chore(deps): update dependency containerd/containerd to v1.7.19 #5632
Conversation
Auto-approved because label type/renovate is present.
🔍 Vulnerabilities of

| | |
|---|---|
| digest | sha256:4f2aa6e4dfa478808b190bbaf0b917eece88a360f43ae07b2c133a36f45af8bd |
| vulnerabilities | |
| platform | linux/amd64 |
| size | 49 MB |
| packages | 131 |
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc

| | |
|---|---|
| Affected range | <0.46.0 |
| Fixed version | 0.46.0 |
| CVSS Score | 7.5 |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Description
Summary
The grpc Unary Server Interceptor opentelemetry-go-contrib/instrumentation/google.golang.org/grpc/otelgrpc/interceptor.go

```go
// UnaryServerInterceptor returns a grpc.UnaryServerInterceptor suitable
// for use in a grpc.NewServer call.
func UnaryServerInterceptor(opts ...Option) grpc.UnaryServerInterceptor {
```

out of the box adds the labels `net.peer.sock.addr` and `net.peer.sock.port`, which have unbounded cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent.
Details
An attacker can easily flood the peer address and port for requests.
PoC
Apply the attached patch to the example and run the client multiple times. Observe how each request will create a unique histogram and how the memory consumption increases during it.
Impact
In order to be affected, the program has to configure a metrics pipeline, use UnaryServerInterceptor, and not filter any client IP addresses and ports via middleware or proxies, etc.
Others
It is similar to already reported vulnerabilities.
- GHSA-5r5m-65gx-7vrh (open-telemetry/opentelemetry-go-contrib)
- GHSA-cg3q-j54f-5p7p (prometheus/client_golang)
Workaround for affected versions
As a workaround to stop being affected, a view removing the attributes can be used.
The other possibility is to disable grpc metrics instrumentation by passing the `otelgrpc.WithMeterProvider` option with `noop.NewMeterProvider`.
Solution provided by upgrading
In PR #4322, to be released with v0.46.0, the attributes were removed.
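The attribute-filtering workaround above, as an added example that is not part of the advisory, the scan report or the otelgrpc project: a stand-alone Go model of a metrics registry (no OpenTelemetry SDK dependency) that keeps one histogram per distinct attribute set, so the series count shows how the two peer-socket labels add a series for every distinct client and how a deny-keys filter of the kind a View's AttributeFilter applies keeps the count bounded. The type and function names (KeyValue, Filter, NewDenyKeysFilter, Registry, SimulateRequests) mirror the SDK's shapes but are this example's own, and the client addresses and ports are constructed sample values.

```go
package main

import (
	"fmt"
	"sort"
)

// KeyValue and Filter mirror the shape of OpenTelemetry's attribute.KeyValue and attribute.Filter (model, not the SDK).
type KeyValue struct{ Key, Value string }
type Filter func(KeyValue) bool

// NewDenyKeysFilter keeps every attribute except the listed keys, as a View's AttributeFilter would.
func NewDenyKeysFilter(keys ...string) Filter {
	deny := map[string]bool{}
	for _, k := range keys {
		deny[k] = true
	}
	return func(kv KeyValue) bool { return !deny[kv.Key] }
}

// Registry holds one series per (instrument, attribute set); each new set is another histogram in memory.
type Registry struct {
	filter Filter
	series map[string][]float64
}

func NewRegistry(f Filter) *Registry { return &Registry{filter: f, series: map[string][]float64{}} }

// Record drops filtered-out attributes, canonicalises the rest into a series key, and appends v.
func (r *Registry) Record(instrument string, v float64, attrs ...KeyValue) {
	var parts []string
	for _, kv := range attrs {
		if r.filter == nil || r.filter(kv) {
			parts = append(parts, kv.Key+"="+kv.Value)
		}
	}
	sort.Strings(parts)
	key := instrument + fmt.Sprint(parts)
	r.series[key] = append(r.series[key], v)
}

// SimulateRequests records n requests from n distinct constructed client sockets, labelled as otelgrpc < 0.46.0 did, and returns the series count.
func SimulateRequests(r *Registry, n int) int {
	for i := 0; i < n; i++ {
		r.Record("rpc.server.duration", 1.5, KeyValue{"rpc.method", "SayHello"},
			KeyValue{"net.peer.sock.addr", fmt.Sprintf("10.0.%d.%d", i/256, i%256)},
			KeyValue{"net.peer.sock.port", fmt.Sprintf("%d", 40000+i)})
	}
	return len(r.series)
}
```

With no filter, 1000 requests from 1000 distinct sockets produce 1000 series; with the two socket keys denied they collapse to the single `rpc.method=SayHello` series, which is the bound the workaround restores.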
References
k8s.io/apiserver 0.26.2 (golang)
pkg:golang/k8s.io/apiserver@0.26.2
OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
| | |
|---|---|
| Affected range | <1.15.10 |
| Fixed version | 1.15.10, 1.16.7, 1.17.3 |
| CVSS Score | 4.3 |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L |
Description
The Kubernetes API server component has been found to be vulnerable to a denial of service attack via successful API requests.
stdlib 1.21.11 (golang)
pkg:golang/stdlib@1.21.11

| | |
|---|---|
| Affected range | <1.21.12 |
| Fixed version | 1.21.12 |
Description
The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail.
An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.
Attempting automerge. See https://github.com/uniget-org/tools/actions/runs/9773313273.
PR is clean and can be merged. See https://github.com/uniget-org/tools/actions/runs/9773313273.
This PR contains the following updates:
- containerd/containerd: 1.7.18 -> 1.7.19
Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
Release Notes
containerd/containerd (containerd/containerd)
v1.7.19: containerd 1.7.19 (Compare Source)
Welcome to the v1.7.19 release of containerd!
The nineteenth patch release for containerd 1.7 contains various updates and
splits the main module from the api module in preparation for the same change
in containerd 2.0. Splitting the modules will allow 1.7 and 2.x to both exist
as transitive dependencies without running into API registration errors.
Projects should use this version as the minimum 1.7 version in preparing to
use containerd 2.0 or to be imported alongside it.
Highlights
Container Runtime Interface (CRI)
Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.
Contributors
Changes
70 commits
- 74a3d2901 Prepare release notes for v1.7.19
- 7f5d3c5f4 cri: ensure NRI API never has nil CRI
- 6efc5bb89 update runhcs binary to v0.11.7
- 945ae09fd Windows: Supply windows shim version via file
- dba53578c pkg/reference: deprecate SplitObject
- 415dd74a8 updating hcsshim to 0.11.7
- 5ad1d2e75 pkg/reference: Spec.Digest(): inline SplitObject code
- 57ce09b42 pkg/reference: SplitObject: add proper GoDoc
- 78ac93fed pkg/reference: SplitObject: zero allocations
- b074e3a7c pkg/reference: Spec.String(): use string-concatenation instead of sprintf
- 0eb786de6 Update api version to v1.7.19
- 436feeb0d Prepare api release for v1.7.19
- 83822d144 Add api release action
- 2a6aa6ddf [release/1.7] api: update github.com/containerd/ttrpc v1.2.5
- 37926b10d vendor: github.com/containerd/ttrpc v1.2.5
- a522e267e golangci-lint fix typo in depguard message
- 1ce1c8f3e 1.7: Add back support for OTLP config from toml
- 136e1b72d golangci-lint: enable depguard for packages that moved
- f5ce2f204 remove imports of errdefs package
- 3be919f3c Add support for 1.8 interfaces
- 5b87eb502 Add go mod replace when proto changes happen
- a3a7431bc Add api go submodule
- 61b3e2261 Alias protobuf plugin to new api types package
- 4b82470f6 refactor: move plugin/fieldpath to api/types/
- 24ce9e431 integration: backport upgrade testsuite's utils
- 79500d5cb *: export RemoveVolatileOption for CRI image volumes
- bb80bd768 strip-volatile-option-tmp-mounts
- 6dce90b15 update runc binary to v1.1.13
- 884094be8 devmapper plugin: skip plugin when not configured
- 40012b644 Fail integration test early when a plugin load fails
- 869b78677 vendor: github.com/containerd/platforms v0.2.1
- 6ccdf6977 platforms: mark aliases as deprecated
- 19a056163 adjust default platform for backward-compatibility
- 6ff3e09d2 migrate platforms package to github.com/containerd/platforms
- 327a3ac61 go.mod: github.com/klauspost/compress v1.16.7
- d0d1264a6 vendor: github.com/klauspost/compress v1.16.5
- 02b8dd5ff Remove cirrus configuration
- 31d951bf5 Run vagrant integration tests as github actions
- 97abbe9cb build(deps): bump github.com/distribution/reference from 0.5.0 to 0.6.0
- a00a2d20a reference/docker: remove deprecated SplitHostname
- b38c0f2ef replace reference/docker for github.com/distribution/reference v0.5.0
- fef432bfe build(deps): bump go.etcd.io/bbolt from 1.3.9 to 1.3.10
- 487c61bfb vendor: go.etcd.io/bbolt v1.3.9
- 7211f87c4 build(deps): bump golang.org/x/sync from 0.4.0 to 0.5.0
- e908c3e6f vendor: golang.org/x/sync v0.4.0
- d814be5ce build(deps): bump go.etcd.io/bbolt from 1.3.7 to 1.3.8
- 33b62936e [release/1.7]: HPC working directory fix in pkg/cri/server code
Changes from containerd/platforms
21 commits
- f680838 Remove hcsshim import from repo
- 983ba15 Update windows matcher to not compare empty os version
- 17c859f Add tests for osversion matching with no version
- 38a74d2 Add grammar for platform string
- 724b9f8 downgrade minimum required version of hcsshim to v0.10.0
- f6dd384 enable linter on windows
- cb03428 fix grammar and highlights in README
- 5b937b0 Fix link in README
- 129b256 Update linter to skip Windows
- 18e3da6 Add Github actions CI
- ed29dfd Remove space at end of readme
- b3f80ee Add go module
- 8ff004c Add license and readme
Changes from containerd/ttrpc
4 commits
- 4785c70 switch to github.com/containerd/log for logs
- e0f3ead Fix CI build status badge in readme
Dependency Changes
Previous release can be found at v1.7.18
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.