023

@deads2k: Overrode contexts on behalf of deads2k: ci/prow/k8s-e2e-gcp

@openshift-ci openshift-ci bot merged commit 9d53ff0 into openshift:release-4.10 Oct 14, 2023
20 of 21 checks passed
@openshift-ci-robot

@ncdc: Jira Issue OCPBUGS-21498: All pull requests linked via external trackers have merged:

Jira Issue OCPBUGS-21498 has been moved to the MODIFIED state.

@openshift-merge-robot

Fix included in accepted release 4.10.0-0.nightly-2023-10-14-170434
