
Prepare Release 0.47.1 #5454

Merged
merged 3 commits into from Dec 7, 2022

Conversation

@srenatus srenatus (Contributor) commented Dec 7, 2022

This is a bug fix release addressing two issues: one security issue, and one bug
related to formatting backwards-compatibility.

Golang security fix CVE-2022-41717

An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests.
Since we advise against running an OPA service exposed to the public internet,
potential attackers would be limited to people who are already capable of
sending direct requests to the OPA service.

opa fmt and backwards compatibility (#5449)

In v0.46.1, it was possible that opa fmt would format a rule in such a way that:

  1. Before formatting, it was working fine with older OPA versions, and
  2. after formatting, it would only work with OPA version >= 0.46.1.

This backwards incompatibility wasn't intended, and has now been fixed.


I've included the release notes of 0.46.2 as an "and 0.46.2"; it would only have been boring duplication otherwise.

But this release commit includes the capabilities of 0.46.2 and 0.47.1, so all binaries have a complete view of their history.

Fixes CVE-2022-41717:

> net/http: limit canonical header cache by bytes, not entries

https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU

Signed-off-by: Stephan Renatus <stephan.renatus@gmail.com>
…cy-agent#5450)

Before, we'd end up formatting

    ps["foo"] = "bar" { true }

as

    ps.foo = "bar" { true }

and older OPA versions know how to parse the former, but not
the latter.

Fixes open-policy-agent#5449.

Also includes:
* format: pass internal options via struct; because adding a third (in some cases
   fifth) boolean argument just didn't seem right.

Signed-off-by: Stephan Renatus <stephan.renatus@gmail.com>
Signed-off-by: Stephan Renatus <stephan.renatus@gmail.com>
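A check a practitioner would want after reading the Go fix above: confirm that the OPA binary you deploy was built with a Go toolchain that carries the net/http canonical header cache fix. This is an added example, not code from this PR or from the OPA project. It assumes the fix first shipped in Go 1.18.9 and Go 1.19.4 (the releases announced in the linked golang-announce post) and that every later minor line contains it; the type and function names, and the sample `go version -m` output it parses, are this example's own constructions.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// goVer is a parsed Go toolchain version such as "go1.19.4".
type goVer struct {
	major, minor, patch int
}

// goVerRE accepts "go1.19.4", "go1.20" and prerelease tags like "go1.20rc1";
// a prerelease is treated as patch 0 of its minor line.
var goVerRE = regexp.MustCompile(`^go(\d+)\.(\d+)(?:\.(\d+))?`)

// parseGoVersion turns a toolchain string into its numeric parts.
func parseGoVersion(s string) (goVer, error) {
	m := goVerRE.FindStringSubmatch(strings.TrimSpace(s))
	if m == nil {
		return goVer{}, fmt.Errorf("not a Go toolchain version: %q", s)
	}
	var v goVer
	v.major, _ = strconv.Atoi(m[1])
	v.minor, _ = strconv.Atoi(m[2])
	if m[3] != "" {
		v.patch, _ = strconv.Atoi(m[3])
	}
	return v, nil
}

// atLeast reports whether v >= w.
func (v goVer) atLeast(w goVer) bool {
	if v.major != w.major {
		return v.major > w.major
	}
	if v.minor != w.minor {
		return v.minor > w.minor
	}
	return v.patch >= w.patch
}

// cve202241717Fixed lists the first release on each then-supported line
// that contains the fix (assumption stated in the lead-in): 1.18.9 and 1.19.4.
var cve202241717Fixed = []goVer{{1, 18, 9}, {1, 19, 4}}

// PatchedForCVE202241717 reports whether a binary built with toolchain ver
// contains the net/http fix. Lines older than 1.18 were out of support when
// the fix shipped and never received it, so they report false; 1.20 and
// later are newer than the fix and report true.
func PatchedForCVE202241717(ver string) (bool, error) {
	v, err := parseGoVersion(ver)
	if err != nil {
		return false, err
	}
	if v.atLeast(goVer{1, 20, 0}) {
		return true, nil
	}
	for _, f := range cve202241717Fixed {
		if v.major == f.major && v.minor == f.minor {
			return v.atLeast(f), nil
		}
	}
	return false, nil
}

// ToolchainFromGoVersionOutput extracts the toolchain from the output of
// `go version -m <binary>`, whose first line reads "<path>: go1.19.4".
func ToolchainFromGoVersionOutput(out string) (string, error) {
	first := strings.SplitN(strings.TrimSpace(out), "\n", 2)[0]
	i := strings.LastIndex(first, ": ")
	if i < 0 {
		return "", fmt.Errorf("unexpected `go version -m` output: %q", first)
	}
	return strings.TrimSpace(first[i+2:]), nil
}

func main() {
	// Constructed sample of `go version -m ./opa` output, not a real capture.
	sample := "./opa: go1.19.3\n\tpath\tgithub.com/open-policy-agent/opa\n"
	tc, err := ToolchainFromGoVersionOutput(sample)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	ok, err := PatchedForCVE202241717(tc)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("toolchain %s patched for CVE-2022-41717: %v\n", tc, ok)
}
```

Run `go version -m` against the OPA binary you actually ship (the container image's `/opa`, not the one on your workstation) and feed its output to the check; a binary built with go1.19.3, as in the constructed sample, still carries the unbounded header cache regardless of which OPA version string it reports.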
@netlify
netlify bot commented Dec 7, 2022

Deploy Preview for openpolicyagent ready!

Latest commit: 77596c5
Latest deploy log: https://app.netlify.com/sites/openpolicyagent/deploys/6390934b04f2ae0008703c73
Deploy Preview: https://deploy-preview-5454--openpolicyagent.netlify.app

@charlieegan3 charlieegan3 (Contributor) left a comment

Looks good to me!

@srenatus srenatus merged commit 20f2b04 into open-policy-agent:release-0.47 Dec 7, 2022
@srenatus srenatus deleted the sr/release-0.47.1 branch December 7, 2022 13:32