This repository has been archived by the owner on Jun 20, 2024. It is now read-only.

don't handle v1 protocol (at least not by default) #1129

Open
rade opened this issue Jul 14, 2015 · 1 comment

Comments

@rade
Member

rade commented Jul 14, 2015

In order to fix #912 we changed the protocol in #1098, bumping the version to v2. For backward compatibility, the router can still also speak v1. That means the vulnerability identified in #912 is still present, unless the router is configured with --min-protocol-version=2, since an attacker can simply claim to only speak v1. So we should either remove v1 protocol completely, or change the default value of min-protocol-version to 2. If we do this in weave 1.2, this gives users a clean rolling upgrade path, from 1.0, i.e. they can first roll out an upgrade to 1.1, which speaks both protocol versions, and then to 1.2.
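
The downgrade described in the comment above, and the rolling upgrade path it proposes, as an added Go example that is not weave's code. `VersionRange`, `Negotiate` and the assumption that 1.0 speaks only v1 are hypothetical and chosen for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// VersionRange is the span of protocol versions a peer says it can speak.
// Hypothetical type for illustration; not weave's handshake code.
type VersionRange struct{ Min, Max int }

var ErrNoCommonVersion = errors.New("no acceptable common protocol version")

// Negotiate returns the highest version inside both ranges. The remote range
// is whatever the peer claims, so local.Min is the only floor we control.
func Negotiate(local, remote VersionRange) (int, error) {
	v := local.Max
	if remote.Max < v {
		v = remote.Max
	}
	if v < local.Min || v < remote.Min {
		return 0, ErrNoCommonVersion
	}
	return v, nil
}

func main() {
	// Constructed scenarios. Assumption: 1.0 speaks only v1; 1.1 speaks v1
	// and v2; 1.2 is the proposed release with the floor raised to 2.
	v10 := VersionRange{1, 1}
	v11 := VersionRange{1, 2}
	v12 := VersionRange{2, 2}
	claimsV1Only := VersionRange{1, 1} // peer that understates its maximum

	cases := []struct {
		name          string
		local, remote VersionRange
	}{
		{"1.1 default floor vs peer claiming v1 only", v11, claimsV1Only},
		{"floor raised to 2 vs peer claiming v1 only", v12, claimsV1Only},
		{"rolling upgrade step 1: 1.0 <-> 1.1", v10, v11},
		{"rolling upgrade step 2: 1.1 <-> 1.2", v11, v12},
	}
	for _, c := range cases {
		v, err := Negotiate(c.local, c.remote)
		fmt.Printf("%-45s version=%d err=%v\n", c.name, v, err)
	}
}
```

A 1.0 peer cannot connect to a router whose floor is 2, which is why the upgrade has to pass through 1.1 first.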

@bboreham
Contributor

Some thoughts on how to do the change at #1396 (comment)
