
Fix for Http2 reset vulnerability CVE-2023-39325 #642


Merged: 1 commit from fix/http2_reset_vuln into grafana:main, Oct 17, 2023

Conversation

frzifus (Collaborator) commented Oct 13, 2023

We can keep our current go version since there is a backport: golang/go#63426

@frzifus frzifus requested a review from pavolloffay October 13, 2023 13:58
@frzifus frzifus force-pushed the fix/http2_reset_vuln branch 2 times, most recently from dd91dc6 to 6852e80 Compare October 13, 2023 14:00
pavolloffay (Collaborator):

We should bump the operand versions that have the fix

pavolloffay (Collaborator) commented Oct 13, 2023

> We can keep our current go version since there is a backport: golang/go#63426

The docker image is using FROM golang:1.21. The link references golang 1.20

frzifus (Collaborator, Author) commented Oct 13, 2023

> We can keep our current go version since there is a backport: golang/go#63426
>
> The docker image is using FROM golang:1.21. The link references golang 1.20

There is a lot of 1.20 in use:

.github/workflows/changelog.yaml:          go-version: "1.20"
.github/workflows/continuous-integration.yaml:          go-version: "1.20"
.github/workflows/continuous-integration.yaml:          go-version: "1.20"
.github/workflows/e2e.yaml:        go-version: "1.20"
.github/workflows/e2e.yaml:        go-version: "1.20"
.github/workflows/release.yaml:        go-version: "1.20"
.github/workflows/scorecard.yaml:          go-version: "1.20"

Anyway there is a fix for 1.21 too. golang/go#63427
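The audit the thread walks through by hand (which `go-version` pins the workflows use, which `FROM golang:` tag the Dockerfile builds from, and whether each one is at or beyond the patched release) can be scripted. The following is an added example written for this page, not code from the operator repository the pull request belongs to; it assumes the patched minimums 1.20.10 and 1.21.3 taken from the Go security release for CVE-2023-39325, and runs over constructed sample file contents embedded inline rather than the real files.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Finding records one Go toolchain reference found in a repository file.
type Finding struct {
	File    string
	Line    int
	Version string
	Status  string // "ok", "outdated", "floating" or "unknown"
}

// patchedMinimum maps a Go minor line to the first patch release that ships the
// fix for CVE-2023-39325. Assumption: values taken from the Go 1.20.10 / 1.21.3
// security release, not from the pull request thread.
var patchedMinimum = map[string]int{
	"1.20": 10,
	"1.21": 3,
}

// versionRef matches the workflow form `go-version: "1.20"` (quotes optional)
// and the Dockerfile form `FROM golang:1.21`, capturing the version string.
var versionRef = regexp.MustCompile(`(?:go-version:\s*["']?|FROM\s+golang:)(\d+\.\d+(?:\.\d+)?)`)

// classify decides whether a version string proves the patched toolchain is used.
func classify(version string) string {
	parts := strings.Split(version, ".")
	if len(parts) < 3 {
		// "1.20" in a workflow or golang:1.21 in a Dockerfile is a floating tag:
		// the patch release actually used depends on what the runner or registry
		// resolves at build time, so the file alone does not show the fix is in.
		return "floating"
	}
	need, known := patchedMinimum[parts[0]+"."+parts[1]]
	if !known {
		return "unknown"
	}
	patch, err := strconv.Atoi(parts[2])
	if err != nil {
		return "unknown"
	}
	if patch < need {
		return "outdated"
	}
	return "ok"
}

// scanFile returns every Go version reference in content, tagged with its status.
func scanFile(name, content string) []Finding {
	var out []Finding
	for i, text := range strings.Split(content, "\n") {
		for _, m := range versionRef.FindAllStringSubmatch(text, -1) {
			out = append(out, Finding{File: name, Line: i + 1, Version: m[1], Status: classify(m[1])})
		}
	}
	return out
}

// needsAttention keeps the findings a reviewer must resolve before trusting
// that a build picked up the fixed toolchain.
func needsAttention(findings []Finding) []Finding {
	var out []Finding
	for _, f := range findings {
		if f.Status != "ok" {
			out = append(out, f)
		}
	}
	return out
}

// Constructed sample inputs (not the repository's real files).
const sampleWorkflow = `name: ci
jobs:
  build:
    steps:
      - uses: actions/setup-go@v4
        with:
          go-version: "1.20"
  lint:
    steps:
      - uses: actions/setup-go@v4
        with:
          go-version: '1.21.2'
  release:
    steps:
      - uses: actions/setup-go@v4
        with:
          go-version: 1.21.3
`

const sampleDockerfile = `FROM golang:1.21 AS builder
WORKDIR /src
COPY . .
RUN go build -o /operator ./...
`

func main() {
	var all []Finding
	all = append(all, scanFile(".github/workflows/ci.yaml", sampleWorkflow)...)
	all = append(all, scanFile("Dockerfile", sampleDockerfile)...)
	for _, f := range needsAttention(all) {
		fmt.Printf("%s:%d go %s -> %s\n", f.File, f.Line, f.Version, f.Status)
	}
}
```

A floating tag such as `"1.20"` or `golang:1.21` is reported rather than trusted: what it resolves to depends on the runner's toolchain cache or the registry's current image at build time, which is why a rebuild right after the release can still pick up an unpatched toolchain. Pinning a full patch version, or checking the resolved version in the build log, makes the fix auditable.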

@frzifus frzifus force-pushed the fix/http2_reset_vuln branch from 6852e80 to e45248e Compare October 13, 2023 15:02
@frzifus frzifus marked this pull request as draft October 13, 2023 15:03
@frzifus frzifus force-pushed the fix/http2_reset_vuln branch from e45248e to 547b8de Compare October 13, 2023 15:06
@frzifus frzifus marked this pull request as ready for review October 13, 2023 15:07
@frzifus frzifus force-pushed the fix/http2_reset_vuln branch 3 times, most recently from 1e1ed07 to b46cc40 Compare October 13, 2023 15:13
frzifus (Collaborator, Author) commented Oct 13, 2023

I assume we have to wait a bit

@frzifus frzifus force-pushed the fix/http2_reset_vuln branch from b46cc40 to 4cd0992 Compare October 17, 2023 14:07
@frzifus frzifus requested a review from pavolloffay October 17, 2023 14:07
@frzifus frzifus enabled auto-merge (squash) October 17, 2023 14:08
@frzifus frzifus merged commit a302113 into grafana:main Oct 17, 2023
pavolloffay (Collaborator):

@frzifus any reason why tempo with the fix was not bumped?

@frzifus frzifus deleted the fix/http2_reset_vuln branch October 17, 2023 14:39
frzifus (Collaborator, Author) commented Oct 17, 2023

It was done here: #645

rubenvp8510 (Collaborator):

Does it have the CVE fix?

pavolloffay (Collaborator):

> It was done here: #645

https://github.com/grafana/tempo/commits/release-v2.2/ 2.2.3 does not have the fix

frzifus (Collaborator, Author) commented Oct 17, 2023

uff - let me bump it
