
Update dependency for Kubeclient::Config vulnerability #115

Closed
wants to merge 1 commit into from

Conversation

cben
Copy link

@cben cben commented Mar 25, 2022

Proposed changes

See ManageIQ/kubeclient#554, I fixed an embarrassing vulnerability in Kubeclient::Config — it could wrongly set VERIFY_NONE, allowing man-in-the-middle attacks and stealing cluster credentials 😳
And I see this repo does use Kubeclient::Config.read.

kubeclient generally obeys SemVer, so upgrading 4.6.z to 4.9.z should be safe. OTOH if you think upgrading is tricky, let us know on that kubeclient issue, we can backport the fix!

@harshit-splunk @rockb1017 I see several of fluent-plugin-* gems depend on '~> 4.6.0', and more than one are maintained by Splunk — I'm not going to send PRs to them all, please spread the word.

Types of changes

What types of changes does your code introduce?
Put an x in the boxes that apply

  • Bugfix (non-breaking change which fixes an issue) — BUT I DID NOT TEST THIS
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)

Checklist

Put an x in the boxes that apply.

  • I have read the CONTRIBUTING doc
  • I have read the CLA
  • I have added tests that prove my fix is effective or that my feature works
  • I have added necessary documentation (if appropriate)
  • Any dependent changes have been merged and published in downstream modules

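The PR above only says that `Kubeclient::Config` could end up with `VERIFY_NONE`; it does not show the consumer side. The following is an added example, not code from this repository or from the kubeclient gem, of what a plugin that calls `Kubeclient::Config.read` can do to fail closed regardless of which gem version is installed: derive the verify mode from a kubeconfig cluster entry so that only a literal `insecure-skip-tls-verify: true` disables verification, and gate the resulting `ssl_options` hash before it reaches a client. It assumes no kubeclient gem is present (only `yaml` and `openssl` from the standard library), the kubeconfig is a constructed sample, and the function names (`verify_mode_for`, `ssl_options_for`, `assert_verifying!`, `check_all`) are hypothetical.

```ruby
require 'yaml'
require 'openssl'

# Constructed sample kubeconfig (not taken from the page). The three clusters
# cover the three states of `insecure-skip-tls-verify`: absent, false, true.
SAMPLE_KUBECONFIG = <<~YAML
  apiVersion: v1
  kind: Config
  clusters:
  - name: prod
    cluster:
      server: https://prod.example.internal:6443
      certificate-authority-data: PLACEHOLDER_BASE64_CA
  - name: staging
    cluster:
      server: https://staging.example.internal:6443
      insecure-skip-tls-verify: false
  - name: dev
    cluster:
      server: https://dev.example.internal:6443
      insecure-skip-tls-verify: true
YAML

# Decide the OpenSSL verify mode for one cluster entry. Verification is only
# disabled when the kubeconfig literally says `insecure-skip-tls-verify: true`;
# a missing key, nil, false or any other value keeps VERIFY_PEER (fail closed).
def verify_mode_for(cluster)
  cluster['insecure-skip-tls-verify'] == true ? OpenSSL::SSL::VERIFY_NONE : OpenSSL::SSL::VERIFY_PEER
end

# Build the ssl_options-style hash a kubeclient consumer would hand to the
# client, from a parsed kubeconfig hash and a cluster name.
def ssl_options_for(kubeconfig, cluster_name)
  entry = kubeconfig.fetch('clusters').find { |c| c['name'] == cluster_name }
  raise ArgumentError, "no cluster named #{cluster_name}" unless entry

  cluster = entry.fetch('cluster')
  { verify_ssl: verify_mode_for(cluster), server: cluster['server'] }
end

class InsecureTLSError < StandardError; end

# Consumer-side gate: whatever produced ssl_options (a kubeclient version with
# the bug included), refuse VERIFY_NONE unless the caller opted in explicitly.
def assert_verifying!(ssl_options, allow_insecure: false)
  if ssl_options[:verify_ssl] == OpenSSL::SSL::VERIFY_NONE && !allow_insecure
    raise InsecureTLSError, "TLS verification disabled for #{ssl_options[:server]}"
  end
  ssl_options
end

# Run the gate over every cluster and report :ok or :refused per cluster name.
def check_all(kubeconfig_yaml, allow_insecure: false)
  config = YAML.safe_load(kubeconfig_yaml)
  config['clusters'].each_with_object({}) do |entry, report|
    name = entry['name']
    begin
      assert_verifying!(ssl_options_for(config, name), allow_insecure: allow_insecure)
      report[name] = :ok
    rescue InsecureTLSError
      report[name] = :refused
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  check_all(SAMPLE_KUBECONFIG).each { |name, status| puts "#{name}: #{status}" }
end
```

Running the file prints `prod: ok`, `staging: ok`, `dev: refused`. The gate is deliberately separate from the parsing step so it can wrap the `ssl_options` a real `Kubeclient::Config` context returns, which is the place where a dependency upgrade such as 4.6.z to 4.9.z would otherwise be the only line of defence.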