diff --git a/go.mod b/go.mod index de81c0d92..de5f12be5 100644 --- a/go.mod +++ b/go.mod @@ -26,7 +26,7 @@ require ( knative.dev/control-protocol v0.0.0-20230420145039-d9cda76c5b03 knative.dev/hack v0.0.0-20230417170854-f591fea109b3 knative.dev/networking v0.0.0-20231012063223-0b0f2107abef - knative.dev/pkg v0.0.0-20231011201526-df28feae6d34 + knative.dev/pkg v0.0.0-20231023160942-0c39ce4b3a7f sigs.k8s.io/yaml v1.3.0 ) diff --git a/go.sum b/go.sum index 3a1408b76..074e3a6f0 100644 --- a/go.sum +++ b/go.sum @@ -762,8 +762,8 @@ knative.dev/hack v0.0.0-20230417170854-f591fea109b3 h1:+W4WBOq83tfGXKhtv8OB/uJeY knative.dev/hack v0.0.0-20230417170854-f591fea109b3/go.mod h1:yk2OjGDsbEnQjfxdm0/HJKS2WqTLEFg/N6nUs6Rqx3Q= knative.dev/networking v0.0.0-20231012063223-0b0f2107abef h1:FSEKaGc2ztb65VPn4EiTsjAFsmmHlYHUq+j+CCPlDtU= knative.dev/networking v0.0.0-20231012063223-0b0f2107abef/go.mod h1:rMVkShVT/14rtscYC4ZfC0hXghOXqj3EheFUDKYEqns= -knative.dev/pkg v0.0.0-20231011201526-df28feae6d34 h1:H+K37bEBZ2STSWMjCgrdilj38KKZGVxBbob22K99Y50= -knative.dev/pkg v0.0.0-20231011201526-df28feae6d34/go.mod h1:ZRgzFBFmdBsARm6+Pkr9WRG8bXys8rYq64ELfLG6+9w= +knative.dev/pkg v0.0.0-20231023160942-0c39ce4b3a7f h1:XCH1qZqW1riR8cjhMGjewxQXlWPrfgxeUorBjpC6lE4= +knative.dev/pkg v0.0.0-20231023160942-0c39ce4b3a7f/go.mod h1:ZRgzFBFmdBsARm6+Pkr9WRG8bXys8rYq64ELfLG6+9w= rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= diff --git a/vendor/knative.dev/pkg/webhook/webhook.go b/vendor/knative.dev/pkg/webhook/webhook.go index 779d388d2..dd6bc36e1 100644 --- a/vendor/knative.dev/pkg/webhook/webhook.go +++ b/vendor/knative.dev/pkg/webhook/webhook.go @@ -67,6 +67,17 @@ type Options struct { // GracePeriod is how long to wait after failing readiness probes // before shutting down. GracePeriod time.Duration + + // EnableHTTP2 enables HTTP2 for webhooks. + // Mitigate CVE-2023-44487 by disabling HTTP2 by default until the Go + // standard library and golang.org/x/net are fully fixed. + // Right now, it is possible for authenticated and unauthenticated users to + // hold open HTTP2 connections and consume huge amounts of memory. + // See: + // * https://github.com/kubernetes/kubernetes/pull/121120 + // * https://github.com/kubernetes/kubernetes/issues/121197 + // * https://github.com/golang/go/issues/63417#issuecomment-1758858612 + EnableHTTP2 bool } // Operation is the verb being operated on @@ -219,11 +230,18 @@ func (wh *Webhook) Run(stop <-chan struct{}) error { QuietPeriod: wh.Options.GracePeriod, } + // If TLSNextProto is not nil, HTTP/2 support is not enabled automatically. + nextProto := map[string]func(*http.Server, *tls.Conn, http.Handler){} + if wh.Options.EnableHTTP2 { + nextProto = nil + } + server := &http.Server{ Handler: drainer, Addr: fmt.Sprint(":", wh.Options.Port), TLSConfig: wh.tlsConfig, ReadHeaderTimeout: time.Minute, //https://medium.com/a-journey-with-go/go-understand-and-mitigate-slowloris-attack-711c1b1403f6 + TLSNextProto: nextProto, } eg, ctx := errgroup.WithContext(ctx) diff --git a/vendor/modules.txt b/vendor/modules.txt index 6fee350d7..d1cbfca0d 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -940,7 +940,7 @@ knative.dev/networking/test/test_images/runtime/handlers knative.dev/networking/test/test_images/timeout knative.dev/networking/test/test_images/wsserver knative.dev/networking/test/types -# knative.dev/pkg v0.0.0-20231011201526-df28feae6d34 +# knative.dev/pkg v0.0.0-20231023160942-0c39ce4b3a7f ## explicit; go 1.18 knative.dev/pkg/apis knative.dev/pkg/apis/duck