Disable HTTP/2 for webhooks until a fix comes #2881
Labels
kind/bug
Categorizes issue or PR as related to a bug.
kind/security
Issues or PRs related to security or CVEs.
We need to disable HTTP/2 for webhooks.
"The go runtime does have a fix to mitigate the GHSA-qppj-fm5r-hxr3 to a degree, but as kubernetes/kubernetes#121197 shows, a single connection attempting to perform a denial-of-service attack against a go-based HTTP/2 server resulted in the server process quickly consuming 5 GB of memory. Additional connections would likely result in an OOM situation very quickly."
Please check this: kubernetes/kubernetes#121197
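One way to apply and verify the requested mitigation, as an added example that is not part of the original issue or the project's code: a Go TLS server only speaks HTTP/2 when ALPN selects `h2`, so restricting `NextProtos` to `http/1.1` turns it off. The names `disableHTTP2` and `negotiatedProtocol` are hypothetical, and an `httptest` server stands in for the webhook listener.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// disableHTTP2 restricts ALPN to HTTP/1.1 so the server never negotiates "h2".
func disableHTTP2(cfg *tls.Config) {
	cfg.NextProtos = []string{"http/1.1"}
}

// negotiatedProtocol starts a throwaway TLS server (an assumed stand-in for
// the webhook listener), connects as a client that offers both protocols,
// and returns the ALPN protocol the server selected.
func negotiatedProtocol(tlsOpts ...func(*tls.Config)) (string, error) {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(
		func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) }))
	srv.EnableHTTP2 = true // baseline: the server offers h2
	srv.TLS = &tls.Config{MinVersion: tls.VersionTLS12}
	for _, opt := range tlsOpts {
		opt(srv.TLS)
	}
	srv.StartTLS()
	defer srv.Close()

	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate()) // trust only the test server's certificate
	conn, err := tls.Dial("tcp", srv.Listener.Addr().String(), &tls.Config{
		RootCAs:    pool,
		NextProtos: []string{"h2", "http/1.1"}, // client prefers h2 if offered
	})
	if err != nil {
		return "", err
	}
	defer conn.Close()
	return conn.ConnectionState().NegotiatedProtocol, nil
}

func main() {
	before, err1 := negotiatedProtocol()
	after, err2 := negotiatedProtocol(disableHTTP2)
	fmt.Println("default:", before, err1)
	fmt.Println("with disableHTTP2:", after, err2)
}
```

The same ALPN probe can be pointed at a deployed webhook endpoint to confirm that `h2` is no longer selected after the change.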