From e86912bd9ab66d7f7a906010fb08f629453996b0 Mon Sep 17 00:00:00 2001 From: Kenjiro Nakayama Date: Tue, 24 Oct 2023 18:57:31 +0900 Subject: [PATCH] upgrade to latest dependencies (#14552) (#494) bumping knative.dev/pkg bd99f2f...56bfe0d: > 56bfe0d [release-1.11] [CVE-2023-44487] Disable http2 for webhooks (# 2875) bumping knative.dev/caching 24ff723...ee89f75: > ee89f75 upgrade to latest dependencies (# 797) Signed-off-by: Knative Automation Co-authored-by: Knative Automation --- go.mod | 4 ++-- go.sum | 8 ++++---- vendor/knative.dev/pkg/webhook/webhook.go | 18 ++++++++++++++++++ vendor/modules.txt | 4 ++-- 4 files changed, 26 insertions(+), 8 deletions(-) diff --git a/go.mod b/go.mod index 8b4adc69209f..87d4b8f1cfbe 100644 --- a/go.mod +++ b/go.mod @@ -36,10 +36,10 @@ require ( k8s.io/code-generator v0.26.5 k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280 k8s.io/utils v0.0.0-20221108210102-8e77b1f39fe2 - knative.dev/caching v0.0.0-20230718155311-24ff72399d90 + knative.dev/caching v0.0.0-20231012200751-ee89f751874f knative.dev/hack v0.0.0-20230712131415-ddae80293c43 knative.dev/networking v0.0.0-20231012062757-a5958051caf8 - knative.dev/pkg v0.0.0-20231011193800-bd99f2f98be7 + knative.dev/pkg v0.0.0-20231023150739-56bfe0dd9626 sigs.k8s.io/yaml v1.3.0 ) diff --git a/go.sum b/go.sum index 6fe6f6b62231..947200886701 100644 --- a/go.sum +++ b/go.sum @@ -1007,14 +1007,14 @@ k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280 h1:+70TFaan3hfJzs+7VK2o+O k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280/go.mod h1:+Axhij7bCpeqhklhUTe3xmOn6bWxolyZEeyaFpjGtl4= k8s.io/utils v0.0.0-20221108210102-8e77b1f39fe2 h1:GfD9OzL11kvZN5iArC6oTS7RTj7oJOIfnislxYlqTj8= k8s.io/utils v0.0.0-20221108210102-8e77b1f39fe2/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= -knative.dev/caching v0.0.0-20230718155311-24ff72399d90 h1:FTywJXyLNTMA4XbWIXHh+4aHrLIIkSlGAl9yNTJhipY= -knative.dev/caching v0.0.0-20230718155311-24ff72399d90/go.mod h1:4IprjglzaLM1+/S+7OcMhxL3h15Uh0glFiV4NcJftD8= +knative.dev/caching v0.0.0-20231012200751-ee89f751874f h1:Uzb2EYN7hTTBGO/dis/gRv+Xsp8WKoepiHMyCxQCJD4= +knative.dev/caching v0.0.0-20231012200751-ee89f751874f/go.mod h1:wUsSFu6nUj7/j5GwpLB3wQfjTQODNl9Exb7wmtoGOYY= knative.dev/hack v0.0.0-20230712131415-ddae80293c43 h1:3SE06uNfSFGm/5XS+0trbyCUpgsOaBeyhPQU8FPNFz8= knative.dev/hack v0.0.0-20230712131415-ddae80293c43/go.mod h1:yk2OjGDsbEnQjfxdm0/HJKS2WqTLEFg/N6nUs6Rqx3Q= knative.dev/networking v0.0.0-20231012062757-a5958051caf8 h1:oZMbAAXyiDZUYoQ4qEjL6uxXrL1xBVfEyQJx8sP0XEg= knative.dev/networking v0.0.0-20231012062757-a5958051caf8/go.mod h1:XwZwqJoLZR92N6F/sj8lHxttnry/Kiz+OgG8+uVuYn0= -knative.dev/pkg v0.0.0-20231011193800-bd99f2f98be7 h1:y3qbfYX1SuSr/1ysXvKfpV8q/kCwWLWieCUgAhBUHmQ= -knative.dev/pkg v0.0.0-20231011193800-bd99f2f98be7/go.mod h1:g+UCgSKQ2f15kHYu/V3CPtoKo5F1x/2Y1ot0NSK7gA0= +knative.dev/pkg v0.0.0-20231023150739-56bfe0dd9626 