[UNDERTOW-2323][UNDERTOW-2311][UNDERTOW-2310][UNDERTOW-2327] CVE-2023-44487 backport fixes to branch 2.2.x #1526

Merged: 6 commits, Oct 17, 2023


ropalka and others added 4 commits October 17, 2023 08:16
Signed-off-by: Flavia Rainone <frainone@redhat.com>
…responses to rst streams can be handled correctly.

The cache is cleaned after a while (current default value is set to 1 minute). If, during that time, a response to a canceled request stream is received from the server, the channel will be able to detect it is not a protocol error but just a matter of timing: the server responded to the request before receiving and processing the rst frame.

Signed-off-by: Flavia Rainone <frainone@redhat.com>
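
The reset-stream cache described in the commit message above, as an added sketch that is not code from this pull request or from Undertow: the class, method and enum names are hypothetical, and the size bound (`maxEntries`) is an assumption added so that a burst of resets cannot grow the cache without limit.

```java
import java.util.LinkedHashMap;
import java.util.concurrent.TimeUnit;

// Illustrative sketch only: names are hypothetical, not Undertow's API.
public class ResetStreamCache {
    enum Verdict { LATE_RESPONSE, PROTOCOL_ERROR }

    private final long ttlNanos;
    private final int maxEntries; // assumption: hard cap on remembered stream ids
    // Insertion-ordered, so the first key is always the oldest reset.
    private final LinkedHashMap<Integer, Long> resetAt = new LinkedHashMap<>();

    ResetStreamCache(long ttl, TimeUnit unit, int maxEntries) {
        if (maxEntries < 1) throw new IllegalArgumentException("maxEntries must be >= 1");
        this.ttlNanos = unit.toNanos(ttl);
        this.maxEntries = maxEntries;
    }

    // Called when the local side sends RST_STREAM to cancel a request stream.
    synchronized void recordReset(int streamId, long nowNanos) {
        purgeExpired(nowNanos);
        if (resetAt.size() >= maxEntries) {
            resetAt.remove(resetAt.keySet().iterator().next()); // evict the oldest entry
        }
        resetAt.put(streamId, nowNanos);
    }

    // Called when a frame arrives for a stream that is no longer open.
    synchronized Verdict classify(int streamId, long nowNanos) {
        purgeExpired(nowNanos);
        // A recently reset stream means the peer answered before it processed the reset.
        return resetAt.containsKey(streamId) ? Verdict.LATE_RESPONSE : Verdict.PROTOCOL_ERROR;
    }

    private void purgeExpired(long nowNanos) {
        resetAt.values().removeIf(t -> nowNanos - t >= ttlNanos);
    }

    public static void main(String[] args) {
        ResetStreamCache cache = new ResetStreamCache(1, TimeUnit.MINUTES, 1024);
        long t0 = System.nanoTime();
        long sec = TimeUnit.SECONDS.toNanos(1);
        cache.recordReset(5, t0); // constructed scenario: stream 5 is canceled at t0
        System.out.println(cache.classify(5, t0 + 2 * sec));  // frame for stream 5, inside the window
        System.out.println(cache.classify(7, t0 + 2 * sec));  // frame for a stream that was never reset
        System.out.println(cache.classify(5, t0 + 61 * sec)); // frame for stream 5, after the entry expired
    }
}
```
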
…f requests followed by rst frames canceling the requests can cause a denial of service

Signed-off-by: Flavia Rainone <frainone@redhat.com>
…t gets a connection closed by goaway before processing the responses from server

Signed-off-by: Flavia Rainone <frainone@redhat.com>
fl4via merged commit 48f35cf into undertow-io:2.2.x Oct 17, 2023
34 checks passed
fl4via deleted the 2.2.x-backport-fixes branch October 17, 2023 14:36
Labels: maintenance branch (Targeting maintenance branch)