Merge pull request #1422 from 3scale/backport-2.14-lua_check_client_a…

…bort Backport 2.14 THREESCALE-10224 CVE-2023-44487 http/2 rapid reset
3scale · Nov 2, 2023 · efaf599 · efaf599
2 parents 00b57c4 + bc5d063
commit efaf599
Show file tree

Hide file tree

Showing 13 changed files with 58 additions and 400 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -105,7 +105,7 @@ executors:
   openresty:
     working_directory: /opt/app-root/apicast
     docker:
-      - image: quay.io/3scale/apicast-ci:openresty-1.19.3-pr1379
+      - image: quay.io/3scale/apicast-ci:openresty-1.19.3-23
       - image: redis:3.2.8-alpine
     environment:
       TEST_NGINX_BINARY: openresty

diff --git a/.codecov.yml b/.codecov.yml
@@ -6,3 +6,14 @@ ignore:
   - t
   - bin/busted.lua
   - examples
+
+coverage:
+  status:
+    project:
+      default:
+        target: auto
+        threshold: 3%
+    patch:
+      default:
+        target: auto
+        threshold: 3%
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
 
 ## [Unreleased]
 
+### Fixed
+
+- Fixed CVE-2023-44487 (HTTP/2 Rapid Reset) [PR #1417](https://github.com/3scale/apicast/pull/1417) [THREESCALE-10224](https://issues.redhat.com/browse/THREESCALE-10224)
+
 ### Added
 
 - Detect number of CPU shares when running on Cgroups V2 [PR #1410](https://github.com/3scale/apicast/pull/1410) [THREESCALE-10167](https://issues.redhat.com/browse/THREESCALE-10167)

diff --git a/Dockerfile b/Dockerfile
@@ -1,6 +1,6 @@
 FROM registry.access.redhat.com/ubi8:8.5
 
-ARG OPENRESTY_RPM_VERSION="1.19.3-21.el8"
+ARG OPENRESTY_RPM_VERSION="1.19.3-23.el8"
 ARG LUAROCKS_VERSION="2.3.0"
 ARG JAEGERTRACING_CPP_CLIENT_RPM_VERSION="0.3.1-13.el8"
 

diff --git a/Dockerfile.devel b/Dockerfile.devel
@@ -1,6 +1,6 @@
 FROM registry.access.redhat.com/ubi8:8.5
 
-ARG OPENRESTY_RPM_VERSION="1.19.3-21.el8"
+ARG OPENRESTY_RPM_VERSION="1.19.3-23.el8"
 ARG LUAROCKS_VERSION="2.3.0"
 ARG JAEGERTRACING_CPP_CLIENT_RPM_VERSION="0.3.1-13.el8"
 

diff --git a/Makefile b/Makefile
@@ -13,7 +13,7 @@ NPROC ?= $(firstword $(shell nproc 2>/dev/null) 1)
 
 SEPARATOR="\n=============================================\n"
 
-DEVEL_IMAGE ?= quay.io/3scale/apicast-ci:openresty-1.19.3-pr1379
+DEVEL_IMAGE ?= quay.io/3scale/apicast-ci:openresty-1.19.3-23
 DEVEL_DOCKERFILE ?= Dockerfile.devel
 
 RUNTIME_IMAGE ?= quay.io/3scale/apicast:latest
@@ -66,9 +66,9 @@ export COMPOSE_PROJECT_NAME
 # The development image is also used in CI (circleCI) as the 'openresty' executor
 # When the development image changes, make sure to:
 # * build a new development image:
-#     make dev-build IMAGE_NAME=quay.io/3scale/apicast-ci:openresty-1.19.3-pr{NUM}
+#     make dev-build IMAGE_NAME=quay.io/3scale/apicast-ci:openresty-X.Y.Z-{release_number}
 # * push to quay.io/3scale/apicast-ci with a fixed tag (avoid floating tags)
-#     docker push quay.io/3scale/apicast-ci:openresty-1.19.3-pr{NUM}
+#     docker push quay.io/3scale/apicast-ci:openresty-X.Y.Z-{release_number}
 # * update .circleci/config.yaml openresty executor with the image URL
 .PHONY: dev-build
 dev-build: export OPENRESTY_RPM_VERSION?=1.19.3

diff --git a/doc/centos-installation.md b/doc/centos-installation.md