Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore(deps): update dependency grafana/agent to v0.43.2 #7347

Merged
merged 1 commit into from
Sep 25, 2024

Conversation

uniget-bot
Copy link

This PR contains the following updates:

Package Update Change
grafana/agent patch 0.43.0 -> 0.43.2

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

grafana/agent (grafana/agent)

v0.43.2

Compare Source

Security fixes

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

Copy link

@nicholasdille-bot nicholasdille-bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Auto-approved because label type/renovate is present.

Copy link

🔍 Vulnerabilities of ghcr.io/uniget-org/tools/grafana-agent:0.43.2

📦 Image Reference ghcr.io/uniget-org/tools/grafana-agent:0.43.2
digestsha256:f41abd0ce39122fe5ee176ec9fb88e8e841787a70709ca272c45dbf3a2b8ab2d
vulnerabilitiescritical: 0 high: 4 medium: 4 low: 1 unspecified: 1
platformlinux/amd64
size123 MB
packages612
critical: 0 high: 3 medium: 0 low: 0 unspecified: 1stdlib 1.22.5 (golang)

pkg:golang/stdlib@1.22.5

high : CVE--2024--34158

Affected range<1.22.7
Fixed version1.22.7
Description

Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

high : CVE--2024--34156

Affected range<1.22.7
Fixed version1.22.7
Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

high : CVE--2022--30635

Affected range<1.22.7
Fixed version1.22.7
Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

unspecified : CVE--2024--34155

Affected range<1.22.7
Fixed version1.22.7
Description

Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.

critical: 0 high: 1 medium: 0 low: 0 github.com/opencontainers/runc 1.1.14 (golang)

pkg:golang/github.com/opencontainers/runc@1.1.14

high 7.2: GHSA--c5pj--mqfh--rvc3 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

Affected range<1.2.0-rc.1
Fixed version1.2.0-rc.1
CVSS Score7.2
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Description

Withdrawn Advisory

This advisory has been withdrawn because it was incorrectly attributed to runc. Please see the issue here for more information.

Original Description

A flaw was found in cri-o, where an arbitrary systemd property can be injected via a Pod annotation. Any user who can create a pod with an arbitrary annotation may perform an arbitrary action on the host system. This issue has its root in how runc handles Config Annotations lists.

critical: 0 high: 0 medium: 1 low: 1 github.com/aws/aws-sdk-go 1.50.27 (golang)

pkg:golang/github.com/aws/aws-sdk-go@1.50.27

medium : CVE--2020--8911

Affected range>=0
Fixed versionNot Fixed
Description

The Go AWS S3 Crypto SDK contains vulnerabilities that can permit an attacker with write access to a bucket to decrypt files in that bucket.

Files encrypted by the V1 EncryptionClient using either the AES-CBC content cipher or the KMS key wrap algorithm are vulnerable. Users should migrate to the V1 EncryptionClientV2 API, which will not create vulnerable files. Old files will remain vulnerable until re-encrypted with the new client.

low : CVE--2020--8912

Affected range>=0
Fixed versionNot Fixed
Description

The Go AWS S3 Crypto SDK contains vulnerabilities that can permit an attacker with write access to a bucket to decrypt files in that bucket.

Files encrypted by the V1 EncryptionClient using either the AES-CBC content cipher or the KMS key wrap algorithm are vulnerable. Users should migrate to the V1 EncryptionClientV2 API, which will not create vulnerable files. Old files will remain vulnerable until re-encrypted with the new client.

critical: 0 high: 0 medium: 1 low: 0 github.com/go-resty/resty/v2 2.7.0 (golang)

pkg:golang/github.com/go-resty/resty/v2@2.7.0

medium 5.9: CVE--2023--45286 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

Affected range<=v2.10.0
Fixed versionNot Fixed
CVSS Score5.9
CVSS VectorCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Description

A race condition in go-resty can result in HTTP request body disclosure across requests. This condition can be triggered by calling sync.Pool.Put with the same *bytes.Buffer more than once, when request retries are enabled and a retry occurs. The call to sync.Pool.Get will then return a bytes.Buffer that hasn't had bytes.Buffer.Reset called on it. This dirty buffer will contain the HTTP request body from an unrelated request, and go-resty will append the current HTTP request body to it, sending two bodies in one request. The sync.Pool in question is defined at package level scope, so a completely unrelated server could receive the request body.

critical: 0 high: 0 medium: 1 low: 0 github.com/grafana/loki 1.6.2-0.20240510183741-cef4c2826b4b (golang)

pkg:golang/github.com/grafana/loki@1.6.2-0.20240510183741-cef4c2826b4b

medium 5.3: CVE--2021--36156 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Affected range<2.3.0
Fixed version2.3.0
CVSS Score5.3
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Description

An issue was discovered in Grafana Loki through 2.2.1. The header value X-Scope-OrgID is used to construct file paths for rules files, and if crafted to conduct directory traversal such as ae ../../sensitive/path/in/deployment pathname, then Loki will attempt to parse a rules file at that location and include some of the contents in the error message.

critical: 0 high: 0 medium: 1 low: 0 github.com/open-telemetry/opentelemetry-collector-contrib/extension/bearertokenauthextension 0.96.0 (golang)

pkg:golang/github.com/open-telemetry/opentelemetry-collector-contrib/extension/bearertokenauthextension@0.96.0

medium 6.5: CVE--2024--42368 Observable Timing Discrepancy

Affected range>=0.80.0
<0.107.0
Fixed version0.107.0
CVSS Score6.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Description

Summary

The bearertokenauth extension's server authenticator performs a simple, non-constant time string comparison of the received & configured bearer tokens.

Details

https://github.com/open-telemetry/opentelemetry-collector-contrib/blob/9128a9258fe1fee36f198f97b1e3371fc7b77a93/extension/bearertokenauthextension/bearertokenauth.go#L189-L196

For background on the type of vulnerability, see https://ropesec.com/articles/timing-attacks/.

Impact

This impacts anyone using the bearertokenauth server authenticator. Malicious clients with network access to the collector may perform a timing attack against a collector with this authenticator to guess the configured token, by iteratively sending tokens and comparing the response time. This would allow an attacker to introduce fabricated or bad data into the collector's telemetry pipeline.

Fix

The observable timing vulnerability was fixed by @axw in v0.107.0 (PR open-telemetry/opentelemetry-collector-contrib#34516) by using constant-time comparison.

Workarounds

  • upgrade to v0.107.0 or above, or, if you're unable to upgrade at this time,
  • don't expose the receiver using bearertokenauth to network segments accessible by potential attackers, or
  • change the receiver to use a different authentication extension instead, or
  • disable the receiver relying on bearertokenauth

Copy link

Copy link

PR is clean and can be merged. See https://github.com/uniget-org/tools/actions/runs/11037410811.

@github-actions github-actions bot merged commit 3b2c3e3 into main Sep 25, 2024
9 checks passed
@github-actions github-actions bot deleted the renovate/grafana-agent-0.43.x branch September 25, 2024 16:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants