OADP-2948: OADP 1.1.7 release notes

Signed-off-by: Andy Arnold <[email protected]>

Author: anarnold97

backup_and_restore/application_backup_and_restore/oadp-release-notes.adoc

@@ -15,6 +15,8 @@ include::modules/oadp-release-notes-1-2-1.adoc[leveloffset=+1]
 
 include::modules/oadp-release-notes-1-2-0.adoc[leveloffset=+1]
 
+include::modules/oadp-release-notes-1-1-7.adoc[leveloffset=+1]
+
 include::modules/oadp-release-notes-1-1-6.adoc[leveloffset=+1]
 
 include::modules/oadp-release-notes-1-1-5.adoc[leveloffset=+1]

modules/oadp-release-notes-1-1-1.adoc

@@ -15,6 +15,16 @@ Before you install OADP 1.1.1, it is recommended to either install VolSync 0.5.1
 
 This release has the following known issues:
 
+* Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack)
++
+The HTTP/2 protocol is susceptible to a denial of service attack because request cancellation can reset multiple streams quickly. The server has to set up and tear down the streams while not hitting any server-side limit for the maximum number of active streams per connection. This results in a denial of service due to server resource consumption. For a list of all OADP issues associated with this CVE, see the following link:https://issues.redhat.com/browse/OADP-2868?filter=12421248[Jira list].
++
+It is advised to upgrade to OADP 1.1.7 or 1.2.3, which resolve this issue.
++
+For more information, see link:https://access.redhat.com/security/cve/cve-2023-39325[CVE-2023-39325 (Rapid Reset Attack)].
++
+
+
 * OADP currently does not support backup and restore of AWS EFS volumes using restic in Velero (link:https://issues.redhat.com/browse/OADP-778[*OADP-778*]).
 
 * CSI backups might fail due to a Ceph limitation of `VolumeSnapshotContent` snapshots per PVC.

modules/oadp-release-notes-1-1-7.adoc

@@ -0,0 +1,32 @@
+// Module included in the following assemblies:
+//
+// * backup_and_restore/oadp-release-notes.adoc
+
+:_content-type: REFERENCE
+[id="migration-oadp-release-notes-1-1-7_{context}"]
+= OADP 1.1.7 release notes
+
+The OADP 1.1.7 release notes lists any resolved issues and known issues.
+
+
+[id="resolved-issues1.1.7_{context}"]
+== Resolved issues
+
+The following highlighted issues are resolved in OADP 1.1.7:
+
+.Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack)
+
+In previous releases of OADP 1.1, the HTTP/2 protocol was susceptible to a denial of service attack because request cancellation could reset multiple streams quickly. The server had to set up and tear down the streams while not hitting any server-side limit for the maximum number of active streams per connection. This resulted in a denial of service due to server resource consumption. For a list of all OADP issues associated with this CVE, see the following link:https://issues.redhat.com/browse/OADP-2868?filter=12421248[Jira list].
+
+For more information, see link:https://access.redhat.com/security/cve/cve-2023-39325[CVE-2023-39325 (Rapid Reset Attack)].
+
+For a complete list of all issues resolved in the release of OADP 1.1.7, see the list of link:https://issues.redhat.com/browse/OADP-2094?filter=12422262[OADP 1.1.7 resolved issues] in Jira.
+
+
+[id="known-issues1.1.7_{context}"]
+== Known issues
+
+There are no known issues in the release of OADP 1.1.7.
+
+
+