-
Notifications
You must be signed in to change notification settings - Fork 3
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
chore(deps): update dependency replicatedhq/kots to v1.117.2 #7271
base: main
Are you sure you want to change the base?
Conversation
🔍 Vulnerabilities of
|
digest | sha256:28e6097a15a171e9821c3f8c751decd5a5eb6cfedf7136d72fc53611e6041d2c |
vulnerabilities | |
platform | linux/amd64 |
size | 45 MB |
packages | 370 |
stdlib
|
Affected range | >=1.23.0-0 |
Fixed version | 1.23.1 |
Description
Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.
Affected range | >=1.23.0-0 |
Fixed version | 1.23.1 |
Description
Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.
Affected range | >=1.23.0-0 |
Fixed version | 1.23.1 |
Description
Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.
Affected range | >=1.23.0-0 |
Fixed version | 1.23.1 |
Description
Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.
github.com/aws/aws-sdk-go 1.55.5
(golang)
pkg:golang/github.com/aws/aws-sdk-go@1.55.5
Affected range | >=0 |
Fixed version | Not Fixed |
Description
The Go AWS S3 Crypto SDK contains vulnerabilities that can permit an attacker with write access to a bucket to decrypt files in that bucket.
Files encrypted by the V1 EncryptionClient using either the AES-CBC content cipher or the KMS key wrap algorithm are vulnerable. Users should migrate to the V1 EncryptionClientV2 API, which will not create vulnerable files. Old files will remain vulnerable until re-encrypted with the new client.
Affected range | >=0 |
Fixed version | Not Fixed |
Description
The Go AWS S3 Crypto SDK contains vulnerabilities that can permit an attacker with write access to a bucket to decrypt files in that bucket.
Files encrypted by the V1 EncryptionClient using either the AES-CBC content cipher or the KMS key wrap algorithm are vulnerable. Users should migrate to the V1 EncryptionClientV2 API, which will not create vulnerable files. Old files will remain vulnerable until re-encrypted with the new client.
github.com/open-policy-agent/opa 0.67.1
(golang)
pkg:golang/github.com/open-policy-agent/opa@0.67.1
Authentication Bypass by Capture-replay
Affected range | <0.68.0 |
Fixed version | 0.68.0 |
CVSS Score | 6.1 |
CVSS Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L |
Description
A SMB force-authentication vulnerability exists in all versions of OPA for Windows prior to v0.68.0. The vulnerability exists because of improper input validation, allowing a user to pass an arbitrary SMB share instead of a Rego file as an argument to OPA CLI or to one of the OPA Go library’s functions.
github.com/mholt/archiver/v3 3.5.1
(golang)
pkg:golang/github.com/mholt/archiver/v3@3.5.1
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Affected range | >=3.0.0 |
Fixed version | Not Fixed |
CVSS Score | 6.1 |
CVSS Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N |
Description
A flaw was discovered in the mholt/archiver package. This flaw allows an attacker to create a specially crafted tar file, which, when unpacked, may allow access to restricted files or directories. This issue can allow the creation or overwriting of files with the user's or application's privileges using the library.
gopkg.in/square/go-jose.v2 2.2.2
(golang)
pkg:golang/gopkg.in/square/go-jose.v2@2.2.2
Improper Handling of Highly Compressed Data (Data Amplification)
Affected range | <=2.6.0 |
Fixed version | Not Fixed |
CVSS Score | 4.3 |
CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L |
Description
Impact
An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). Thanks to Enze Wang@Alioth and Jianjun Chen@Zhongguancun Lab (@zer0yu and @chenjj) for reporting.
Patches
The problem is fixed in the following packages and versions:
- github.com/go-jose/go-jose/v4 version 4.0.1
- github.com/go-jose/go-jose/v3 version 3.0.3
- gopkg.in/go-jose/go-jose.v2 version 2.6.3
The problem will not be fixed in the following package because the package is archived:
- gopkg.in/square/go-jose.v2
k8s.io/apiserver 0.31.0
(golang)
pkg:golang/k8s.io/apiserver@0.31.0
OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
Affected range | <1.15.10 |
Fixed version | 1.15.10, 1.16.7, 1.17.3 |
CVSS Score | 4.3 |
CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L |
Description
The Kubernetes API server component has been found to be vulnerable to a denial of service attack via successful API requests.
github.com/kopia/kopia 0.10.7
(golang)
pkg:golang/github.com/kopia/kopia@0.10.7
Exposure of Sensitive Information to an Unauthorized Actor
Affected range | <0.16.0 |
Fixed version | 0.16.0 |
CVSS Score | 2 |
CVSS Vector | CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N |
Description
Impact
What kind of vulnerability is it? Who is impacted?
Storage credentials are written to the console.
Patches
Has the problem been patched? Yes, see #3589
What versions should users upgrade to?
- Any version after or including commit 1d6f852cd6534f4bea978cbdc85c583803d79f77
- No release has been created yet.
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
- Be aware that
kopia repo status --json
will write the credentials to the output without scrubbing them.- Avoid executing
kopia repo status
with the--json
flag in an insecure environment where.- Avoid logging the output of the
kopia repo status --json
command.
Attempting automerge. See https://github.com/uniget-org/tools/actions/runs/10963018464. |
PR is blocked and can not be merged. See https://github.com/uniget-org/tools/actions/runs/10963018464. |
This PR contains the following updates:
1.117.1
->1.117.2
Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
Release Notes
replicatedhq/kots (replicatedhq/kots)
v1.117.2
Compare Source
Changelog
10a8c23
feat(ec): support for custom admin console and lam ports (#4909)Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.