From 0f051b069a347b743beb49fc01e98969f0224bdf Mon Sep 17 00:00:00 2001 From: David Hadas Date: Tue, 5 Dec 2023 19:15:55 +0200 Subject: [PATCH] Typos and wrong link --- blog/docs/events/security-audit-2023.md | 2 +- blog/docs/index.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/blog/docs/events/security-audit-2023.md b/blog/docs/events/security-audit-2023.md index 11b7d1b922..8033292254 100644 --- a/blog/docs/events/security-audit-2023.md +++ b/blog/docs/events/security-audit-2023.md 
@@ -14,7 +14,7 @@ Knative Extensions are optional plugins and extensions for different Knative use Ada Logics found 16 security issues of which all except for one have been fixed with upstream patches. Three of the found issues are in third-party dependencies to Knative. One of the issues found is scored with high severity due to its potential impact (ADA-KNATIVE-23-7). However, an attacker would need to compromise the Knative user’s supply-chain, which is highly unlikely to occur in a real-world scenario because few Knative users consume Knative in a way that would enable the attack. In addition, the attacker would need to time their attack to a high degree. The issue has been fixed. -One CVE was assigned during the audit for a vulnerability that could allow an attacker with already escalated privileges to cause further damage in the cluster. The attacker needs to first establish a position in a Knative pod, and from there, they could exploit the vulnerability and cause denial of service of the Knative autoscaling, thereby denying any autoscaling of Knative. The issue was assigned CVE-2023-48713 of Moderate severity and has been fixed in v1.10.5, v1.12.0 and v1.11.3. +One CVE was assigned during the audit for a vulnerability that could allow an attacker with already escalated privileges to cause further damage in the cluster. The attacker needs to first establish a position in a Knative pod, and from there, they could exploit the vulnerability and cause denial of service of the Knative autoscaling, thereby denying any autoscaling of Knative. The issue was assigned CVE-2023-48713 of Moderate severity and has been fixed in v1.12.0, v1.11.3 and v1.10.5. Prior to the audit, Knative had invested in building its own [provenance generator](https://github.com/knative/toolbox/tree/main/provenance-generator) which generates slsa-compliant provenance and adds it to releases. 
Users can verify the provenance using [the official SLSA guidelines](https://slsa.dev/spec/v1.0/verifying-artifacts) before consuming. The Knative maintainers found that Knative Serving was missing a few lines of Prow configuration which resulted in Knative Serving releases not having provenance. This was fixed [here](https://github.com/knative/infra/pull/288) which ensures that future releases of Knative Serving will include verifiable provenance. diff --git a/blog/docs/index.md b/blog/docs/index.md index 31b5992cb6..b97865d80e 100644 --- a/blog/docs/index.md +++ b/blog/docs/index.md @@ -23,7 +23,7 @@ Follow this blog to keep up-to-date with Knative. ## Featured Posts ### Knative Completes Third-Party Security Audit -A third-party audit by Ada Logics found a small number of issues, including [one CVE](https://github.com/knative/docs/pull/5788). +A third-party audit by Ada Logics found a small number of issues, including [one CVE](https://github.com/knative/serving/security/advisories/GHSA-qmvj-4qr9-v547). [Read more :octicons-arrow-right-24:](events/security-audit-2023.md){ .md-button }
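Review bot: In the security-audit-2023.md hunk, the only change is reordering the fixed releases from "v1.10.5, v1.12.0 and v1.11.3" to "v1.12.0, v1.11.3 and v1.10.5"; that is a wording change rather than a typo, so the subject line "Typos and wrong link" undersells what the hunk does and the commit message should say the versions were put in descending order for consistency. While this paragraph is being touched, the adjacent context line "generates slsa-compliant provenance" should read "SLSA-compliant" to match the capitalisation of "SLSA guidelines" on the following line.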
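Review bot: In the index.md hunk, pointing "one CVE" at the GHSA-qmvj-4qr9-v547 advisory on knative/serving instead of the docs PR #5788 is the right fix, since the advisory is the authoritative record of CVE-2023-48713 and its fixed versions. For consistency, the mention of CVE-2023-48713 in the security-audit-2023.md hunk is still plain text; linking it to the same advisory, e.g. `[CVE-2023-48713](https://github.com/knative/serving/security/advisories/GHSA-qmvj-4qr9-v547)`, would give readers of both pages the same destination for the fixed-version list.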