Merge pull request #767 from anarnold97/MTA-1480-MTA-6-2-1-release-notes

MTA-1480: Release notes for MTA 6.2.1
windup · Nov 2, 2023 · ad81bb0 · ad81bb0
2 parents 28192eb + 9bbc4bd
commit ad81bb0
Show file tree

Hide file tree

Showing 3 changed files with 72 additions and 0 deletions.
diff --git a/docs/release-notes/master.adoc b/docs/release-notes/master.adoc
@@ -19,6 +19,11 @@ include::topics/making-open-source-more-inclusive.adoc[]
 
 These release notes cover all _z_-stream releases of {ProductShortName} 6.2 with the most recent release listed first.
 
+[id="mta-6-2-1"]
+== {ProductShortName} 6.2.1
+
+include::topics/mta-rn-resolved-issues-6-2-1.adoc[leveloffset=+2]
+
 [id="mta-6-2-0"]
 == {ProductShortName} 6.2.0
 

diff --git a/docs/topics/mta-rn-known-issues-6-2-0.adoc b/docs/topics/mta-rn-known-issues-6-2-0.adoc
@@ -8,6 +8,36 @@
 
 MTA version 6.2.0 has the following issues.
 
+.CVE-2023-44487: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack)
+
+A flaw has been found in handling multiplexed streams in the HTTP/2 protocol. The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can be reset multiple streams quickly. The server has to set up and tear down the streams while not hitting any server-side limit for the maximum number of active streams per connection, which resulted in a denial of service due to server resource consumption.
+
+The following issues have been listed under this issue:
+
+* link:https://issues.redhat.com/browse/MTA-1428[(MTA-1428)]
+* link:https://issues.redhat.com/browse/MTA-1430[(MTA-1430)]
+* link:https://issues.redhat.com/browse/MTA-1448[(MTA-1448)]
+
+To resolve this issue, upgrade to {ProductShortName} 6.2.1 or later.
+
+For more details, see link:https://access.redhat.com/security/cve/cve-2023-44487[CVE-2023-44487 (Rapid Reset Attack)]
+
+
+.CVE-2023-39325: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack in the Go language packages)
+
+The HTTP/2 protocol is susceptible to a denial of service attack because request cancellation can reset multiple streams quickly. The server has to set up and tear down the streams while not hitting any server-side limit for the maximum number of active streams per connection. This results in a denial of service due to server resource consumption.
+
+The following issues have been listed under this issue:
+
+* link:https://issues.redhat.com/browse/MTA-1429[MTA-1429]	
+* link:https://issues.redhat.com/browse/MTA-1482[MTA-1482]	
+* link:https://issues.redhat.com/browse/MTA-1447[MTA-1447]
+
+To resolve this issue, upgrade to {ProductShortName} 6.2.1 or later.
+
+For more information, see link:https://access.redhat.com/security/cve/cve-2023-39325[CVE-2023-39325 (Rapid Reset Attack in the Go language packages)].
+
+
 .Re-enabling Keycloak breaks MTA
 
 Keycloak is enabled by default. If you disable and then re-enable Keycloak, you cannot perform any actions in the MTA web console after logging in again.

diff --git a/docs/topics/mta-rn-resolved-issues-6-2-1.adoc b/docs/topics/mta-rn-resolved-issues-6-2-1.adoc
@@ -0,0 +1,37 @@
+// Module included in the following assemblies:
+//
+// * docs/release_notes-6.2/master.adoc
+
+:_content-type: REFERENCE
+[id="mta-rn-resolved-issues-6-2-1_{context}"]
+= Resolved issues
+
+The following highlighted issues have been resolved in MTA version 6.2.1.
+
+.CVE-2023-44487 HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack)
+
+A flaw was found in handling multiplexed streams in the HTTP/2 protocol. In previous releases of MTA, the HTTP/2 protocol allowed a denial of service (server resource consumption) because request cancellation could reset multiple streams quickly. The server had to set up and tear down the streams while not hitting any server-side limit for the maximum number of active streams per connection, which resulted in a denial of service due to server resource consumption.
+
+The following issues have been listed under this issue:
+
+* link:https://issues.redhat.com/browse/MTA-1428[(MTA-1428)]
+* link:https://issues.redhat.com/browse/MTA-1430[(MTA-1430)]
+* link:https://issues.redhat.com/browse/MTA-1448[(MTA-1448)]
+
+To resolve this issue, upgrade to {ProductShortName} 6.2.1 or later.
+
+For more information, see link:https://access.redhat.com/security/cve/cve-2023-44487[CVE-2023-44487 (Rapid Reset Attack)].
+
+.CVE-2023-39325: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack in the Go language packages)
+
+The HTTP/2 protocol is susceptible to a denial of service attack because request cancellation can reset multiple streams quickly. The server has to set up and tear down the streams while not hitting any server-side limit for the maximum number of active streams per connection. This results in a denial of service due to server resource consumption.
+
+The following issues have been listed under this issue:
+
+* link:https://issues.redhat.com/browse/MTA-1429[MTA-1429]	
+* link:https://issues.redhat.com/browse/MTA-1482[MTA-1482]	
+* link:https://issues.redhat.com/browse/MTA-1447[MTA-1447]
+
+To resolve this issue, upgrade to {ProductShortName} 6.2.1 or later.
+
+For more information, see link:https://access.redhat.com/security/cve/cve-2023-39325[CVE-2023-39325 (Rapid Reset Attack in the Go language packages)].