MULTIARCH-4647 (project: Multiple Architecture Enablement)

Triage CVE-2023-45288 - openshift/ibm-powervs-block-csi-driver: bump x/net


      Parent tracker: https://issues.redhat.com/browse/MULTIARCH-4613

      Quoted from the tracker:

      [Several weeks ago] the embargo lifted on CVE-2023-45288. This is a weakness in Go's implementation of the HTTP/2 protocol which allows for denial of service attacks. It affects http2 packages in both Go's standard library as well as golang.org/x/net (http://golang.org/x/net).

      OCP engineering and management have been working together with ProdSec to identify vulnerable OCP components and create trackers for those only. Kubernetes itself (think core components, i.e. apiserver, scheduler, etc.) has already received fixes.

      We have also been working with running clusters to identify anything that exposes (internally and externally) servers with HTTP/2 support.

      If you know your component is vulnerable to CVE-2023-45288, and you don't see it in this list (https://docs.google.com/spreadsheets/d/1mAbDEqE0cit5Zd0xqjZUtL-mdzitqOit6uk5o0azY3Y/edit#gid=1470083757), please reach out so we can get your component there as soon as possible. ProdSec will be using this list to create CVE trackers in OCPBUGS for each affected component.

            Assignee: Unassigned
            Reporter: Kishen V (kviswana)