HTTP2 CVEs #134
At this point I think the only robust way to test this would be to try them out. Are there any tools that we can point at an Ace server and see how it manages? Some of these issues I think would be at a lower level than Ace, but probably not all of them.
I'm not aware of any tools to test these things. Not sure about it being at a lower level either. I assumed since this lib implemented the server side of HTTP2, it'd be the place that fixes it. For cowboy, these were the changes they made: ninenines/cowboy@ab44985
It probably is the place for most of the fixes that are required. Probably the best thing to do would be to port the tests that were added in that commit you shared. Then we would have a framework to check the fixes had worked.
A number of CVEs were published yesterday that affect a lot of HTTP2 implementations. I wanted to flag them here in case Ace is also vulnerable to any of them.
Relevant vulnerabilities: https://www.kb.cert.org/vuls/id/605641/
Example of some mitigations: kubernetes/ingress-nginx@333d9fd