From 95d35fbf1588aa81968f24447cb93f301572b191 Mon Sep 17 00:00:00 2001
From: Knative Automation
Date: Mon, 23 Oct 2023 16:38:31 +0000
Subject: [PATCH] upgrade to latest dependencies

bumping knative.dev/pkg d6ab729...29775d7:
> 29775d7 [release-1.12] [CVE-2023-44487] Disable http2 for webhooks (# 2876)

Signed-off-by: Knative Automation
---
 go.mod | 2 +-
 go.sum | 4 ++--
 vendor/knative.dev/pkg/webhook/webhook.go | 18 ++++++++++++++++++
 vendor/modules.txt | 2 +-
 4 files changed, 22 insertions(+), 4 deletions(-)

diff --git a/go.mod b/go.mod
index 39088b710..05ccca07c 100644
--- a/go.mod
+++ b/go.mod
@@ -12,7 +12,7 @@ require (
 k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f
 knative.dev/hack v0.0.0-20231016131700-2c938d4918da
 knative.dev/hack/schema v0.0.0-20231016131700-2c938d4918da
- knative.dev/pkg v0.0.0-20231017113806-d6ab72900ea5
+ knative.dev/pkg v0.0.0-20231023151236-29775d7c9e5c
 )

 require (
diff --git a/go.sum b/go.sum
index 472b0f314..a5ea3efba 100644
--- a/go.sum
+++ b/go.sum
@@ -682,8 +682,8 @@ knative.dev/hack v0.0.0-20231016131700-2c938d4918da h1:xy+fvuz2LDOMsZ5UwXRaMF70N
 knative.dev/hack v0.0.0-20231016131700-2c938d4918da/go.mod h1:yk2OjGDsbEnQjfxdm0/HJKS2WqTLEFg/N6nUs6Rqx3Q=
 knative.dev/hack/schema v0.0.0-20231016131700-2c938d4918da h1:euBj0+2eY7BryoQe6aVg6R40dkbsGHULu6wjBsB3Vf8=
 knative.dev/hack/schema v0.0.0-20231016131700-2c938d4918da/go.mod h1:3pWwBLnTZSM9psSgCAvhKOHIPTzqfEMlWRpDu6IYhK0=
-knative.dev/pkg v0.0.0-20231017113806-d6ab72900ea5 h1:9AvFZdEtuwKWDcTV1VSwmrgrRR9f38wbIAm+sNwLivQ=
-knative.dev/pkg v0.0.0-20231017113806-d6ab72900ea5/go.mod h1:HHRXEd7ZlFpthgE+rwAZ6MUVnuJOAeolnaFSthXloUQ=
+knative.dev/pkg v0.0.0-20231023151236-29775d7c9e5c h1:xyPoEToTWeBdn6tinhLxXfnhJhTNQt5WzHiTNiFphRw=
+knative.dev/pkg v0.0.0-20231023151236-29775d7c9e5c/go.mod h1:HHRXEd7ZlFpthgE+rwAZ6MUVnuJOAeolnaFSthXloUQ=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
diff --git a/vendor/knative.dev/pkg/webhook/webhook.go b/vendor/knative.dev/pkg/webhook/webhook.go
index 7be0336ac..eff693e80 100644
--- a/vendor/knative.dev/pkg/webhook/webhook.go
+++ b/vendor/knative.dev/pkg/webhook/webhook.go
@@ -81,6 +81,17 @@ type Options struct {
 // ControllerOptions encapsulates options for creating a new controller,
 // including throttling and stats behavior.
 ControllerOptions *controller.ControllerOptions
+
+ // EnableHTTP2 enables HTTP2 for webhooks.
+ // Mitigate CVE-2023-44487 by disabling HTTP2 by default until the Go
+ // standard library and golang.org/x/net are fully fixed.
+ // Right now, it is possible for authenticated and unauthenticated users to
+ // hold open HTTP2 connections and consume huge amounts of memory.
+ // See:
+ // * https://github.com/kubernetes/kubernetes/pull/121120
+ // * https://github.com/kubernetes/kubernetes/issues/121197
+ // * https://github.com/golang/go/issues/63417#issuecomment-1758858612
+ EnableHTTP2 bool
 }

 // Operation is the verb being operated on
@@ -245,12 +256,19 @@ func (wh *Webhook) Run(stop <-chan struct{}) error {
 QuietPeriod: wh.Options.GracePeriod,
 }

+ // If TLSNextProto is not nil, HTTP/2 support is not enabled automatically.
+ nextProto := map[string]func(*http.Server, *tls.Conn, http.Handler){}
+ if wh.Options.EnableHTTP2 {
+ nextProto = nil
+ }
+
 server := &http.Server{
 ErrorLog: log.New(&zapWrapper{logger}, "", 0),
 Handler: drainer,
 Addr: fmt.Sprint(":", wh.Options.Port),
 TLSConfig: wh.tlsConfig,
 ReadHeaderTimeout: time.Minute, //https://medium.com/a-journey-with-go/go-understand-and-mitigate-slowloris-attack-711c1b1403f6
+ TLSNextProto: nextProto,
 }

 var serve = server.ListenAndServe
diff --git a/vendor/modules.txt b/vendor/modules.txt
index a61f4abe0..5ff3d8f9c 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -839,7 +839,7 @@ knative.dev/hack/schema/commands
 knative.dev/hack/schema/docs
 knative.dev/hack/schema/registry
 knative.dev/hack/schema/schema
-# knative.dev/pkg v0.0.0-20231017113806-d6ab72900ea5
+# knative.dev/pkg v0.0.0-20231023151236-29775d7c9e5c
 ## explicit; go 1.18
 knative.dev/pkg/apis
 knative.dev/pkg/apis/duck