chore(deps): update dependency rancher/rke2 to v1.30.2+rke2r1

uniget-bot commented 4 days ago

This PR contains the following updates:

Package	Update	Change
rancher/rke2	patch	`1.30.1+rke2r1` -> `1.30.2+rke2r1`

[!WARNING] Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

Release Notes

rancher/rke2 (rancher/rke2)

### [`v1.30.2+rke2r1`](https://togithub.com/rancher/rke2/releases/tag/v1.30.2%2Brke2r1): v1.30.2+rke2r1 [Compare Source](https://togithub.com/rancher/rke2/compare/v1.30.2-rc7+rke2r1...v1.30.2+rke2r1) This release updates Kubernetes to v1.30.2. **Important Note** If your server (control-plane) nodes were not started with the `--token` CLI flag or config file key, a randomized token was generated during initial cluster startup. This key is used both for joining new nodes to the cluster, and for encrypting cluster bootstrap data within the datastore. Ensure that you retain a copy of this token, as is required when restoring from backup. You may retrieve the token value from any server already joined to the cluster: ```bash cat /var/lib/rancher/rke2/server/token ``` #### Changes since v1.30.1+rke2r1: - Improve rke2-uninstall.ps1 script [(#5779)](https://togithub.com/rancher/rke2/pull/5779) - Add cilium no proxy e2e test [(#5885)](https://togithub.com/rancher/rke2/pull/5885) - Apply netpols async with retry [(#5909)](https://togithub.com/rancher/rke2/pull/5909) - Remove cisnetworkpolicy finalizer when controller is disabled [(#5856)](https://togithub.com/rancher/rke2/pull/5856) - Update cloud-provider image which now uses scratch as base [(#5933)](https://togithub.com/rancher/rke2/pull/5933) - Rke2-cloud-provider uses now scratch base image - Update flannel chart to fix vni error [(#5953)](https://togithub.com/rancher/rke2/pull/5953) - Use vni=4096 as default for rke2-flannel - Add a Kine fix when rke2 restart apiserver [(#5931)](https://togithub.com/rancher/rke2/pull/5931) - Fix apiserver delay to restart when apiserver is using kine - Fix incorrect wrangler package import [(#6007)](https://togithub.com/rancher/rke2/pull/6007) - Update channel server for may 2024 [(#5951)](https://togithub.com/rancher/rke2/pull/5951) - Add extra log in e2e tests [(#5955)](https://togithub.com/rancher/rke2/pull/5955) - Bump nginx to v1.10.1 [(#6022)](https://togithub.com/rancher/rke2/pull/6022) - Update rke2-killall.sh [(#4111)](https://togithub.com/rancher/rke2/pull/4111) - Changed systemctl command from 'restart' to 'try-restart' for fapolicyd in rke2-uninstall.sh [(#5811)](https://togithub.com/rancher/rke2/pull/5811) - Allow disabling injection of cluster config into HelmCharts [(#6010)](https://togithub.com/rancher/rke2/pull/6010) - Injection of cluster config variables into HelmChart resources found on disk can now be disabled per-chart by adding a `rke2.cattle.io/inject-cluster-config: "false"` annotation to HelmChart resources, or