WIP - CVE-2023-44487: Mitigate HTTP/2 Rapid Reset #160
Conversation
Update base golang version and grpc dependency to mitigate CVE-2023-44487 (HTTP/2 Rapid Reset) denial of service attack. grpc is an indirect dependency used in our Kubernetes client libraries. Overall risk for the operator is low, since the operator's typical deployment does not expose an HTTP server that is reachable over the internet (it does deploy a Prometheus metrics server, but that should not be exposed to the general internet).
openshift-ci
bot
added
do-not-merge/work-in-progress
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
pull-request-size
bot
added
the
size/M
|
/close No substantial differences between this an #157. Will create a separate PR for updating golang to 1.20. |
|
@adambkaplan: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Update base golang version and grpc dependency to mitigate CVE-2023-44487 (HTTP/2 Rapid Reset) denial of service attack. grpc is an indirect dependency used in our Kubernetes client libraries. Overall risk for the operator is low, since the operator's typical deployment does not expose an HTTP server that is reachable over the internet (it does deploy a Prometheus metrics server, but that should not be exposed to the general internet).
Changes
Submitter Checklist
See the contributor guide
for details on coding conventions, github and prow interactions, and the code review process.
Release Notes