h1:qFE+UDBRg6cpF5LbA0sv1XK4XZ36Z7aTRCa+HcuxnNQ= +knative.dev/pkg v0.0.0-20231023150739-56bfe0dd9626/go.mod h1:g+UCgSKQ2f15kHYu/V3CPtoKo5F1x/2Y1ot0NSK7gA0= pgregory.net/rapid v0.3.3 h1:jCjBsY4ln4Atz78QoBWxUEvAHaFyNDQg9+WU62aCn1U= pgregory.net/rapid v0.3.3/go.mod h1:UYpPVyjFHzYBGHIxLFoupi8vwk6rXNzRY9OMvVxFIOU= rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= diff --git a/vendor/knative.dev/pkg/webhook/webhook.go b/vendor/knative.dev/pkg/webhook/webhook.go index 92dd01ae35e2..26f20a71b6b5 100644 --- a/vendor/knative.dev/pkg/webhook/webhook.go +++ b/vendor/knative.dev/pkg/webhook/webhook.go @@ -74,6 +74,17 @@ type Options struct { // ControllerOptions encapsulates options for creating a new controller, // including throttling and stats behavior. ControllerOptions *controller.ControllerOptions + + // EnableHTTP2 enables HTTP2 for webhooks. + // Mitigate CVE-2023-44487 by disabling HTTP2 by default until the Go + // standard library and golang.org/x/net are fully fixed. + // Right now, it is possible for authenticated and unauthenticated users to + // hold open HTTP2 connections and consume huge amounts of memory. + // See: + // * https://github.com/kubernetes/kubernetes/pull/121120 + // * https://github.com/kubernetes/kubernetes/issues/121197 + // * https://github.com/golang/go/issues/63417#issuecomment-1758858612 + EnableHTTP2 bool } // Operation is the verb being operated on @@ -237,12 +248,19 @@ func (wh *Webhook) Run(stop <-chan struct{}) error { QuietPeriod: wh.Options.GracePeriod, } + // If TLSNextProto is not nil, HTTP/2 support is not enabled automatically. + nextProto := map[string]func(*http.Server, *tls.Conn, http.Handler){} + if wh.Options.EnableHTTP2 { + nextProto = nil + } + server := &http.Server{ ErrorLog: log.New(&zapWrapper{logger}, "", 0), Handler: drainer, Addr: fmt.Sprint(":", wh.Options.Port), TLSConfig: wh.tlsConfig, ReadHeaderTimeout: time.Minute, //https://medium.com/a-journey-with-go/go-understand-and-mitigate-slowloris-attack-711c1b1403f6 + TLSNextProto: nextProto, } var serve = server.ListenAndServe diff --git a/vendor/modules.txt b/vendor/modules.txt index 4e24e33faf9a..f269156ec488 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -1281,7 +1281,7 @@ k8s.io/utils/net k8s.io/utils/pointer k8s.io/utils/strings/slices k8s.io/utils/trace -# knative.dev/caching v0.0.0-20230718155311-24ff72399d90 +# knative.dev/caching v0.0.0-20231012200751-ee89f751874f ## explicit; go 1.18 knative.dev/caching/config knative.dev/caching/pkg/apis/caching @@ -1345,7 +1345,7 @@ knative.dev/networking/pkg/http/stats knative.dev/networking/pkg/ingress knative.dev/networking/pkg/k8s knative.dev/networking/pkg/prober -# knative.dev/pkg v0.0.0-20231011193800-bd99f2f98be7 +# knative.dev/pkg v0.0.0-20231023150739-56bfe0dd9626 ## explicit; go 1.18 knative.dev/pkg/apiextensions/storageversion knative.dev/pkg/apiextensions/storageversion/cmd/migrate