diff --git a/go.mod b/go.mod
index d983c825b..e62f10175 100644
--- a/go.mod
+++ b/go.mod
@@ -14,10 +14,10 @@ require (
 	k8s.io/api v0.25.4
 	k8s.io/apimachinery v0.25.4
 	k8s.io/client-go v0.25.4
-	knative.dev/eventing v0.37.3
+	knative.dev/eventing v0.37.4
 	knative.dev/hack v0.0.0-20230417170854-f591fea109b3
-	knative.dev/pkg v0.0.0-20231011201526-df28feae6d34
-	knative.dev/serving v0.37.3
+	knative.dev/pkg v0.0.0-20231023160942-0c39ce4b3a7f
+	knative.dev/serving v0.37.4
 )
 
 require (
@@ -105,7 +105,7 @@ require (
 	k8s.io/klog/v2 v2.80.2-0.20221028030830-9ae4992afb54 // indirect
 	k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280 // indirect
 	k8s.io/utils v0.0.0-20221108210102-8e77b1f39fe2 // indirect
-	knative.dev/networking v0.0.0-20230419144338-e5d04e805e50 // indirect
+	knative.dev/networking v0.0.0-20231012063223-0b0f2107abef // indirect
 	sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
 	sigs.k8s.io/yaml v1.3.0 // indirect
diff --git a/go.sum b/go.sum
index 8f73ea3ca..03c570936 100644
--- a/go.sum
+++ b/go.sum
@@ -979,16 +979,16 @@ k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280 h1:+70TFaan3hfJzs+7VK2o+O
 k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280/go.mod h1:+Axhij7bCpeqhklhUTe3xmOn6bWxolyZEeyaFpjGtl4=
 k8s.io/utils v0.0.0-20221108210102-8e77b1f39fe2 h1:GfD9OzL11kvZN5iArC6oTS7RTj7oJOIfnislxYlqTj8=
 k8s.io/utils v0.0.0-20221108210102-8e77b1f39fe2/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-knative.dev/eventing v0.37.3 h1:TFJS/bcWJbcY4YvGg+LNEm0qdmeaMAHdUGHKuOmnX9E=
-knative.dev/eventing v0.37.3/go.mod h1:DFZEmPkisDkr3jbTQd6mK+Dno3k9yacSgbkJGIDWg3c=
+knative.dev/eventing v0.37.4 h1:JPgz4VvYY0/YO9O+5Y4FNUhuZKNxE1Soo8zKs7JdTBU=
+knative.dev/eventing v0.37.4/go.mod h1:oGwuBilJ14D1AJyRnsVR3iujY8aw2mhhPSDFCfUaTis=
 knative.dev/hack v0.0.0-20230417170854-f591fea109b3 h1:+W4WBOq83tfGXKhtv8OB/uJeYqze3zh69GKiz1ucuqk=
 knative.dev/hack v0.0.0-20230417170854-f591fea109b3/go.mod h1:yk2OjGDsbEnQjfxdm0/HJKS2WqTLEFg/N6nUs6Rqx3Q=
-knative.dev/networking v0.0.0-20230419144338-e5d04e805e50 h1:X9rPBYr7Vrm075q0iXTr7/0oklkYoyqvlnrUwNzcUhI=
-knative.dev/networking v0.0.0-20230419144338-e5d04e805e50/go.mod h1:o2MyGpGfU5DoSAWCE2f/jnSC9GjGOplCslbA99yDkGo=
-knative.dev/pkg v0.0.0-20231011201526-df28feae6d34 h1:H+K37bEBZ2STSWMjCgrdilj38KKZGVxBbob22K99Y50=
-knative.dev/pkg v0.0.0-20231011201526-df28feae6d34/go.mod h1:ZRgzFBFmdBsARm6+Pkr9WRG8bXys8rYq64ELfLG6+9w=
-knative.dev/serving v0.37.3 h1:ebJCVLb3ZHnrJHNKDw/v5eO2Yz6F3l6lpRgAuNo4KE8=
-knative.dev/serving v0.37.3/go.mod h1:v0Xbfp7olb0Gljm5l4qNuLsIf8/2p1rIt/mphxvx1z0=
+knative.dev/networking v0.0.0-20231012063223-0b0f2107abef h1:FSEKaGc2ztb65VPn4EiTsjAFsmmHlYHUq+j+CCPlDtU=
+knative.dev/networking v0.0.0-20231012063223-0b0f2107abef/go.mod h1:rMVkShVT/14rtscYC4ZfC0hXghOXqj3EheFUDKYEqns=
+knative.dev/pkg v0.0.0-20231023160942-0c39ce4b3a7f h1:XCH1qZqW1riR8cjhMGjewxQXlWPrfgxeUorBjpC6lE4=
+knative.dev/pkg v0.0.0-20231023160942-0c39ce4b3a7f/go.mod h1:ZRgzFBFmdBsARm6+Pkr9WRG8bXys8rYq64ELfLG6+9w=
+knative.dev/serving v0.37.4 h1:EEd5hAT9GKDQXK/smngt8p4P0P8WW50WJyF09A5QT9M=
+knative.dev/serving v0.37.4/go.mod h1:zrzvt9L6RjUFcwcY4o3uSqFIEjWHc2hAPvpBenmUt6w=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
diff --git a/vendor/knative.dev/pkg/webhook/webhook.go b/vendor/knative.dev/pkg/webhook/webhook.go
index 779d388d2..dd6bc36e1 100644
--- a/vendor/knative.dev/pkg/webhook/webhook.go
+++ b/vendor/knative.dev/pkg/webhook/webhook.go
@@ -67,6 +67,17 @@ type Options struct {
 	// GracePeriod is how long to wait after failing readiness probes
 	// before shutting down.
 	GracePeriod time.Duration
+
+	// EnableHTTP2 enables HTTP2 for webhooks.
+	// Mitigate CVE-2023-44487 by disabling HTTP2 by default until the Go
+	// standard library and golang.org/x/net are fully fixed.
+	// Right now, it is possible for authenticated and unauthenticated users to
+	// hold open HTTP2 connections and consume huge amounts of memory.
+	// See:
+	// * https://github.com/kubernetes/kubernetes/pull/121120
+	// * https://github.com/kubernetes/kubernetes/issues/121197
+	// * https://github.com/golang/go/issues/63417#issuecomment-1758858612
+	EnableHTTP2 bool
 }
 