by setting the RKE2\_INJECT_CLUSTER_CONFIG=false environment variable to disable it for all resources that do not set the annotation to false. - Bump multus and whereabouts version [(#6015)](https://togithub.com/rancher/rke2/pull/6015) - Bump flannel to v0.25.201 and canal to v3.28.0-build2024052800 [(#6043)](https://togithub.com/rancher/rke2/pull/6043) - Add ADR for branching strategy [(#4078)](https://togithub.com/rancher/rke2/pull/4078) - Add easy support for single node sqlite with kine [(#5954)](https://togithub.com/rancher/rke2/pull/5954) - New behavior when --disable-etcd is used without --server, rke2 will use sqlite as the default database - Bump harvester-cloud-provider v0.2.4 [(#5980)](https://togithub.com/rancher/rke2/pull/5980) - Bump K3s version for v1.30 [(#6073)](https://togithub.com/rancher/rke2/pull/6073) - Fix loadManifests function [(#6058)](https://togithub.com/rancher/rke2/pull/6058) - Bump K3s version for v1.30 [(#6104)](https://togithub.com/rancher/rke2/pull/6104) - Bump flannel version [(#6116)](https://togithub.com/rancher/rke2/pull/6116) - Bump flannel cni version to v0.25.3 - Bump containerd to correctly built tag [(#6126)](https://togithub.com/rancher/rke2/pull/6126) - Improve rke2-uninstall.ps1 [(#6098)](https://togithub.com/rancher/rke2/pull/6098) - Update to the latest SR-IOV image versions [(#5889)](https://togithub.com/rancher/rke2/pull/5889) - Bump flannel image in rke2-canal [(#6136)](https://togithub.com/rancher/rke2/pull/6136) - Slim down E2E artifacts [(#6097)](https://togithub.com/rancher/rke2/pull/6097) - Add custom golang setup action for better caching [(#6144)](https://togithub.com/rancher/rke2/pull/6144) - Support MixedOS E2E local testing [(#6137)](https://togithub.com/rancher/rke2/pull/6137) - Use `rancher/permissions` dependency [(#6138)](https://togithub.com/rancher/rke2/pull/6138) - Bump K3s version for v1.30 [(#6164)](https://togithub.com/rancher/rke2/pull/6164) - Update flannel version to v0.25.4 [(#6172)](https://togithub.com/rancher/rke2/pull/6172) - Bump flannel to v0.25.4 to fix windows-vxlan issue - Update Kubernetes to v1.30.2 [(#6191)](https://togithub.com/rancher/rke2/pull/6191) - Fix drone pipeline [(#6199)](https://togithub.com/rancher/rke2/pull/6199) - Update drone build base image [(#6206)](https://togithub.com/rancher/rke2/pull/6206) - Bump K3s version for v1.30 to fix regression in agent's supervisor port [(#6200)](https://togithub.com/rancher/rke2/pull/6200) - Bump rke2-ingress-nginx chart to revert watchIngressWithoutClass default [(#6216)](https://togithub.com/rancher/rke2/pull/6216) - Update hardened kubernetes [(#6225)](https://togithub.com/rancher/rke2/pull/6225) - Bump K3s version for snapshot fix [(#6230)](https://togithub.com/rancher/rke2/pull/6230) - Fix issue that allowed multiple simultaneous snapshots to be allowed - Revert rke2-ingress-nginx