[release-4.18] OCPBUGS-86715: Strip X-SSL-* headers for plain HTTP#800
Conversation
|
@MrSanketkumar: This pull request references Jira Issue OCPBUGS-86715, which is invalid:
Comment The bug has been updated to refer to the pull request using the external bug tracker. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
WalkthroughThe HAProxy config template gains conditional ChangesX-SSL Header Spoofing Mitigation
Estimated code review effort🎯 2 (Simple) | ⏱️ ~10 minutes Possibly related PRs
Suggested labels
Suggested reviewers
🚥 Pre-merge checks | ✅ 5 | ❌ 10❌ Failed checks (10 inconclusive)
✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Warning Review ran into problems🔥 ProblemsGit: Failed to clone repository. Please run the Comment |
|
@coderabbitai review |
✅ Action performedReview finished.
|
|
I’ve created a cluster using the PR that includes the merged fix from PR #800. The corresponding ClusterVersion is: 4.18.0-0-2026-06-30-054954-test-ci-ln-p9spn1k-latest After inspecting one of the pods, I confirmed that the latest changes from the PR are present in the Router , SNI and NO SNI code paths, Therefore succesfully indicating that the fix has been successfully deployed These are the same changes that were introduced in #800 # Strip off X-SSL* headers for plain HTTP if not explicitly disabled. /Verified by ci |
|
@UdayYendva: This PR has been marked as verified by DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
This is a clean cherry-pick of #799. /approve You do have a typo in the PR title and in the commit message: "OCPBUGS-OCPBUGS-86715". Do you want to fix that while #799 goes through CI and verification? I can re- This is a medium-risk backport. The assessment for the release-4.21 backport #795 (comment) applies equally to the release-4.18 backport. /label backport-risk-assessed |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: Miciah The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/jira refresh |
|
@MrSanketkumar: This pull request references Jira Issue OCPBUGS-86715, which is invalid:
Comment DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
e2848a1 to
4dddbe9
Compare
|
/retitle [release-4.18] OCPBUGS-86715: Strip X-SSL-* headers for plain HTTP |
|
@Miciah Thanks! I've corrected the commit and PR title as well. Could you please provide an LGTM? |
|
Thanks! /lgtm |
|
Changing the commit message shouldn't affect the validity of the earlier verification, so per #800 (comment), |
|
@Miciah: This PR has been marked as verified by DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/jira refresh |
|
@MrSanketkumar: This pull request references Jira Issue OCPBUGS-86715, which is invalid:
Comment The bug has been updated to refer to the pull request using the external bug tracker. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/test e2e-aws-serial |
|
@MrSanketkumar: all tests passed! Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
/jira refresh |
|
@MrSanketkumar: This pull request references Jira Issue OCPBUGS-86715, which is valid. The bug has been moved to the POST state. 7 validation(s) were run on this bug
No GitHub users were found matching the public email listed for the QA contact in Jira (uyendava@redhat.com), skipping review request. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
e5c059e
into
openshift:release-4.18
|
@MrSanketkumar: Jira Issue OCPBUGS-86715: Some pull requests linked via external trackers have merged: The following pull request, linked via external tracker, has not merged: All associated pull requests must be merged or unlinked from the Jira bug in order for it to move to the next state. Once unlinked, request a bug refresh with Jira Issue OCPBUGS-86715 has not been moved to the MODIFIED state. This PR is marked as verified. If the remaining PRs listed above are marked as verified before merging, the issue will automatically be moved to VERIFIED after all of the changes from the PRs are available in an accepted nightly payload. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
Fix included in release 4.18.0-0.nightly-2026-07-08-092428 |
Vulnerability: CVE-2026-46579 - mTLS client certificate spoofing via HTTP header injection
Fix: Prevents unauthenticated spoofing of mutual TLS client identities by stripping X-SSL-Client-* headers from HTTP requests before they reach backends.
Changes:
Summary by CodeRabbit
Release Notes