Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(deps): update dependency grafana/agent to v0.41.1 #5211

Merged
merged 1 commit into from
Jun 8, 2024
Merged

chore(deps): update dependency grafana/agent to v0.41.1 #5211

merged 1 commit into from
Jun 8, 2024

Conversation

uniget-bot
Copy link

This PR contains the following updates:

Package Update Change
grafana/agent patch 0.41.0 -> 0.41.1

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

Release Notes

grafana/agent (grafana/agent)

v0.41.1

Compare Source

Breaking changes
  • Applied OpenTelemetry CVE-2024-36129 fixes. (@​mattdurham)
    • Components otelcol.receiver.otlp,otelcol.receiver.zipkin and otelcol.receiver.jaeger setting max_request_body_size
      default changed from unlimited size to 20MiB.
Enhancements
  • Updated pyroscope to v0.4.6 introducing symbols_map_size and pid_map_size configuration. (@​simonswine)

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

nicholasdille-bot
nicholasdille-bot approved these changes Jun 8, 2024
View reviewed changes
Copy link

@nicholasdille-bot nicholasdille-bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Auto-approved because label type/renovate is present.

@github-actions GitHub Actions
Copy link

github-actions bot commented Jun 8, 2024

🔍 Vulnerabilities of ghcr.io/uniget-org/tools/grafana-agent:0.41.1

📦 Image Reference ghcr.io/uniget-org/tools/grafana-agent:0.41.1
digestsha256:858e73c2eb368084d01b2c19c841cd2ba3331ebc3532bc1ebe96b710152dd6a9
vulnerabilitiescritical: 0 high: 2 medium: 3 low: 1 unspecified: 4
platformlinux/amd64
size123 MB
packages611
critical: 0 high: 2 medium: 0 low: 0 github.com/opencontainers/runc 1.1.12 (golang)

pkg:golang/github.com/opencontainers/runc@1.1.12

high 7.2: GHSA--c5pj--mqfh--rvc3 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

Affected range<1.2.0-rc.1
Fixed version1.2.0-rc.1
CVSS Score7.2
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Description

Withdrawn Advisory

This advisory has been withdrawn because it was incorrectly attributed to runc. Please see the issue here for more information.

Original Description

A flaw was found in cri-o, where an arbitrary systemd property can be injected via a Pod annotation. Any user who can create a pod with an arbitrary annotation may perform an arbitrary action on the host system. This issue has its root in how runc handles Config Annotations lists.

high 7.2: CVE--2024--3154 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

Affected range<1.2.0-rc.1
Fixed version1.2.0-rc.1
CVSS Score7.2
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Description

On CRI-O, an arbitrary systemd property can be injected via a Pod annotation:

---
apiVersion: v1
kind: Pod
metadata:
name: poc-arbitrary-systemd-property-injection
annotations:

</blockquote>
</details>
</details></td></tr>

<tr><td valign="top">
<details><summary><img alt="critical: 0" src="https://img.shields.io/badge/C-0-lightgrey"/> <img alt="high: 0" src="https://img.shields.io/badge/H-0-lightgrey"/> <img alt="medium: 1" src="https://img.shields.io/badge/M-1-fbb552"/> <img alt="low: 1" src="https://img.shields.io/badge/L-1-fce1a9"/> <!-- unspecified: 0 --><strong>github.com/aws/aws-sdk-go</strong> <code>1.50.27</code> (golang)</summary>

<small><code>pkg:golang/github.com/aws/aws-sdk-go@1.50.27</code></small><br/>
<a href="https://scout.docker.com/v/CVE-2020-8911?s=golang&n=aws-sdk-go&ns=github.com%2Faws&t=golang&vr=%3E%3D0"><img alt="medium : CVE--2020--8911" src="https://img.shields.io/badge/CVE--2020--8911-lightgrey?label=medium%20&labelColor=fbb552"/></a> 

<table>
<tr><td>Affected range</td><td><code>>=0</code></td></tr>
<tr><td>Fixed version</td><td><strong>Not Fixed</strong></td></tr></table>

<details><summary>Description</summary>
<blockquote>

The Go AWS S3 Crypto SDK contains vulnerabilities that can permit an attacker with write access to a bucket to decrypt files in that bucket.