bump back to v1.9.6 [(#6238)](https://togithub.com/rancher/rke2/pull/6238) - Reinstate newest rke2-ingress-nginx [(#6253)](https://togithub.com/rancher/rke2/pull/6253) - Pass install_type as a string in the mixedos e2e test [(#6251)](https://togithub.com/rancher/rke2/pull/6251) - Update calico image to v3.28.0-build20240625 [(#6257)](https://togithub.com/rancher/rke2/pull/6257) #### Charts Versions | Component | Version | | --- | --- | | rke2-cilium | [1.15.500](https://togithub.com/rancher/rke2-charts/raw/main/assets/rke2-cilium/rke2-cilium-1.15.500.tgz) | | rke2-canal | [v3.28.0-build2024062503](https://togithub.com/rancher/rke2-charts/raw/main/assets/rke2-canal/rke2-canal-v3.28.0-build2024062503.tgz) | | rke2-calico | [v3.27.300](https://togithub.com/rancher/rke2-charts/raw/main/assets/rke2-calico/rke2-calico-v3.27.300.tgz) | | rke2-calico-crd | [v3.27.002](https://togithub.com/rancher/rke2-charts/raw/main/assets/rke2-calico/rke2-calico-crd-v3.27.002.tgz) | | rke2-coredns | [1.29.002](https://togithub.com/rancher/rke2-charts/raw/main/assets/rke2-coredns/rke2-coredns-1.29.002.tgz) | | rke2-ingress-nginx | [4.10.101](https://togithub.com/rancher/rke2-charts/raw/main/assets/rke2-ingress-nginx/rke2-ingress-nginx-4.10.101.tgz) | | rke2-metrics-server | [3.12.002](https://togithub.com/rancher/rke2-charts/raw/main/assets/rke2-metrics-server/rke2-metrics-server-3.12.002.tgz) | | rancher-vsphere-csi | [3.1.2-rancher400](https://togithub.com/rancher/rke2-charts/raw/main/assets/rancher-vsphere-csi/rancher-vsphere-csi-3.1.2-rancher400.tgz) | | rancher-vsphere-cpi | [1.7.001](https://togithub.com/rancher/rke2-charts/raw/main/assets/rancher-vsphere-cpi/rancher-vsphere-cpi-1.7.001.tgz) | | harvester-cloud-provider | [0.2.400](https://togithub.com/rancher/rke2-charts/raw/main/assets/harvester-cloud-provider/harvester-cloud-provider-0.2.400.tgz) | | harvester-csi-driver | [0.1.1700](https://togithub.com/rancher/rke2-charts/raw/main/assets/harvester-cloud-provider/harvester-csi-driver-0.1.1700.tgz) | | rke2-snapshot-controller | [1.7.202](https://togithub.com/rancher/rke2-charts/raw/main/assets/rke2-snapshot-controller/rke2-snapshot-controller-1.7.202.tgz) | | rke2-snapshot-controller-crd | [1.7.202](https://togithub.com/rancher/rke2-charts/raw/main/assets/rke2-snapshot-controller/rke2-snapshot-controller-crd-1.7.202.tgz) | | rke2-snapshot-validation-webhook | [1.7.302](https://togithub.com/rancher/rke2-charts/raw/main/assets/rke2-snapshot-validation-webhook/rke2-snapshot-validation-webhook-1.7.302.tgz) | #### Packaged Component Versions | Component | Version | | --- | --- | | Kubernetes | [v1.30.2](https://togithub.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.30.md#v1302) | | Etcd | [v3.5.13-k3s1](https://togithub.com/k3s-io/etcd/releases/tag/v3.5.13-k3s1) | | Containerd | [v1.7.17-k3s1](https://togithub.com/k3s-io/containerd/releases/tag/v1.7.17-k3s1) | | Runc | [v1.1.12](https://togithub.com/opencontainers/runc/releases/tag/v1.1.12) | | Metrics-server | [v0.7.1](https://togithub.