Bug 1745627

Summary: [operator-regsitry] Address grpc-go CVEs
Product: OpenShift Container Platform Reporter: Evan Cordell <ecordell>
Component: OLMAssignee: Evan Cordell <ecordell>
OLM sub component: OLM QA Contact: Jian Zhang <jiazha>
Status: CLOSED ERRATA Docs Contact:
Severity: high    
Priority: high    
Version: 4.2.0   
Target Milestone: ---   
Target Release: 4.2.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1745629 (view as bug list) Environment:
Last Closed: 2019-10-16 06:37:32 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1745629    

Description Evan Cordell 2019-08-26 14:13:18 UTC 
Description of problem:

There are three CVEs in grpc-go:

CVE-2019-9512 (Ping Flood)
CVE-2019-9514 (Reset Flood)
CVE-2019-9515 (Settings Flood)

These are fixed in https://github.com/grpc/grpc-go/pull/2970

Version-Release number of selected component (if applicable):
operator-registry v1.3.0
Comment 3 Evan Cordell 2019-08-27 19:15:29 UTC 
Hi Jian,

We just bumped the dependencies to address this. I don't have a way to reproduce the bug, it's a preventative measure.
Comment 4 Jian Zhang 2019-08-28 10:55:06 UTC 
Hi, Evan

Thanks!

I couldn't find any poc for this CVE. So, we run a regression test, and no more bug found, LGTM, verify it, thanks!
Comment 5 errata-xmlrpc 2019-10-16 06:37:32 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2922