Disable HTTP/2 protocol in devfile/registry-support to mitigate CVE-2023-44487 (Rapid Reset) #1342
/kind task
/area registry
This is a follow-up issue to #1315.
As commented in #1315 (comment), it is strongly recommended, as one of the possible mitigation measures, to disable HTTP/2 endpoints if not needed: https://access.redhat.com/security/cve/CVE-2023-44487
And from this analysis, there seems to be currently only one repo where we need to do so:
index/server folder, where an HTTP Server is started
The steps for disabling the HTTP/2 protocol in net/http are documented in https://pkg.go.dev/net/http#hdr-HTTP_2
Acceptance Criteria
devfile/registry-support repo
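Added example, not code from this issue or from devfile/registry-support: a Go check that applies the TLSNextProto switch described in the net/http documentation linked above and confirms, over a loopback TLS handshake, that the server stops negotiating h2. The helper names disableHTTP2 and negotiatedALPN are assumptions, and the certificate is httptest's built-in test certificate.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
)

// disableHTTP2 (hypothetical helper) uses the switch from the net/http docs:
// a non-nil, empty TLSNextProto map keeps the server from enabling HTTP/2.
func disableHTTP2(srv *http.Server) {
	srv.TLSNextProto = map[string]func(*http.Server, *tls.Conn, http.Handler){}
}

// negotiatedALPN (hypothetical helper) serves TLS on loopback and returns the
// protocol that a client offering both h2 and http/1.1 ends up negotiating.
func negotiatedALPN(mitigate bool) (string, error) {
	// Borrow httptest's built-in localhost test certificate; no key files needed.
	ts := httptest.NewTLSServer(nil)
	cert := ts.TLS.Certificates[0]
	ts.Close()
	srv := &http.Server{TLSConfig: &tls.Config{Certificates: []tls.Certificate{cert}}}
	if mitigate {
		disableHTTP2(srv)
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	go srv.ServeTLS(ln, "", "") // empty file names: use the cert in TLSConfig
	defer srv.Close()
	// Verification is skipped only because the peer is this loopback test server.
	conn, err := tls.Dial("tcp", ln.Addr().String(),
		&tls.Config{NextProtos: []string{"h2", "http/1.1"}, InsecureSkipVerify: true})
	if err != nil {
		return "", err
	}
	defer conn.Close()
	return conn.ConnectionState().NegotiatedProtocol, nil
}

func main() {
	before, _ := negotiatedALPN(false)
	after, _ := negotiatedALPN(true)
	fmt.Println("default:", before, "| mitigated:", after)
}
```

The same net/http documentation section also lists the GODEBUG setting http2server=0 as a process-wide way to turn off HTTP/2 server support without a code change.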