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.1) | | CoreDNS | [v1.11.1](https://togithub.com/coredns/coredns/releases/tag/v1.11.1) | | Ingress-Nginx | [v1.10.1-hardened1](https://togithub.com/rancher/ingress-nginx/releases/tag/v1.10.1-hardened1) | | Helm-controller | [v0.16.1](https://togithub.com/k3s-io/helm-controller/releases/tag/v0.16.1) | ##### Available CNIs | Component | Version | FIPS Compliant | | --- | --- | --- | | Canal (Default) | [Flannel v0.25.4](https://togithub.com/flannel-io/flannel/releases/tag/v0.25.4)
[Calico v3.28.0](https://docs.tigera.io/calico/latest/release-notes/#v3.28) | Yes | | Calico | [v3.27.3](https://docs.tigera.io/calico/latest/release-notes/#v3.27) | No | | Cilium | [v1.15.5](https://togithub.com/cilium/cilium/releases/tag/v1.15.5) | No | | Multus | [v4.0.2](https://togithub.com/k8snetworkplumbingwg/multus-cni/releases/tag/v4.0.2) | No | #### Helpful Links As always, we welcome and appreciate feedback from our community of users. Please feel free to: - [Open issues here](https://togithub.com/rancher/rke2/issues/new) - [Join our Slack channel](https://slack.rancher.io/) - [Check out our documentation](https://docs.rke2.io) for guidance on how to get started. ### [`v1.30.2-rc7+rke2r1`](https://togithub.com/rancher/rke2/releases/tag/v1.30.2-rc7%2Brke2r1): v1.30.2-rc7+rke2r1 [Compare Source](https://togithub.com/rancher/rke2/compare/v1.30.2-rc6+rke2r1...v1.30.2-rc7+rke2r1) ### [`v1.30.2-rc6+rke2r1`](https://togithub.com/rancher/rke2/releases/tag/v1.30.2-rc6%2Brke2r1): v1.30.2-rc6+rke2r1 [Compare Source](https://togithub.com/rancher/rke2/compare/v1.30.2-rc5+rke2r1...v1.30.2-rc6+rke2r1) ### [`v1.30.2-rc5+rke2r1`](https://togithub.com/rancher/rke2/releases/tag/v1.30.2-rc5%2Brke2r1): v1.30.2-rc5+rke2r1 [Compare Source](https://togithub.com/rancher/rke2/compare/v1.30.2-rc4+rke2r1...v1.30.2-rc5+rke2r1) ### [`v1.30.2-rc4+rke2r1`](https://togithub.com/rancher/rke2/releases/tag/v1.30.2-rc4%2Brke2r1): v1.30.2-rc4+rke2r1 [Compare Source](https://togithub.com/rancher/rke2/compare/v1.30.2-rc3+rke2r1...v1.30.2-rc4+rke2r1) ### [`v1.30.2-rc3+rke2r1`](https://togithub.com/rancher/rke2/releases/tag/v1.30.2-rc3%2Brke2r1): v1.30.2-rc3+rke2r1 [Compare Source](https://togithub.com/rancher/rke2/compare/v1.30.2-rc2+rke2r1...v1.30.2-rc3+rke2r1) ### [`v1.30.2-rc2+rke2r1`](https://togithub.com/rancher/rke2/releases/tag/v1.30.2-rc2%2Brke2r1): v1.30.2-rc2+rke2r1 [Compare Source](https://togithub.com/rancher/rke2/compare/v1.30.2-rc1+rke2r1...v1.30.2-rc2+rke2r1) ### [`v1.30.2-rc1+rke2r1`](https://togithub.com/rancher/rke2/releases/tag/v1.30.2-rc1%2Brke2r1): v1.30.2-rc1+rke2r1 [Compare Source](https://togithub.com/rancher/rke2/compare/v1.30.1+rke2r1...v1.30.2-rc1+rke2r1)

