Mirroristas/etcd
2
0
Fork 0
mirror of https://github.com/etcd-io/etcd.git synced 2024-09-27 06:25:44 +00:00
Code Issues Packages Projects Releases Wiki Activity

CHANGELOG-3.4: fix --cipher-suites flag change

Browse Source 
Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
This commit is contained in:
Gyuho Lee 2018-06-18 09:25:34 -07:00
parent d866cf8a9e
commit b98f0c9190
1 changed files with 1 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
CHANGELOG-3.4.md
View File

@ -178,8 +178,7 @@ See [security doc](https://github.com/coreos/etcd/blob/master/Documentation/op-g
- Support TLS cipher suite whitelisting.
- To block [weak cipher suites](https://github.com/coreos/etcd/issues/8320).
- TLS handshake fails when client hello is requested with invalid cipher suites.
- Add [`etcd --client-cipher-suites`](https://github.com/coreos/etcd/pull/9801) flag.
- Add [`etcd --peer-cipher-suites`](https://github.com/coreos/etcd/pull/9801) flag.
- Add [`etcd --cipher-suites`](https://github.com/coreos/etcd/pull/9801) flag.
- If empty, Go auto-populates the list.
- Add [`etcd --host-whitelist`](https://github.com/coreos/etcd/pull/9372) flag, [`etcdserver.Config.HostWhitelist`](https://github.com/coreos/etcd/pull/9372), and [`embed.Config.HostWhitelist`](https://github.com/coreos/etcd/pull/9372), to prevent ["DNS Rebinding"](https://en.wikipedia.org/wiki/DNS_rebinding) attack.
- Any website can simply create an authorized DNS name, and direct DNS to `"localhost"` (or any other address). Then, all HTTP endpoints of etcd server listening on `"localhost"` becomes accessible, thus vulnerable to [DNS rebinding attacks (CVE-2018-5702)](https://bugs.chromium.org/p/project-zero/issues/detail?id=1447#c2).