mirror of https://github.com/linkerd/linkerd2.git
cb276032f5
Netflix recently announced a security advisory that identified several Denial of Service attack vectors that can affect server implementations of the HTTP/2 protocol, and has issued eight CVEs. [1] Go is affected by two of the vulnerabilities (CVE-2019-9512 and CVE-2019-9514) and so Linkerd components that serve HTTP/2 traffic are also affected. [2] These vulnerabilities allow untrusted clients to allocate an unlimited amount of memory, until the server crashes. The Kubernetes Product Security Committee has assigned this set of vulnerabilities with a CVSS score of 7.5. [3] [1] https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md [2] https://golang.org/doc/devel/release.html#go1.12 [3] https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
||
|---|---|---|
| .. | ||
| app | ||
| srv | ||
| templates | ||
| Dockerfile | ||
| main.go | ||