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

[ ] If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

github-actions[bot] commented 4 days ago

:mag: Vulnerabilities of `ghcr.io/uniget-org/tools/rke2:1.30.2-rke2r1`

:package: Image Reference ghcr.io/uniget-org/tools/rke2:1.30.2-rke2r1

digest	`sha256:ea09fd82af1fc8be80bfb73a048e30ce54d976095e00f7344780e7c85314184a`
vulnerabilities
platform	linux/amd64
size	36 MB
packages	309

go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc 0.45.0 (golang)

pkg:golang/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc@0.45.0

Allocation of Resources Without Limits or Throttling

Affected range	`<0.46.0`
Fixed version	`0.46.0`
CVSS Score	`7.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`

Description

### Summary The grpc Unary Server Interceptor [opentelemetry-go-contrib/instrumentation/google.golang.org/grpc/otelgrpc/interceptor.go](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/9d4eb7e7706038b07d33f83f76afbe13f53d171d/instrumentation/google.golang.org/grpc/otelgrpc/interceptor.go#L327) ``` // UnaryServerInterceptor returns a grpc.UnaryServerInterceptor suitable // for use in a grpc.NewServer call. func UnaryServerInterceptor(opts ...Option) grpc.UnaryServerInterceptor { ``` out of the box adds labels - `net.peer.sock.addr` - `net.peer.sock.port` that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent. ### Details An attacker can easily flood the peer address and port for requests. ### PoC Apply the attached patch to the example and run the client multiple times. Observe how each request will create a unique histogram and how the memory consumption increases during it. ### Impact In order to be affected, the program has to configure a metrics pipeline, use [UnaryServerInterceptor](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/9d4eb7e7706038b07d33f83f76afbe13f53d171d/instrumentation/google.golang.org/grpc/otelgrpc/interceptor.go#L327), and does not filter any client IP address and ports via middleware or proxies, etc. ### Others It is similar to already reported vulnerabilities. * [GHSA-rcjv-mgp8-qvmr](https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-rcjv-mgp8-qvmr) ([open-telemetry/opentelemetry-go-contrib](https://github.com/open-telemetry/opentelemetry-go-contrib)) - [GHSA-5r5m-65gx-7vrh](https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-5r5m-65gx-7vrh "GHSA-5r5m-65gx-7vrh") ([open-telemetry/opentelemetry-go-contrib](https://github.com/open-telemetry/opentelemetry-go-contrib)) - [GHSA-cg3q-j54f-5p7p](https://github.com/advisories/GHSA-cg3q-j54f-5p7p "GHSA-cg3q-j54f-5p7p") ([prometheus/client_golang](https://github.com/prometheus/client_golang)) ### Workaround for affected versions As a workaround to stop being affected, a view removing the attributes can be used. The other possibility is to disable grpc metrics instrumentation by passing [`otelgrpc.WithMeterProvider`](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/instrumentation/google.golang.org/grpc/otelgrpc/v0.45.0/instrumentation/google.golang.org/grpc/otelgrpc/config.go#L138) option with [`noop.NewMeterProvider`](https://pkg.go.dev/go.opentelemetry.io/otel/metric/noop#NewMeterProvider). ### Solution provided by upgrading In PR [#4322](https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4322), to be released with v0.46.0, the attributes were removed. ### References - [#4322](https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4322)

gopkg.in/square/go-jose.v2 2.6.0 (golang)

pkg:golang/gopkg.in/square/go-jose.v2@2.6.0

Improper Handling of Highly Compressed Data (Data Amplification)

Affected range	`<=2.6.0`
Fixed version	Not Fixed
CVSS Score	`4.3`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L`

Description

### Impact An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). Thanks to Enze Wang@Alioth and Jianjun Chen@Zhongguancun Lab (@zer0yu and @chenjj) for reporting. ### Patches The problem is fixed in the following packages and versions: - github.com/go-jose/go-jose/v4 version 4.0.1 - github.com/go-jose/go-jose/v3 version 3.0.3 - gopkg.in/go-jose/go-jose.v2 version 2.6.3 The problem will not be fixed in the following package because the package is archived: - gopkg.in/square/go-jose.v2

github.com/hashicorp/go-retryablehttp 0.7.4 (golang)

pkg:golang/github.com/hashicorp/go-retryablehttp@0.7.4

Insertion of Sensitive Information into Log File

Affected range	`<0.7.7`
Fixed version	`0.7.7`
CVSS Score	`6`
CVSS Vector	`CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N`

Description

go-retryablehttp prior to 0.7.7 did not sanitize urls when writing them to its log file. This could lead to go-retryablehttp writing sensitive HTTP basic auth credentials to its log file. This vulnerability, CVE-2024-6104, was fixed in go-retryablehttp 0.7.7.

github.com/docker/docker 25.0.4+incompatible (golang)

pkg:golang/github.com/docker/docker@25.0.4+incompatible

Incorrect Resource Transfer Between Spheres

Affected range	`>=25.0.0 <25.0.5`
Fixed version	`25.0.5`
CVSS Score	`5.9`
CVSS Vector	`CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N`

