From 0b891212c55d3bd4a1f304be97673a6dbc3f7809 Mon Sep 17 00:00:00 2001
From: Knative Automation
Date: Tue, 24 Oct 2023 02:19:36 -0400
Subject: [PATCH] upgrade to latest dependencies (#430)

bumping knative.dev/serving 6b844de...2659cc3:
> 2659cc3 upgrade to latest dependencies (# 14555)
> 2a46d0d upgrade to latest dependencies (# 14546)
> 268701d Update net-kourier nightly (# 14549)
> cfd806f Update net-certmanager nightly (# 14550)
bumping knative.dev/networking c086340...2a7676e:
> 2a7676e upgrade to latest dependencies (# 883)
> b6cd712 upgrade to latest dependencies (# 882)
> 64434a8 upgrade to latest dependencies (# 881)
> fa72cb5 Update community files (# 880)
bumping knative.dev/eventing 16a3986...b5fd264:
> b5fd264 Shell executor logs through testing.T in upgrade tests (# 7367)
> 5848584 [main] Upgrade to latest dependencies (# 7388)
bumping knative.dev/pkg d6ab729...29775d7:
> 29775d7 [release-1.12] [CVE-2023-44487] Disable http2 for webhooks (# 2876)

Signed-off-by: Knative Automation
---
 go.mod | 8 ++++----
 go.sum | 16 ++++++++--------
 vendor/knative.dev/pkg/webhook/webhook.go | 18 ++++++++++++++++++
 vendor/modules.txt | 8 ++++----
 4 files changed, 34 insertions(+), 16 deletions(-)

diff --git a/go.mod b/go.mod
index 8118014e3..d6887560e 100644
--- a/go.mod
+++ b/go.mod
@@ -14,10 +14,10 @@ require (
 k8s.io/api v0.27.6
 k8s.io/apimachinery v0.27.6
 k8s.io/client-go v0.27.6
- knative.dev/eventing v0.38.1-0.20231020133954-16a398695622
+ knative.dev/eventing v0.38.1-0.20231023152436-b5fd264775b0
 knative.dev/hack v0.0.0-20231016131700-2c938d4918da
- knative.dev/pkg v0.0.0-20231017113806-d6ab72900ea5
- knative.dev/serving v0.38.1-0.20231020173818-6b844deb81fc
+ knative.dev/pkg v0.0.0-20231023151236-29775d7c9e5c
+ knative.dev/serving v0.38.1-0.20231023192719-2659cc3aed8e
 )

 require (
@@ -103,7 +103,7 @@ require (
 k8s.io/klog/v2 v2.90.1 // indirect
 k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f // indirect
 k8s.io/utils v0.0.0-20230209194617-a36077c30491 // indirect
- knative.dev/networking v0.0.0-20231012062439-c0863403c83b // indirect
+ knative.dev/networking v0.0.0-20231017124814-2a7676e912b7 // indirect
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
 sigs.k8s.io/yaml v1.3.0 // indirect
diff --git a/go.sum b/go.sum
index c776a4544..3938403d1 100644
--- a/go.sum
+++ b/go.sum
@@ -717,16 +717,16 @@ k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f h1:2kWPakN3i/k81b0gvD5C5F
 k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f/go.mod h1:byini6yhqGC14c3ebc/QwanvYwhuMWF6yz2F8uwW8eg=
 k8s.io/utils v0.0.0-20230209194617-a36077c30491 h1:r0BAOLElQnnFhE/ApUsg3iHdVYYPBjNSSOMowRZxxsY=
 k8s.io/utils v0.0.0-20230209194617-a36077c30491/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-knative.dev/eventing v0.38.1-0.20231020133954-16a398695622 h1:0zVa3WIigc9Le/K1MVPNLjFo3lOs4ADj30EbNrRO820=
-knative.dev/eventing v0.38.1-0.20231020133954-16a398695622/go.mod h1:swWS48qpCQbBkj+2iS0rVa7PbQBWLD9YAy3CSHfevaU=
+knative.dev/eventing v0.38.1-0.20231023152436-b5fd264775b0 h1:dRCHnSKwsnqAeQ0TbUdgk12Q5GU/P2P+v/lQ0tyfSfg=
+knative.dev/eventing v0.38.1-0.20231023152436-b5fd264775b0/go.mod h1:a9uzuTLH4ur+Q1wLCqbxIQNcYxeJPRPYBgs3e8lo13Y=
 knative.dev/hack v0.0.0-20231016131700-2c938d4918da h1:xy+fvuz2LDOMsZ5UwXRaMF70NYUs9fsG+EF5/ierYBg=
 knative.dev/hack v0.0.0-20231016131700-2c938d4918da/go.mod h1:yk2OjGDsbEnQjfxdm0/HJKS2WqTLEFg/N6nUs6Rqx3Q=
-knative.dev/networking v0.0.0-20231012062439-c0863403c83b h1:yGtVPNHek3rmKb50k7G9fG/NuuC4FRzESVrWmPFU9AM=
-knative.dev/networking v0.0.0-20231012062439-c0863403c83b/go.mod h1:uEvP4spV82HGB8loxo8nH/LGmwsd9jUGWvDVC+tH4O4=
-knative.dev/pkg v0.0.0-20231017113806-d6ab72900ea5 h1:9AvFZdEtuwKWDcTV1VSwmrgrRR9f38wbIAm+sNwLivQ=
-knative.dev/pkg v0.0.0-20231017113806-d6ab72900ea5/go.mod h1:HHRXEd7ZlFpthgE+rwAZ6MUVnuJOAeolnaFSthXloUQ=
-knative.dev/serving v0.38.1-0.20231020173818-6b844deb81fc h1:lNU0wJatgHEbMBde9VOiWOGENUMZSun30CN4glH7YRc=
-knative.dev/serving v0.38.1-0.20231020173818-6b844deb81fc/go.mod h1:cuia3pUQNF4sa3g3KsPFgqpLnF1pf9iquDLgk71iLfo=
+knative.dev/networking v0.0.0-20231017124814-2a7676e912b7 h1:6+1icZuxiZO1paFZ4d/ysKWVG2M4WB7OxNJNyLG0P/E=
+knative.dev/networking v0.0.0-20231017124814-2a7676e912b7/go.mod h1:1gcHoIVG47ekQWjkddqRq+/7tWRh+CB9W4k/NAcdRbk=
+knative.dev/pkg v0.0.0-20231023151236-29775d7c9e5c 
h1:xyPoEToTWeBdn6tinhLxXfnhJhTNQt5WzHiTNiFphRw=
+knative.dev/pkg v0.0.0-20231023151236-29775d7c9e5c/go.mod h1:HHRXEd7ZlFpthgE+rwAZ6MUVnuJOAeolnaFSthXloUQ=
+knative.dev/serving v0.38.1-0.20231023192719-2659cc3aed8e h1:KLFfwnphfqhrbLYbVep/hUPS829FP+QfQ0jR3nzHZ0w=
+knative.dev/serving v0.38.1-0.20231023192719-2659cc3aed8e/go.mod h1:0QIp5mvgWa1oUC2MxMf+Q/JWgG8JhAsSdJKc6iTRlvE=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
diff --git a/vendor/knative.dev/pkg/webhook/webhook.go b/vendor/knative.dev/pkg/webhook/webhook.go
index 7be0336ac..eff693e80 100644
--- a/vendor/knative.dev/pkg/webhook/webhook.go
+++ b/vendor/knative.dev/pkg/webhook/webhook.go
@@ -81,6 +81,17 @@ type Options struct {
 // ControllerOptions encapsulates options for creating a new controller,
 // including throttling and stats behavior.
 ControllerOptions *controller.ControllerOptions
+
+ // EnableHTTP2 enables HTTP2 for webhooks.
+ // Mitigate CVE-2023-44487 by disabling HTTP2 by default until the Go
+ // standard library and golang.org/x/net are fully fixed.
+ // Right now, it is possible for authenticated and unauthenticated users to
+ // hold open HTTP2 connections and consume huge amounts of memory.
+ // See:
+ // * https://github.com/kubernetes/kubernetes/pull/121120
+ // * https://github.com/kubernetes/kubernetes/issues/121197
+ // * https://github.com/golang/go/issues/63417#issuecomment-1758858612
+ EnableHTTP2 bool
 }

