cindymullins-dw
commented
2 months ago Ambassador will push a PR to address this soon (Moderate security level) but we are not planning any releases at this time. The Emissary release schedule now depends on the Maintainers and is currently TBD (since our decoupling of Emissary releases from the licensed version Edge Stack late last year). It is possible to build Emissary from source to capture PRs that have been merged but not yet released. Feel free to direct questions to me (Cindy Mullins) at a8r.io/slack.
Describe the bug Envoy Proxy has published a security advisory regarding
CVE-2024-30255HTTP/2: CPU exhaustion due to CONTINUATION frame flood. Is Emissary-ingress affected by CVE-2024-30255? If so, should it be upgraded to the fixed Envoy release 1.28.2?Thanks!