 // Operation is the verb being operated on
@@ -219,11 +230,18 @@ func (wh *Webhook) Run(stop <-chan struct{}) error {
 		QuietPeriod: wh.Options.GracePeriod,
 	}
 
+	// If TLSNextProto is not nil, HTTP/2 support is not enabled automatically.
+	nextProto := map[string]func(*http.Server, *tls.Conn, http.Handler){}
+	if wh.Options.EnableHTTP2 {
+		nextProto = nil
+	}
+
 	server := &http.Server{
 		Handler: drainer,
 		Addr: fmt.Sprint(":", wh.Options.Port),
 		TLSConfig: wh.tlsConfig,
 		ReadHeaderTimeout: time.Minute, //https://medium.com/a-journey-with-go/go-understand-and-mitigate-slowloris-attack-711c1b1403f6
+		TLSNextProto: nextProto,
 	}
 
 	eg, ctx := errgroup.WithContext(ctx)
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 2d3a6e043..24a51417d 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -951,7 +951,7 @@ k8s.io/utils/net
 k8s.io/utils/pointer
 k8s.io/utils/strings/slices
 k8s.io/utils/trace
-# knative.dev/eventing v0.37.3
+# knative.dev/eventing v0.37.4
 ## explicit; go 1.19
 knative.dev/eventing/pkg/adapter/v2
 knative.dev/eventing/pkg/adapter/v2/test
@@ -998,12 +998,12 @@ knative.dev/eventing/pkg/observability/client
 # knative.dev/hack v0.0.0-20230417170854-f591fea109b3
 ## explicit; go 1.18
 knative.dev/hack
-# knative.dev/networking v0.0.0-20230419144338-e5d04e805e50
+# knative.dev/networking v0.0.0-20231012063223-0b0f2107abef
 ## explicit; go 1.18
 knative.dev/networking/pkg/apis/networking
 knative.dev/networking/pkg/apis/networking/v1alpha1
 knative.dev/networking/pkg/config
-# knative.dev/pkg v0.0.0-20231011201526-df28feae6d34
+# knative.dev/pkg v0.0.0-20231023160942-0c39ce4b3a7f
 ## explicit; go 1.18
 knative.dev/pkg/apis
 knative.dev/pkg/apis/duck
@@ -1067,7 +1067,7 @@ knative.dev/pkg/webhook/psbinding
 knative.dev/pkg/webhook/resourcesemantics
 knative.dev/pkg/webhook/resourcesemantics/defaulting
 knative.dev/pkg/webhook/resourcesemantics/validation
-# knative.dev/serving v0.37.3
+# knative.dev/serving v0.37.4
 ## explicit; go 1.18
 knative.dev/serving/pkg/apis/autoscaling
 knative.dev/serving/pkg/apis/autoscaling/v1alpha1