From d206a5fa105257be0b806ff6c804e57d2bd40333 Mon Sep 17 00:00:00 2001 From: Tom McCollough <35183135+chainsaw2k@users.noreply.github.com> Date: Wed, 17 Jul 2024 14:00:07 -0600 Subject: [PATCH 1/2] Update ghsa-m425-mq94-257g.md --- .../security-bulletins/reports/ghsa-m425-mq94-257g.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/docs-content/security-bulletins/reports/ghsa-m425-mq94-257g.md b/docs/docs-content/security-bulletins/reports/ghsa-m425-mq94-257g.md index b842baff81..4c98301db4 100644 --- a/docs/docs-content/security-bulletins/reports/ghsa-m425-mq94-257g.md +++ b/docs/docs-content/security-bulletins/reports/ghsa-m425-mq94-257g.md 
@@ -14,4 +14,4 @@ We provide the most up-to-date information below. | CVE ID | Last Update | NIST CVE Summary | Our Official Summary | CVE Severity | Status | | ------------------------------------------------------------------------ | ----------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------- | ------- | -| [GHSA-m425-mq94-257g](https://github.com/advisories/GHSA-m425-mq94-257g) | 10/25/23 | The affected releases of gRPC-Go, it is possible for an attacker to send HTTP/2 requests, cancel them, and send subsequent requests, which is valid by the HTTP/2 protocol, but would cause the gRPC-Go server to launch more concurrent method handlers than the configured maximum stream limit. | CCVE exists in coredns that’s being used in k8s 1.28.11. Affects only k8s version 1.28.11. For customer workload clusters, workaround is to use k8s version 1.29+. For Palette Self Hosted cluster, a future release will upgrade to 1.29+. | [7.5](https://github.com/advisories/GHSA-m425-mq94-257g) | Ongoing | +| [GHSA-m425-mq94-257g](https://github.com/advisories/GHSA-m425-mq94-257g) | 10/25/23 | The affected releases of gRPC-Go, it is possible for an attacker to send HTTP/2 requests, cancel them, and send subsequent requests, which is valid by the HTTP/2 protocol, but would cause the gRPC-Go server to launch more concurrent method handlers than the configured maximum stream limit. | CVE exists in coredns that’s being used in k8s 1.28.11. 
Affects only k8s version 1.28.11. For customer workload clusters, workaround is to use k8s version 1.29+. For Palette Self Hosted cluster, a future release will upgrade to 1.29+. | [7.5](https://github.com/advisories/GHSA-m425-mq94-257g) | Ongoing | From 99113324d5a5fbbfa89a3877f6cfeafdee6ea6eb Mon Sep 17 00:00:00 2001 From: Karl Cardenas Date: Wed, 17 Jul 2024 13:04:47 -0700 Subject: [PATCH 2/2] chore: typo fix --- .../security-bulletins/reports/ghsa-m425-mq94-257g.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/docs-content/security-bulletins/reports/ghsa-m425-mq94-257g.md b/docs/docs-content/security-bulletins/reports/ghsa-m425-mq94-257g.md index 4c98301db4..42147f6031 100644 --- a/docs/docs-content/security-bulletins/reports/ghsa-m425-mq94-257g.md +++ b/docs/docs-content/security-bulletins/reports/ghsa-m425-mq94-257g.md 
@@ -12,6 +12,6 @@ tags: ["security", "cve"] We provide the most up-to-date information below. -| CVE ID | Last Update | NIST CVE Summary | Our Official Summary | CVE Severity | Status | -| ------------------------------------------------------------------------ | ----------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------- | ------- | +| CVE ID | Last Update | NIST CVE Summary | Our Official Summary | CVE Severity | Status | +| ------------------------------------------------------------------------ | ----------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -------------------------------------------------------- | ------- | | [GHSA-m425-mq94-257g](https://github.com/advisories/GHSA-m425-mq94-257g) | 10/25/23 | The affected releases of gRPC-Go, it is possible for an attacker to send HTTP/2 requests, cancel them, and send subsequent requests, which is valid by the HTTP/2 protocol, but would cause the gRPC-Go server to launch more concurrent method handlers 
than the configured maximum stream limit. | CVE exists in coredns that’s being used in k8s 1.28.11. Affects only k8s version 1.28.11. For customer workload clusters, workaround is to use k8s version 1.29+. For Palette Self Hosted cluster, a future release will upgrade to 1.29+. | [7.5](https://github.com/advisories/GHSA-m425-mq94-257g) | Ongoing |
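Review bot: The CCVE → CVE correction in the "Our Official Summary" cell is right, but the same row's "NIST CVE Summary" cell still opens with a sentence fragment, "The affected releases of gRPC-Go, it is possible for an attacker to send HTTP/2 requests, cancel them, and send subsequent requests, …"; prefixing it with "In " turns it into a complete sentence, which is worth doing while this row is being touched. The "Last Update" cell also still reads 10/25/23 although the row is being edited on 17 Jul 2024; if that column is meant to track the last edit to the bulletin, bump it in the same change so readers can tell the entry was revised.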
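Review bot: The subject "chore: typo fix" does not describe what this hunk does: the deleted and re-added lines are the table header and separator rows, and the only visible difference is that the "Our Official Summary" column is one character narrower, i.e. the table was re-aligned after "CCVE" became "CVE" in patch 1/2. Either reword the subject (for example "chore: realign bulletin table after typo fix") or squash this into the first patch so the typo fix and its re-alignment land as one commit; as it stands, a one-word correction reads in the history as two separate content changes.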