fix(deps): update rust crate object_store to 0.10.2 [security] - autoclosed #131
Closed
Conversation
renovate bot force-pushed the renovate/crate-object_store-vulnerability branch from f289796 to 22919f1 (July 28, 2024 14:33)
renovate bot changed the title from "fix(deps): update rust crate object_store to 0.10.2 [security]" to "fix(deps): update rust crate object_store to 0.10 [security]" (Jul 28, 2024)
renovate bot force-pushed the renovate/crate-object_store-vulnerability branch from 22919f1 to f190d9c (July 28, 2024 16:21)
renovate bot changed the title from "fix(deps): update rust crate object_store to 0.10 [security]" to "fix(deps): update rust crate object_store to 0.10.2 [security]" (Jul 28, 2024)
renovate bot force-pushed the renovate/crate-object_store-vulnerability branch from f190d9c to f09186f (October 9, 2024 09:08)
renovate bot changed the title from "fix(deps): update rust crate object_store to 0.10.2 [security]" to "fix(deps): update rust crate object_store to 0.11 [security]" (Oct 9, 2024)
renovate bot force-pushed the renovate/crate-object_store-vulnerability branch from f09186f to 017586d (October 9, 2024 12:22)
renovate bot changed the title from "fix(deps): update rust crate object_store to 0.11 [security]" to "fix(deps): update rust crate object_store to 0.10.2 [security]" (Oct 9, 2024)
renovate bot force-pushed the renovate/crate-object_store-vulnerability branch from 017586d to dc34e9d (October 28, 2024 15:38)
renovate bot changed the title from "fix(deps): update rust crate object_store to 0.10.2 [security]" to "fix(deps): update rust crate object_store to 0.11 [security]" (Oct 28, 2024)
renovate bot force-pushed the renovate/crate-object_store-vulnerability branch from dc34e9d to e65fa6c (October 28, 2024 19:40)
renovate bot changed the title from "fix(deps): update rust crate object_store to 0.11 [security]" to "fix(deps): update rust crate object_store to 0.10.2 [security]" (Oct 28, 2024)
renovate bot force-pushed the renovate/crate-object_store-vulnerability branch from e65fa6c to 85a026e (October 30, 2024 07:34)
renovate bot changed the title from "fix(deps): update rust crate object_store to 0.10.2 [security]" to "fix(deps): update rust crate object_store to 0.11 [security]" (Oct 30, 2024)
renovate bot force-pushed the renovate/crate-object_store-vulnerability branch from 85a026e to 55bdfee (October 30, 2024 11:33)
renovate bot changed the title from "fix(deps): update rust crate object_store to 0.11 [security]" to "fix(deps): update rust crate object_store to 0.10.2 [security]" (Oct 30, 2024)
renovate bot force-pushed the renovate/crate-object_store-vulnerability branch from 55bdfee to 18eead4 (November 1, 2024 19:08)
renovate bot changed the title from "fix(deps): update rust crate object_store to 0.10.2 [security]" to "fix(deps): update rust crate object_store to 0.11 [security]" (Nov 1, 2024)
renovate bot force-pushed the renovate/crate-object_store-vulnerability branch from 18eead4 to cf10d31 (November 1, 2024 21:53)
renovate bot changed the title from "fix(deps): update rust crate object_store to 0.11 [security]" to "fix(deps): update rust crate object_store to 0.10.2 [security]" (Nov 1, 2024)
renovate bot force-pushed the renovate/crate-object_store-vulnerability branch from cf10d31 to a50aa1d (November 17, 2024 16:57)
renovate bot changed the title from "fix(deps): update rust crate object_store to 0.10.2 [security]" to "fix(deps): update rust crate object_store to 0.11 [security]" (Nov 17, 2024)
renovate bot force-pushed the renovate/crate-object_store-vulnerability branch from a50aa1d to e99b074 (November 17, 2024 19:17)
renovate bot changed the title from "fix(deps): update rust crate object_store to 0.11 [security]" to "fix(deps): update rust crate object_store to 0.10.2 [security]" (Nov 17, 2024)
renovate bot force-pushed the renovate/crate-object_store-vulnerability branch from e99b074 to f6ae71f (December 2, 2024 11:50)
renovate bot changed the title from "fix(deps): update rust crate object_store to 0.10.2 [security]" to "fix(deps): update rust crate object_store to 0.11 [security]" (Dec 2, 2024)
renovate bot force-pushed the renovate/crate-object_store-vulnerability branch from f6ae71f to e1363c2 (December 2, 2024 15:13)
renovate bot changed the title from "fix(deps): update rust crate object_store to 0.11 [security]" to "fix(deps): update rust crate object_store to 0.10.2 [security]" (Dec 2, 2024)
renovate bot force-pushed the renovate/crate-object_store-vulnerability branch from e1363c2 to 1e466e8 (December 17, 2024 19:43)
renovate bot changed the title from "fix(deps): update rust crate object_store to 0.10.2 [security]" to "fix(deps): update rust crate object_store to 0.11 [security]" (Dec 17, 2024)
renovate bot force-pushed the renovate/crate-object_store-vulnerability branch from 1e466e8 to 87a3d03 (December 17, 2024 22:18)
renovate bot changed the title from "fix(deps): update rust crate object_store to 0.11 [security]" to "fix(deps): update rust crate object_store to 0.10.2 [security]" (Dec 17, 2024)
renovate bot force-pushed the renovate/crate-object_store-vulnerability branch from 87a3d03 to 73b7433 (December 22, 2024 19:49)
renovate bot changed the title from "fix(deps): update rust crate object_store to 0.10.2 [security]" to "fix(deps): update rust crate object_store to 0.11 [security]" (Dec 22, 2024)
renovate bot force-pushed the renovate/crate-object_store-vulnerability branch from 73b7433 to 5170b45 (December 22, 2024 23:03)
renovate bot changed the title from "fix(deps): update rust crate object_store to 0.11 [security]" to "fix(deps): update rust crate object_store to 0.10.2 [security]" (Dec 22, 2024)
renovate bot changed the title from "fix(deps): update rust crate object_store to 0.10.2 [security]" to "fix(deps): update rust crate object_store to 0.10.2 [security] - autoclosed" (Jan 6, 2025)
This PR contains the following updates:
object_store: 0.9 -> 0.10.2
GitHub Vulnerability Alerts
CVE-2024-41178
Exposure of temporary credentials in logs in Apache Arrow Rust Object Store (object_store crate), version 0.10.1 and earlier on all platforms using AWS WebIdentityTokens. On certain error conditions, the logs may contain the OIDC token passed to AssumeRoleWithWebIdentity (https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html). This allows someone with access to the logs to impersonate that identity, including performing their own calls to AssumeRoleWithWebIdentity, until the OIDC token expires. Typically OIDC tokens are valid for up to an hour, although this will vary depending on the issuer.
Users are recommended to use a different AWS authentication mechanism, disable logging or upgrade to version 0.10.2, which fixes this issue.
Details:
When using AWS WebIdentityTokens with the object_store crate, in the event of a failure and automatic retry, the underlying reqwest error, including the full URL with the credentials, potentially in the parameters, is written to the logs.
Thanks to Paul Hatcherian for reporting this vulnerability.
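The failure mode above is a log sink receiving an error message that echoes the full STS request URL, token included. The following is an added example (not code from object_store, apache/arrow-rs or this repository) of the defensive counterpart: a standard-library-only Rust sanitiser that redacts credential-bearing query parameters from any URL found in a log line, plus a detection pass that reports which lines of an existing log carried such a parameter. `WebIdentityToken` is the real AssumeRoleWithWebIdentity request parameter; the two `X-Amz-*` names are an assumption about other presigned-URL parameters worth covering, and the sample log lines are constructed, with a placeholder token value.

```rust
// Added example, not object_store's code: redact credential-bearing query
// parameters from URLs embedded in log text, and detect lines that had them.

/// Query parameter names whose values must never reach a log sink.
/// `WebIdentityToken` is the AssumeRoleWithWebIdentity request parameter from
/// the advisory; the `X-Amz-*` names are SigV4 presigned-URL parameters added
/// here as an assumption about what else a cloud client might echo.
pub const SENSITIVE_PARAMS: &[&str] =
    &["WebIdentityToken", "X-Amz-Security-Token", "X-Amz-Signature"];

pub const REDACTED: &str = "[REDACTED]";

/// Outcome of scanning one log line.
#[derive(Debug, PartialEq)]
pub struct Scan {
    /// The line with every sensitive parameter value replaced by `[REDACTED]`.
    pub line: String,
    /// Names of the sensitive parameters that were present (empty = clean line).
    pub found: Vec<String>,
}

fn is_sensitive(name: &str) -> bool {
    SENSITIVE_PARAMS.iter().any(|p| p.eq_ignore_ascii_case(name))
}

/// Redact the query string of one URL-like token. Trailing punctuation such as
/// `):` or `"` belongs to the surrounding sentence and is kept outside the query.
fn redact_url(token: &str, found: &mut Vec<String>) -> String {
    let Some((base, query)) = token.split_once('?') else {
        return token.to_string();
    };
    let trail_len = query
        .chars()
        .rev()
        .take_while(|c| "\"')],;:".contains(*c))
        .count(); // ASCII only, so char count == byte count
    let (query, trail) = query.split_at(query.len() - trail_len);
    let params: Vec<String> = query
        .split('&')
        .map(|kv| match kv.split_once('=') {
            Some((k, _)) if is_sensitive(k) => {
                found.push(k.to_string());
                format!("{k}={REDACTED}")
            }
            _ => kv.to_string(),
        })
        .collect();
    format!("{base}?{}{trail}", params.join("&"))
}

/// Sanitise one log line: tokens containing `://` are treated as URLs and passed
/// through `redact_url`; every other token is copied verbatim.
pub fn scan_line(line: &str) -> Scan {
    let mut found = Vec::new();
    let out: Vec<String> = line
        .split(' ')
        .map(|tok| {
            if tok.contains("://") {
                redact_url(tok, &mut found)
            } else {
                tok.to_string()
            }
        })
        .collect();
    Scan { line: out.join(" "), found }
}

/// Detection pass: (1-based line number, leaked parameter names) for every line
/// of `log` that carries a sensitive parameter. Any hit means the token in that
/// line must be treated as exposed until it expires.
pub fn leaking_lines(log: &str) -> Vec<(usize, Vec<String>)> {
    log.lines()
        .enumerate()
        .filter_map(|(i, l)| {
            let scan = scan_line(l);
            if scan.found.is_empty() {
                None
            } else {
                Some((i + 1, scan.found))
            }
        })
        .collect()
}

/// Constructed sample log (not real output): line 1 imitates a retry warning
/// that echoes the STS request URL, line 2 is an ordinary storage request.
/// The token value is a placeholder, not a real JWT.
pub const SAMPLE_LOG: &str = "\
WARN retry: request failed, backing off: error sending request for url (https://sts.amazonaws.com/?Action=AssumeRoleWithWebIdentity&Version=2011-06-15&RoleArn=arn:aws:iam::123456789012:role/demo&WebIdentityToken=eyJhbGciOi.FAKE.TOKEN): connection reset
INFO client: GET https://bucket.s3.us-east-1.amazonaws.com/data/part-0.parquet?list-type=2&prefix=data/ 200 OK";

fn main() {
    for line in SAMPLE_LOG.lines() {
        println!("{}", scan_line(line).line);
    }
    println!("leaks: {:?}", leaking_lines(SAMPLE_LOG));
}
```

The sanitiser is deliberately an allow-nothing filter on a fixed list of parameter names rather than a pattern match on token shapes, so a new credential format that reuses a known parameter name is still caught; the detection function is the piece to run over historical logs when deciding whether tokens have to be considered exposed.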
Release Notes
apache/arrow-rs (object_store): v0.10.2, v0.10.1, v0.10.0, v0.9.1
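The advisory's remediation is to reach object_store 0.10.2 or later, and this PR ended up autoclosed rather than merged, so the PR page alone does not tell you what the lockfile pins. The following is an added example (not code from this repository, Renovate or apache/arrow-rs) of a standard-library-only Rust check that reads a Cargo.lock, finds every `object_store` entry and reports any version below 0.10.2. The Cargo.lock fragment is constructed for the example (with a 0.9.x version matching the "0.9" starting point the PR body gives), not this repository's real lockfile.

```rust
// Added example, not this repository's code: verify from Cargo.lock that no
// object_store entry is pinned below the release that fixes CVE-2024-41178.

/// First release that contains the fix, per the advisory.
pub const FIXED_VERSION: (u64, u64, u64) = (0, 10, 2);

/// One `[[package]]` entry, as far as this check needs it.
#[derive(Debug, PartialEq, Clone)]
pub struct LockedPackage {
    pub name: String,
    pub version: String,
}

/// Parse "MAJOR.MINOR.PATCH" into a tuple that compares lexicographically.
/// Pre-release/build suffixes are ignored and a missing PATCH reads as 0.
pub fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let core = v.split(['-', '+']).next()?;
    let nums = core
        .split('.')
        .map(|p| p.parse::<u64>().ok())
        .collect::<Option<Vec<u64>>>()?;
    match nums.as_slice() {
        [a, b, c] => Some((*a, *b, *c)),
        [a, b] => Some((*a, *b, 0)),
        _ => None,
    }
}

/// Minimal Cargo.lock reader: each `[[package]]` table yields its `name` and
/// `version`. Cargo writes these as plain `key = "value"` lines, which is all
/// this relies on; no TOML crate is needed.
pub fn parse_lockfile(text: &str) -> Vec<LockedPackage> {
    let mut packages = Vec::new();
    let mut name: Option<String> = None;
    let mut version: Option<String> = None;
    for raw in text.lines() {
        let line = raw.trim();
        if line == "[[package]]" {
            // Close the previous table; the top-level `version = 3` line has
            // no name and is dropped here.
            if let (Some(n), Some(v)) = (name.take(), version.take()) {
                packages.push(LockedPackage { name: n, version: v });
            }
        } else if let Some(v) = line.strip_prefix("name = ") {
            name = Some(v.trim_matches('"').to_string());
        } else if let Some(v) = line.strip_prefix("version = ") {
            version = Some(v.trim_matches('"').to_string());
        }
    }
    if let (Some(n), Some(v)) = (name, version) {
        packages.push(LockedPackage { name: n, version: v });
    }
    packages
}

/// Versions of object_store pinned in `lock` that are below `FIXED_VERSION`.
/// A version string that fails to parse is reported too, so it cannot hide.
pub fn vulnerable_object_store(lock: &str) -> Vec<String> {
    parse_lockfile(lock)
        .into_iter()
        .filter(|p| p.name == "object_store")
        .filter(|p| parse_version(&p.version).map_or(true, |v| v < FIXED_VERSION))
        .map(|p| p.version)
        .collect()
}

/// Constructed Cargo.lock fragment (not this repository's real lockfile).
/// The crate versions here are sample values, not a statement about the project.
pub const SAMPLE_LOCK: &str = r#"# This file is automatically @generated by Cargo.
# It is not intended for manual editing.
version = 3

[[package]]
name = "object_store"
version = "0.9.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "bytes",
 "reqwest",
]

[[package]]
name = "reqwest"
version = "0.11.27"
source = "registry+https://github.com/rust-lang/crates.io-index"
"#;

fn main() {
    let bad = vulnerable_object_store(SAMPLE_LOCK);
    if bad.is_empty() {
        println!("object_store is at or above 0.10.2");
    } else {
        println!("object_store still below 0.10.2: {bad:?}");
    }
}
```

Run it against the real lockfile by replacing `SAMPLE_LOCK` with `std::fs::read_to_string("Cargo.lock")`; because a workspace can pin the same crate at several versions, the check reports every offending entry rather than stopping at the first.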
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.