=doc add security advisory for decodeRequest issue (#2137) #2200

Merged
merged 3 commits into from
Sep 5, 2018

@jrudolph jrudolph commented Sep 5, 2018

No description provided.

@akka-ci added the validating and tested labels and removed the validating label Sep 5, 2018

akka-ci commented Sep 5, 2018

Test PASSed.

@raboof raboof left a comment

Nice! 👍

@jlprat jlprat left a comment

👍

All previosly released Akka HTTP versions are affected:

* 10.1.x <= 10.1.4
* 10.0.x <= 10.0.13
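
Review bot: "previosly" in the sentence introducing the affected versions is a typo for "previously". That sentence also says all previously released versions are affected while the list names only the 10.1.x and 10.0.x lines; if older release lines are affected too, say so explicitly, and consider stating the first fixed version for each line so readers know what to upgrade to.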

this reads a bit weird to be honest... is this the established way to show version ranges we have adopted?
I think we did - akka-http prior to 10.0.6 and 2.4.11.2


* Play and Lagom applications, even though both are using Akka HTTP as their server backend,
remain unaffected by this vulnerability. This is because they implement their own content
length validations on top of the underlying models (by using `BodyParser`s).
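
Review bot: the "remain unaffected" claim in this bullet rests on the content length validation done through `BodyParser`s, but the text does not say whether that covers custom body parsers or only the ones shipped with Play and Lagom. Consider stating that scope, or linking to the body parser documentation, so users of those frameworks can check their own setup.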

good

@ktoso ktoso left a comment

LGTM, one comment tho

@akka-ci added the validating and tested labels and removed the tested and validating labels Sep 5, 2018

akka-ci commented Sep 5, 2018

Test PASSed.

@raboof raboof merged commit d607e54 into akka:master Sep 5, 2018
@jrudolph jrudolph deleted the jr/security-advisory-ddos branch September 6, 2018 10:38
Synesso pushed a commit to Synesso/akka-http that referenced this pull request Sep 17, 2018