Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix CVE-2023-44487, HTTP/2 reset floods #3475

Merged
merged 1 commit into from
Oct 10, 2023
Merged

Fix CVE-2023-44487, HTTP/2 reset floods #3475

merged 1 commit into from
Oct 10, 2023

Conversation

dlvenable
Copy link
Member

Description

Resolve Netty to 4.1.100.Final, require Jetty 11.0.17 in Data Prepper. Use Tomcat 10.1.14 in the example project. These changes fix CVE-2023-44487 to protect against HTTP/2 reset floods.

Issues Resolved

#3474

Check List

  • New functionality includes testing.
  • New functionality has a documentation issue. Please link to it in this PR.
    • New functionality has javadoc added
  • Commits are signed with a real name per the DCO

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

@dlvenable
Resolve Netty to 4.1.100.Final, require Jetty 11.0.17 in Data Prepper…
0c1058e 
…. Use Tomcat 10.1.14 in the example project. These changes fix CVE-2023-44487 to protect against HTTP/2 reset floods. Resolves opensearch-project#3474.

Signed-off-by: David Venable <[email protected]>
@dlvenable dlvenable merged commit d3179f0 into opensearch-project:main Oct 10, 2023
54 checks passed
opensearch-trigger-bot bot pushed a commit that referenced this pull request Oct 10, 2023
@dlvenable @github-actions
Resolve Netty to 4.1.100.Final, require Jetty 11.0.17 in Data Prepper…
d22da35 
…. Use Tomcat 10.1.14 in the example project. These changes fix CVE-2023-44487 to protect against HTTP/2 reset floods. Resolves #3474. (#3475)

Signed-off-by: David Venable <[email protected]>
(cherry picked from commit d3179f0)
@opensearch-trigger-bot opensearch-trigger-bot bot mentioned this pull request Oct 10, 2023
Merged
dlvenable added a commit that referenced this pull request Oct 11, 2023
@opensearch-trigger-bot @dlvenable
Resolve Netty to 4.1.100.Final, require Jetty 11.0.17 in Data Prepper…
56283fd 
…. Use Tomcat 10.1.14 in the example project. These changes fix CVE-2023-44487 to protect against HTTP/2 reset floods. Resolves #3474. (#3475) (#3477)

Signed-off-by: David Venable <[email protected]>
(cherry picked from commit d3179f0)

Co-authored-by: David Venable <[email protected]>
@dlvenable dlvenable deleted the 3474-http2-reset-floods-cve branch October 11, 2023 14:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@engechas engechas engechas approved these changes

@graytaylor0 graytaylor0 graytaylor0 approved these changes

@chenqi0805 chenqi0805 Awaiting requested review from chenqi0805 chenqi0805 is a code owner

@dinujoh dinujoh Awaiting requested review from dinujoh dinujoh is a code owner

@kkondaka kkondaka Awaiting requested review from kkondaka kkondaka is a code owner

@asifsmohammed asifsmohammed Awaiting requested review from asifsmohammed

@oeyh oeyh Awaiting requested review from oeyh oeyh is a code owner

Assignees
No one assigned
Labels
backport 2.5
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@dlvenable @graytaylor0 @engechas