The release notes for the Custom Metrics Autoscaler Operator for Red Hat OpenShift describe new features and enhancements, deprecated features, and known issues.
The Custom Metrics Autoscaler Operator uses the Kubernetes-based Event Driven Autoscaler (KEDA) and is built on top of the Red Hat OpenShift Service on AWS horizontal pod autoscaler (HPA).
The Custom Metrics Autoscaler Operator for Red Hat OpenShift is provided as an installable component, with a distinct release cycle from the core Red Hat OpenShift Service on AWS. The Red Hat OpenShift Container Platform Life Cycle Policy outlines release compatibility. |
The following table defines the Custom Metrics Autoscaler Operator versions for each Red Hat OpenShift Service on AWS version.
Version | Red Hat OpenShift Service on AWS version | General availability |
---|---|---|
2.12.1 |
4.15 |
General availability |
2.12.1 |
4.14 |
General availability |
2.12.1 |
4.13 |
General availability |
2.12.1 |
4.12 |
General availability |
This release of the Custom Metrics Autoscaler Operator 2.12.1-394 provides a bug fix for running the Operator in an Red Hat OpenShift Service on AWS cluster. The following advisory is available for the RHSA-2024:2901.
Before installing this version of the Custom Metrics Autoscaler Operator, remove any previously installed Technology Preview versions or the community-supported version of KEDA. |
Previously, the protojson.Unmarshal
function entered into an infinite loop when unmarshaling certain forms of invalid JSON. This condition could occur when unmarshaling into a message that contains a google.protobuf.Any
value or when the UnmarshalOptions.DiscardUnknown
option is set. This release fixes this issue. (OCPBUGS-30305)
Previously, when parsing a multipart form, either explicitly with the Request.ParseMultipartForm
method or implicitly with the Request.FormValue
, Request.PostFormValue
, or Request.FormFile
method, the limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line. This could have permitted a maliciously crafted input containing very long lines to cause allocation of arbitrarily large amounts of memory, potentially leading to memory exhaustion. With this fix, the parsing process now correctly limits the maximum size of form lines. (OCPBUGS-30360)
Previously, when following an HTTP redirect to a domain that is not on a matching subdomain or on an exact match of the initial domain, an HTTP client would not forward sensitive headers, such as Authorization
or Cookie
. For example, a redirect from example.com to www.example.com would forward the Authorization
header; but a redirect to www.example.org would not forward the header. A maliciously crafted HTTP redirect could have caused sensitive headers to be unexpectedly forwarded. This release fixes this issue. (OCPBUGS-30365)
Previously, verifying a certificate chain that contains a certificate with an unknown public key algorithm caused the certificate verification process to panic. This condition affected all crypto and TLS clients and servers that set the Config.ClientAuth
parameter to the VerifyClientCertIfGiven
or RequireAndVerifyClientCert
value. The default behavior is for TLS servers to not verify client certificates. This release fixes this issue. (OCPBUGS-30370)
Previously, if errors returned from the MarshalJSON
method contained user-controlled data, the data could have been used to break the contextual auto-escaping behavior of the HTML template package. This condition would allow for subsequent actions to inject unexpected content into the templates. This release fixes this issue. (OCPBUGS-30397)
Previously, the net/http
and golang.org/x/net/http2
Go packages did not limit the number of CONTINUATION
frames that were read for an HTTP/2 request. This condition could permit an attacker to provide an arbitrarily large set of headers for a single request, which would be read, decoded, and subsequently discarded. This could result in excessive CPU consumption. This release fixes this issue. (OCPBUGS-30894)