Description

Moby is an open source container framework originally developed by Docker Inc. as Docker. It is a key component of Docker Engine, Docker Desktop, and other distributions of container tooling or runtimes. As a batteries-included container runtime, Moby comes with a built-in networking implementation that enables communication between containers, and between containers and external resources. Moby's networking implementation allows for creating and using many networks, each with their own subnet and gateway. This feature is frequently referred to as custom networks, as each network can have a different driver, set of parameters, and thus behaviors. When creating a network, the `--internal` flag is used to designate a network as _internal_. The `internal` attribute in a docker-compose.yml file may also be used to mark a network _internal_, and other API clients may specify the `internal` parameter as well. When containers with networking are created, they are assigned unique network interfaces and IP addresses (typically from a non-routable [RFC 1918](https://datatracker.ietf.org/doc/html/rfc1918) subnet). The root network namespace (hereafter referred to as the 'host') serves as a router for non-internal networks, with a gateway IP that provides SNAT/DNAT to/from container IPs. Containers on an _internal_ network may communicate between each other, but are precluded from communicating with any networks the host has access to (LAN or WAN) as no default route is configured, and firewall rules are set up to drop all outgoing traffic. Communication with the gateway IP address (and thus appropriately configured host services) is possible, and the host may communicate with any container IP directly. In addition to configuring the Linux kernel's various networking features to enable container networking, `dockerd` directly provides some services to container networks. Principal among these is serving as a resolver, enabling service discovery (looking up other containers on the network by name), and resolution of names from an upstream resolver. When a DNS request for a name that does not correspond to a container is received, the request is forwarded to the configured upstream resolver (by default, the host's configured resolver). This request is made from the container network namespace: the level of access and routing of traffic is the same as if the request was made by the container itself. As a consequence of this design, containers solely attached to _internal_ network(s) will be unable to resolve names using the upstream resolver, as the container itself is unable to communicate with that nameserver. Only the names of containers also attached to the internal network are able to be resolved. Many systems will run a local forwarding DNS resolver, typically present on a loopback address (`127.0.0.0/8`), such as systemd-resolved or dnsmasq. Common loopback address examples include `127.0.0.1` or `127.0.0.53`. As the host and any containers have separate loopback devices, a consequence of the design described above is that containers are unable to resolve names from the host's configured resolver, as they cannot reach these addresses on the host loopback device. To bridge this gap, and to allow containers to properly resolve names even when a local forwarding resolver is used on a loopback address, `dockerd` will detect this scenario and instead forward DNS requests from the host/root network namespace. The loopback resolver will then forward the requests to its configured upstream resolvers, as expected. ## Impact Because `dockerd` will forward DNS requests to the host loopback device, bypassing the container network namespace's normal routing semantics entirely, _internal_ networks can unexpectedly forward DNS requests to an external nameserver. By registering a domain for which they control the authoritative nameservers, an attacker could arrange for a compromised container to exfiltrate data by encoding it in DNS queries that will eventually be answered by their nameservers. For example, if the domain `evil.example` was registered, the authoritative nameserver(s) for that domain could (eventually and indirectly) receive a request for `this-is-a-secret.evil.example`. Docker Desktop is not affected, as Docker Desktop always runs an internal resolver on a RFC 1918 address. ## Patches Moby releases 26.0.0-rc3, 25.0.5 (released) and 23.0.11 (to be released) are patched to prevent forwarding DNS requests from internal networks. ## Workarounds - Run containers intended to be solely attached to _internal_ networks with a custom upstream address (`--dns` argument to `docker run`, or API equivalent), which will force all upstream DNS queries to be resolved from the container network namespace. ## Background - yair zak originally reported this issue to the Docker security team. - PR was opened in public to fix this issue, as it was not originally considered to have a security implication. - [The official documentation](https://docs.docker.com/network/drivers/ipvlan/#:~:text=If%20the%20parent,the%20network%20completely) claims that "the `--internal` flag that will completely isolate containers on a network from any communications external to that network," which necessitated this advisory and CVE.

golang.org/x/net 0.17.0 (golang)

pkg:golang/golang.org/x/net@0.17.0

Uncontrolled Resource Consumption

Affected range	`<0.23.0`
Fixed version	`0.23.0`
CVSS Score	`5.3`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L`

Description

An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.

github-actions[bot] commented 4 days ago

Attempting automerge. See https://github.com/uniget-org/tools/actions/runs/9817938226.

github-actions[bot] commented 4 days ago

PR is clean and can be merged. See https://github.com/uniget-org/tools/actions/runs/9817938226.

uniget-org / tools