Project: Cert Manager support for Red Hat OpenShift
Issue: CM-254

HTTP/2 Rapid Reset CVEs Analysis for cert-manager-operator 1.11-1.13

    • Type: Spike
    • Resolution: Unresolved
    • Priority: Undefined
    • Sprint: CFE Sprint 247, CFE Sprint 248

      During the last release of cert-manager-operator (v1.11.5, v1.12.1) we aimed at applying remediation to our downstream repositories, both operand and operator, based upon the vulnerabilities found in CVE-2023-44487 and CVE-2023-39325, following the guidance from https://docs.google.com/document/d/1F99glzhX2i2Ppe5Qq3M-Po_jSSUiVssqFyWRhVm1X3o/edit.

      However, as of today it seems these CVE fixes have also been properly incorporated in upstream cert-manager, which calls for an analysis of whether we want to revert the downstream patch commits and pull the upstream commits back in again. This analysis would help conclude the next steps for such items, including the new CVEs as well as carry/drop decisions for the older fixes already incorporated.


      Acceptance criteria:

      1. Decide if the operator (and its respective operand, cert-manager) for v1.11 and v1.12 needs a new z-stream release with altered commits, new CVE fixes, etc.

            swghosh@redhat.com Swarup Ghosh
            swghosh@redhat.com Swarup Ghosh
            Votes: 0
            Watchers: 1