Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Disable HTTP/2 protocol in devfile/registry-support to mitigate CVE-2023-44487 (Rapid Reset) #1342

Closed
2 tasks
Tracked by #1303
rm3l opened this issue Nov 9, 2023 · 2 comments · Fixed by devfile/registry-support#191
Closed
2 tasks
Tracked by #1303

Disable HTTP/2 protocol in devfile/registry-support to mitigate CVE-2023-44487 (Rapid Reset) #1342

rm3l opened this issue Nov 9, 2023 · 2 comments · Fixed by devfile/registry-support#191
Assignees
@thepetk
Labels
area/registry Devfile registry for stacks and infrastructure kind/task

Comments

@rm3l
Copy link
Member

rm3l commented Nov 9, 2023
edited
Loading

/kind task
/area registry

This is a follow-up issue to #1315.

As commented out in #1315 (comment)_, it is strongly recommended, as one of the possible mitigation measures, to disable HTTP/2 endpoints if not needed: https://access.redhat.com/security/cve/CVE-2023-44487

And from this analysis, there seems to be currently only one repo where we need to do so:

  • devfile/registry-support: in the index/server folder, where an HTTP Server is started

The steps for disabling the HTTP/2 protocol in net/http are documented in https://pkg.go.dev/net/http#hdr-HTTP_2

Acceptance Criteria

  • Disable HTTP/2 protocol in servers started in the devfile/registry-support repo
  • Make sure it doesn't break the way existing clients interact with registries
@openshift-ci openshift-ci bot added kind/task area/registry Devfile registry for stacks and infrastructure labels Nov 9, 2023
This was referenced Nov 9, 2023
Closed
Closed
@thepetk thepetk self-assigned this Nov 13, 2023
@thepetk thepetk mentioned this issue Nov 22, 2023
Merged
3 tasks
@thepetk
Copy link
Contributor

thepetk commented Nov 22, 2023

I've created a PR which follows the instructions mentioned in the pkg.go.dev

@thepetk
Copy link
Contributor

thepetk commented Nov 27, 2023

Updating the story points needed for the issue from 3 to 5, as the review process required more time.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@thepetk thepetk

Labels
area/registry Devfile registry for stacks and infrastructure kind/task
Projects
Devfile Project
Status: Done ✅
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Disable http2 for indexServer thepetk/devfile-registry-support
2 participants
@rm3l @thepetk