 // Operation is the verb being operated on
@@ -245,12 +256,19 @@ func (wh *Webhook) Run(stop <-chan struct{}) error {
 QuietPeriod: wh.Options.GracePeriod,
 }

+ // If TLSNextProto is not nil, HTTP/2 support is not enabled automatically.
+ nextProto := map[string]func(*http.Server, *tls.Conn, http.Handler){}
+ if wh.Options.EnableHTTP2 {
+ nextProto = nil
+ }
+
 server := &http.Server{
 ErrorLog: log.New(&zapWrapper{logger}, "", 0),
 Handler: drainer,
 Addr: fmt.Sprint(":", wh.Options.Port),
 TLSConfig: wh.tlsConfig,
 ReadHeaderTimeout: time.Minute, //https://medium.com/a-journey-with-go/go-understand-and-mitigate-slowloris-attack-711c1b1403f6
+ TLSNextProto: nextProto,
 }

 var serve = server.ListenAndServe
diff --git a/vendor/modules.txt b/vendor/modules.txt
index b2f2dcaeb..1c888eb1c 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -967,7 +967,7 @@ k8s.io/utils/net
 k8s.io/utils/pointer
 k8s.io/utils/strings/slices
 k8s.io/utils/trace
-# knative.dev/eventing v0.38.1-0.20231020133954-16a398695622
+# knative.dev/eventing v0.38.1-0.20231023152436-b5fd264775b0
 ## explicit; go 1.19
 knative.dev/eventing/pkg/adapter/v2
 knative.dev/eventing/pkg/adapter/v2/test
@@ -1017,12 +1017,12 @@ knative.dev/eventing/pkg/observability/client
 # knative.dev/hack v0.0.0-20231016131700-2c938d4918da
 ## explicit; go 1.18
 knative.dev/hack
-# knative.dev/networking v0.0.0-20231012062439-c0863403c83b
+# knative.dev/networking v0.0.0-20231017124814-2a7676e912b7
 ## explicit; go 1.18
 knative.dev/networking/pkg/apis/networking
 knative.dev/networking/pkg/apis/networking/v1alpha1
 knative.dev/networking/pkg/config
-# knative.dev/pkg v0.0.0-20231017113806-d6ab72900ea5
+# knative.dev/pkg v0.0.0-20231023151236-29775d7c9e5c
 ## explicit; go 1.18
 knative.dev/pkg/apis
 knative.dev/pkg/apis/duck
@@ -1086,7 +1086,7 @@ knative.dev/pkg/webhook/psbinding
 knative.dev/pkg/webhook/resourcesemantics
 knative.dev/pkg/webhook/resourcesemantics/defaulting
 knative.dev/pkg/webhook/resourcesemantics/validation
-# knative.dev/serving v0.38.1-0.20231020173818-6b844deb81fc
+# knative.dev/serving v0.38.1-0.20231023192719-2659cc3aed8e
 ## explicit; go 1.18
 knative.dev/serving/pkg/apis/autoscaling
 knative.dev/serving/pkg/apis/autoscaling/v1alpha1