[UNDERTOW-2405][UNDERTOW-2391][UNDERTOW-2407][UNDERTOW-2408][UNDERTOW-2334] CVE-2024-27316 CVE-2023-5685 CVE-2024-6162 Backport bug fixes to 2.2.x #1612
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…er of connections and the length of header frames in the server. The number of connections is now limited by the system property io.undertow.max-connections-per-listener, whose default value is 100. Also, the length of the header was already being partially controlled by MAX_HEADER_SIZE. Now that value has the default max header size enforced by Http2Channel. Signed-off-by: Flavia Rainone <frainone@redhat.com>
…r config, we can use high and low watermarks for this This reverts commit c27c1e4. Signed-off-by: Flavia Rainone <frainone@redhat.com>
fl4via
added
waiting CI check
fl4via
force-pushed
the
2.2.x_backport-bug-fixes
branch
5 times, most recently
from
d265aa6
to
1a95cd1
Compare
…p2-max-header-size, for configuring the maximum size of HTTP2 header sizes, default value set to 20000 Add a test for that new configuration and update affected tests accordingly. Also: add TODO place holders for new config Undertow.HTTP2_MAX_HEADER_SIZE to be added in Undertow 2.4.0.Final. Signed-off-by: Flavia Rainone <frainone@redhat.com>
…uses more data is PROTOCOL_ERROR This makes this code consistent with the handling of headers that surpass the max header size limit elsewhere in HTTP2 (see Http2HeaderBlockParser.emitHeader), and the justification is that the max header size must have been handshaken with the peer as part of settings frame, via the SETTINGS_HEADER_TABLE_SIZE parameter. Signed-off-by: Flavia Rainone <frainone@redhat.com>
Signed-off-by: Flavia Rainone <frainone@redhat.com>
Signed-off-by: Flavia Rainone <frainone@redhat.com>
Signed-off-by: Flavia Rainone <frainone@redhat.com>
…er StringBuilder instance between requests Signed-off-by: Flavia Rainone <frainone@redhat.com>
fl4via
added
waiting CI check
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Jira:
https://issues.redhat.com/browse/UNDERTOW-2405
https://issues.redhat.com/browse/UNDERTOW-2391
https://issues.redhat.com/browse/UNDERTOW-2407
https://issues.redhat.com/browse/UNDERTOW-2408
https://issues.redhat.com/browse/UNDERTOW-2334