
CVE-2024-12698: ose-olm-catalogd-container: incomplete fix for rapid reset (CVE-2023-39325/CVE-2023-44487) [openshift-4.19] #102

Closed

Conversation

Contributor

openshift-ci bot commented Jan 6, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: camilamacedo86
Once this PR has been reviewed and has the lgtm label, please assign everettraven for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tmshort
Contributor

tmshort commented Jan 7, 2025

This should really be done upstream, and then properly downstreamed, since you are making changes to non-openshift code.
However, as long as it's been fixed in upstream catalogd, you should be able to make this a DROP commit, by changing the commit headlines to be prefixed with:

UPSTREAM: <drop>: 

@tmshort
Contributor

tmshort commented Jan 8, 2025

This commit may not be necessary once the latest downstreaming happens... so let's wait until #104 merges
/hold

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jan 8, 2025
… Risks (#484)

Ensure HTTP/2 is disabled by default for webhooks. Disabling HTTP/2 mitigates vulnerabilities associated with:
  - HTTP/2 Stream Cancellation (GHSA-qppj-fm5r-hxr3)
  - HTTP/2 Rapid Reset (GHSA-4374-p667-p6c8)

While CVE fixes exist, they remain insufficient; disabling HTTP/2 helps reduce risks. For details, see: kubernetes/kubernetes#121197

Signed-off-by: Camila Macedo <7708031+camilamacedo86@users.noreply.github.com>
@camilamacedo86 camilamacedo86 changed the title [CVE-2024-12698]: ose-olm-catalogd-container: incomplete fix for rapid reset (CVE-2023-39325/CVE-2023-44487) [openshift-4.19] CVE-2024-12698: ose-olm-catalogd-container: incomplete fix for rapid reset (CVE-2023-39325/CVE-2023-44487) [openshift-4.19] Jan 9, 2025
@openshift-ci-robot

@camilamacedo86: No Jira issue with key CVE-2024 exists in the tracker at https://issues.redhat.com/.
Once a valid jira issue is referenced in the title of this pull request, request a refresh with /jira refresh.

In response to this:

Cherry pick from https://github.com/operator-framework/catalogd

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

Contributor

openshift-ci bot commented Jan 9, 2025

@camilamacedo86: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@camilamacedo86
Contributor Author

It is synced in this branch now, see: https://github.com/openshift/operator-framework-catalogd/blob/release-4.19/cmd/manager/main.go#L172-L189

We do not need this PR.

Labels
do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command.

3 participants