-
Notifications
You must be signed in to change notification settings - Fork 3
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
chore(deps): update dependency grafana/agent to v0.43.2 #7347
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Auto-approved because label type/renovate is present.
🔍 Vulnerabilities of
|
digest | sha256:f41abd0ce39122fe5ee176ec9fb88e8e841787a70709ca272c45dbf3a2b8ab2d |
vulnerabilities | |
platform | linux/amd64 |
size | 123 MB |
packages | 612 |
stdlib
|
Affected range | <1.22.7 |
Fixed version | 1.22.7 |
Description
Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.
Affected range | <1.22.7 |
Fixed version | 1.22.7 |
Description
Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.
Affected range | <1.22.7 |
Fixed version | 1.22.7 |
Description
Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.
Affected range | <1.22.7 |
Fixed version | 1.22.7 |
Description
Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.
github.com/opencontainers/runc 1.1.14
(golang)
pkg:golang/github.com/opencontainers/runc@1.1.14
OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
Affected range | <1.2.0-rc.1 |
Fixed version | 1.2.0-rc.1 |
CVSS Score | 7.2 |
CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
Description
Withdrawn Advisory
This advisory has been withdrawn because it was incorrectly attributed to runc. Please see the issue here for more information.
Original Description
A flaw was found in cri-o, where an arbitrary systemd property can be injected via a Pod annotation. Any user who can create a pod with an arbitrary annotation may perform an arbitrary action on the host system. This issue has its root in how runc handles Config Annotations lists.
github.com/aws/aws-sdk-go 1.50.27
(golang)
pkg:golang/github.com/aws/aws-sdk-go@1.50.27
Affected range | >=0 |
Fixed version | Not Fixed |
Description
The Go AWS S3 Crypto SDK contains vulnerabilities that can permit an attacker with write access to a bucket to decrypt files in that bucket.
Files encrypted by the V1 EncryptionClient using either the AES-CBC content cipher or the KMS key wrap algorithm are vulnerable. Users should migrate to the V1 EncryptionClientV2 API, which will not create vulnerable files. Old files will remain vulnerable until re-encrypted with the new client.
Affected range | >=0 |
Fixed version | Not Fixed |
Description
The Go AWS S3 Crypto SDK contains vulnerabilities that can permit an attacker with write access to a bucket to decrypt files in that bucket.
Files encrypted by the V1 EncryptionClient using either the AES-CBC content cipher or the KMS key wrap algorithm are vulnerable. Users should migrate to the V1 EncryptionClientV2 API, which will not create vulnerable files. Old files will remain vulnerable until re-encrypted with the new client.
github.com/go-resty/resty/v2 2.7.0
(golang)
pkg:golang/github.com/go-resty/resty/v2@2.7.0
OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
Affected range | <=v2.10.0 |
Fixed version | Not Fixed |
CVSS Score | 5.9 |
CVSS Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |
Description
A race condition in go-resty can result in HTTP request body disclosure across requests. This condition can be triggered by calling sync.Pool.Put with the same *bytes.Buffer more than once, when request retries are enabled and a retry occurs. The call to sync.Pool.Get will then return a bytes.Buffer that hasn't had bytes.Buffer.Reset called on it. This dirty buffer will contain the HTTP request body from an unrelated request, and go-resty will append the current HTTP request body to it, sending two bodies in one request. The sync.Pool in question is defined at package level scope, so a completely unrelated server could receive the request body.
github.com/grafana/loki 1.6.2-0.20240510183741-cef4c2826b4b
(golang)
pkg:golang/github.com/grafana/loki@1.6.2-0.20240510183741-cef4c2826b4b
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Affected range | <2.3.0 |
Fixed version | 2.3.0 |
CVSS Score | 5.3 |
CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
Description
An issue was discovered in Grafana Loki through 2.2.1. The header value X-Scope-OrgID is used to construct file paths for rules files, and if crafted to conduct directory traversal such as ae ../../sensitive/path/in/deployment pathname, then Loki will attempt to parse a rules file at that location and include some of the contents in the error message.
github.com/open-telemetry/opentelemetry-collector-contrib/extension/bearertokenauthextension 0.96.0
(golang)
pkg:golang/github.com/open-telemetry/opentelemetry-collector-contrib/extension/bearertokenauthextension@0.96.0
Observable Timing Discrepancy
Affected range | >=0.80.0 |
Fixed version | 0.107.0 |
CVSS Score | 6.5 |
CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L |
Description
Summary
The bearertokenauth extension's server authenticator performs a simple, non-constant time string comparison of the received & configured bearer tokens.
Details
For background on the type of vulnerability, see https://ropesec.com/articles/timing-attacks/.
Impact
This impacts anyone using the
bearertokenauth
server authenticator. Malicious clients with network access to the collector may perform a timing attack against a collector with this authenticator to guess the configured token, by iteratively sending tokens and comparing the response time. This would allow an attacker to introduce fabricated or bad data into the collector's telemetry pipeline.Fix
The observable timing vulnerability was fixed by @axw in v0.107.0 (PR open-telemetry/opentelemetry-collector-contrib#34516) by using constant-time comparison.
Workarounds
- upgrade to v0.107.0 or above, or, if you're unable to upgrade at this time,
- don't expose the receiver using
bearertokenauth
to network segments accessible by potential attackers, or- change the receiver to use a different authentication extension instead, or
- disable the receiver relying on
bearertokenauth
Attempting automerge. See https://github.com/uniget-org/tools/actions/runs/11037410811. |
PR is clean and can be merged. See https://github.com/uniget-org/tools/actions/runs/11037410811. |
This PR contains the following updates:
0.43.0
->0.43.2
Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
Release Notes
grafana/agent (grafana/agent)
v0.43.2
Compare Source
Security fixes
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.