Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Upgrade Envoy Proxy to resolve CVE-2024-30255 #5627

Open
ZiqianXu opened this issue Apr 9, 2024 · 1 comment
Open

Upgrade Envoy Proxy to resolve CVE-2024-30255 #5627

ZiqianXu opened this issue Apr 9, 2024 · 1 comment

Comments

@ZiqianXu
Copy link

ZiqianXu commented Apr 9, 2024
edited

Describe the bug
Envoy Proxy has published a security advisory regarding CVE-2024-30255 HTTP/2: CPU exhaustion due to CONTINUATION frame flood. Is Emissary-ingress affected by CVE-2024-30255? If so, should it be upgraded to the fixed Envoy release 1.28.2?

Thanks!
@cindymullins-dw
Copy link
Contributor

Ambassador will push a PR to address this soon (Moderate security level) but we are not planning any releases at this time. The Emissary release schedule now depends on the Maintainers and is currently TBD (since our decoupling of Emissary releases from the licensed version Edge Stack late last year). It is possible to build Emissary from source to capture PRs that have been merged but not yet released. Feel free to direct questions to me (Cindy Mullins) at a8r.io/slack.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@cindymullins-dw @ZiqianXu