From ca5d919f8a720e4cc2ac0a976e55a13fc12935cb Mon Sep 17 00:00:00 2001 From: Knative Automation Date: Mon, 23 Oct 2023 14:53:43 -0400 Subject: [PATCH] upgrade to latest dependencies (#1203) bumping knative.dev/pkg d6ab729...29775d7: > 29775d7 [release-1.12] [CVE-2023-44487] Disable http2 for webhooks (# 2876) Signed-off-by: Knative Automation --- go.mod | 2 +- go.sum | 4 ++-- vendor/knative.dev/pkg/webhook/webhook.go | 18 ++++++++++++++++++ vendor/modules.txt | 2 +- 4 files changed, 22 insertions(+), 4 deletions(-) diff --git a/go.mod b/go.mod index ef4954b2c5..29d2ac44d9 100644 --- a/go.mod +++ b/go.mod @@ -22,7 +22,7 @@ require ( k8s.io/client-go v0.28.0 knative.dev/hack v0.0.0-20231016131700-2c938d4918da knative.dev/networking v0.0.0-20231017124814-2a7676e912b7 - knative.dev/pkg v0.0.0-20231017113806-d6ab72900ea5 + knative.dev/pkg v0.0.0-20231023151236-29775d7c9e5c ) require ( diff --git a/go.sum b/go.sum index fb5e47fc21..a6a7b3a3a8 100644 --- a/go.sum +++ b/go.sum @@ -688,8 +688,8 @@ knative.dev/hack v0.0.0-20231016131700-2c938d4918da h1:xy+fvuz2LDOMsZ5UwXRaMF70N knative.dev/hack v0.0.0-20231016131700-2c938d4918da/go.mod h1:yk2OjGDsbEnQjfxdm0/HJKS2WqTLEFg/N6nUs6Rqx3Q= knative.dev/networking v0.0.0-20231017124814-2a7676e912b7 h1:6+1icZuxiZO1paFZ4d/ysKWVG2M4WB7OxNJNyLG0P/E= knative.dev/networking v0.0.0-20231017124814-2a7676e912b7/go.mod h1:1gcHoIVG47ekQWjkddqRq+/7tWRh+CB9W4k/NAcdRbk= -knative.dev/pkg v0.0.0-20231017113806-d6ab72900ea5 h1:9AvFZdEtuwKWDcTV1VSwmrgrRR9f38wbIAm+sNwLivQ= -knative.dev/pkg v0.0.0-20231017113806-d6ab72900ea5/go.mod h1:HHRXEd7ZlFpthgE+rwAZ6MUVnuJOAeolnaFSthXloUQ= +knative.dev/pkg v0.0.0-20231023151236-29775d7c9e5c h1:xyPoEToTWeBdn6tinhLxXfnhJhTNQt5WzHiTNiFphRw= +knative.dev/pkg v0.0.0-20231023151236-29775d7c9e5c/go.mod h1:HHRXEd7ZlFpthgE+rwAZ6MUVnuJOAeolnaFSthXloUQ= rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= diff --git a/vendor/knative.dev/pkg/webhook/webhook.go b/vendor/knative.dev/pkg/webhook/webhook.go index 7be0336acf..eff693e80d 100644 --- a/vendor/knative.dev/pkg/webhook/webhook.go +++ b/vendor/knative.dev/pkg/webhook/webhook.go @@ -81,6 +81,17 @@ type Options struct { // ControllerOptions encapsulates options for creating a new controller, // including throttling and stats behavior. ControllerOptions *controller.ControllerOptions + + // EnableHTTP2 enables HTTP2 for webhooks. + // Mitigate CVE-2023-44487 by disabling HTTP2 by default until the Go + // standard library and golang.org/x/net are fully fixed. + // Right now, it is possible for authenticated and unauthenticated users to + // hold open HTTP2 connections and consume huge amounts of memory. + // See: + // * https://github.com/kubernetes/kubernetes/pull/121120 + // * https://github.com/kubernetes/kubernetes/issues/121197 + // * https://github.com/golang/go/issues/63417#issuecomment-1758858612 + EnableHTTP2 bool } // Operation is the verb being operated on @@ -245,12 +256,19 @@ func (wh *Webhook) Run(stop <-chan struct{}) error { QuietPeriod: wh.Options.GracePeriod, } + // If TLSNextProto is not nil, HTTP/2 support is not enabled automatically. + nextProto := map[string]func(*http.Server, *tls.Conn, http.Handler){} + if wh.Options.EnableHTTP2 { + nextProto = nil + } + server := &http.Server{ ErrorLog: log.New(&zapWrapper{logger}, "", 0), Handler: drainer, Addr: fmt.Sprint(":", wh.Options.Port), TLSConfig: wh.tlsConfig, ReadHeaderTimeout: time.Minute, //https://medium.com/a-journey-with-go/go-understand-and-mitigate-slowloris-attack-711c1b1403f6 + TLSNextProto: nextProto, } var serve = server.ListenAndServe diff --git a/vendor/modules.txt b/vendor/modules.txt index a9c81db94f..4940dee780 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -970,7 +970,7 @@ knative.dev/networking/test/test_images/runtime/handlers knative.dev/networking/test/test_images/timeout knative.dev/networking/test/test_images/wsserver knative.dev/networking/test/types -# knative.dev/pkg v0.0.0-20231017113806-d6ab72900ea5 +# knative.dev/pkg v0.0.0-20231023151236-29775d7c9e5c ## explicit; go 1.18 knative.dev/pkg/apis knative.dev/pkg/apis/duck