Ensure kubeclient >= 4.9.3 to avoid CVE-2022-0759
Hi, I see your code uses `Kubeclient::Config.read(ENV['KUBECONFIG'])`.
4.9.3 fixed a severe issue in Config, in some scenarios causing insecure VERIFY_NONE connections that may leak cluster credentials — ManageIQ/kubeclient#554

Your dependency range already allowed 4.9.3 but it's safer to disallow the older versions.
cben committed Apr 12, 2022
1 parent 80430b7 commit 6d9e6bd
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion beaker-gke.gemspec
Expand Up @@ -32,5 +32,5 @@ Gem::Specification.new do |s|

# Run time dependencies
s.add_runtime_dependency 'googleauth', '~> 0.9'
s.add_runtime_dependency 'kubeclient', '>= 4.4', '< 4.10'
s.add_runtime_dependency 'kubeclient', '>= 4.9.3', '< 5.0'
end
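Review bot: The replacement line does two things at once: it raises the floor to 4.9.3, which is what the commit message describes, but it also widens the upper bound from '< 4.10' to '< 5.0', which the message does not mention. If the only goal is to exclude versions affected by CVE-2022-0759, the minimal change is `s.add_runtime_dependency 'kubeclient', '>= 4.9.3', '< 4.10'`; if allowing 4.10.x is intended, say so in the commit message so downstream consumers know the range was deliberately opened. Either way, a changelog entry noting why the floor moved would help anyone auditing their dependency set for this advisory.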