Files encrypted by the V1 EncryptionClient using either the AES-CBC content cipher or the KMS key wrap algorithm are vulnerable. Users should migrate to the V1 EncryptionClientV2 API, which will not create vulnerable files. Old files will remain vulnerable until re-encrypted with the new client.

</blockquote>
</details>

<a href="https://scout.docker.com/v/CVE-2020-8912?s=golang&n=aws-sdk-go&ns=github.com%2Faws&t=golang&vr=%3E%3D0"><img alt="low : CVE--2020--8912" src="https://img.shields.io/badge/CVE--2020--8912-lightgrey?label=low%20&labelColor=fce1a9"/></a> 

<table>
<tr><td>Affected range</td><td><code>>=0</code></td></tr>
<tr><td>Fixed version</td><td><strong>Not Fixed</strong></td></tr></table>

<details><summary>Description</summary>
<blockquote>

The Go AWS S3 Crypto SDK contains vulnerabilities that can permit an attacker with write access to a bucket to decrypt files in that bucket.

Files encrypted by the V1 EncryptionClient using either the AES-CBC content cipher or the KMS key wrap algorithm are vulnerable. Users should migrate to the V1 EncryptionClientV2 API, which will not create vulnerable files. Old files will remain vulnerable until re-encrypted with the new client.

</blockquote>
</details>
</details></td></tr>

<tr><td valign="top">
<details><summary><img alt="critical: 0" src="https://img.shields.io/badge/C-0-lightgrey"/> <img alt="high: 0" src="https://img.shields.io/badge/H-0-lightgrey"/> <img alt="medium: 1" src="https://img.shields.io/badge/M-1-fbb552"/> <img alt="low: 0" src="https://img.shields.io/badge/L-0-lightgrey"/> <!-- unspecified: 0 --><strong>github.com/grafana/loki</strong> <code>1.6.2-0.20240510183741-cef4c2826b4b</code> (golang)</summary>

<small><code>pkg:golang/github.com/grafana/loki@1.6.2-0.20240510183741-cef4c2826b4b</code></small><br/>
<a href="https://scout.docker.com/v/CVE-2021-36156?s=github&n=loki&ns=github.com%2Fgrafana&t=golang&vr=%3C2.3.0"><img alt="medium 5.3: CVE--2021--36156" src="https://img.shields.io/badge/CVE--2021--36156-lightgrey?label=medium%205.3&labelColor=fbb552"/></a> <i>Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')</i>

<table>
<tr><td>Affected range</td><td><code><2.3.0</code></td></tr>
<tr><td>Fixed version</td><td><code>2.3.0</code></td></tr>
<tr><td>CVSS Score</td><td><code>5.3</code></td></tr>
<tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N</code></td></tr>
</table>

<details><summary>Description</summary>
<blockquote>

An issue was discovered in Grafana Loki through 2.2.1. The header value X-Scope-OrgID is used to construct file paths for rules files, and if crafted to conduct directory traversal such as ae ../../sensitive/path/in/deployment pathname, then Loki will attempt to parse a rules file at that location and include some of the contents in the error message.

</blockquote>
</details>
</details></td></tr>

<tr><td valign="top">
<details><summary><img alt="critical: 0" src="https://img.shields.io/badge/C-0-lightgrey"/> <img alt="high: 0" src="https://img.shields.io/badge/H-0-lightgrey"/> <img alt="medium: 1" src="https://img.shields.io/badge/M-1-fbb552"/> <img alt="low: 0" src="https://img.shields.io/badge/L-0-lightgrey"/> <!-- unspecified: 0 --><strong>github.com/go-resty/resty/v2</strong> <code>2.7.0</code> (golang)</summary>

<small><code>pkg:golang/github.com/go-resty/resty/v2@2.7.0</code></small><br/>
<a href="https://scout.docker.com/v/CVE-2023-45286?s=gitlab&n=v2&ns=github.com%2Fgo-resty%2Fresty&t=golang&vr=%3C%3Dv2.10.0"><img alt="medium 5.9: CVE--2023--45286" src="https://img.shields.io/badge/CVE--2023--45286-lightgrey?label=medium%205.9&labelColor=fbb552"/></a> <i>OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities</i>

<table>
<tr><td>Affected range</td><td><code><=v2.10.0</code></td></tr>
<tr><td>Fixed version</td><td><strong>Not Fixed</strong></td></tr>
<tr><td>CVSS Score</td><td><code>5.9</code></td></tr>
<tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N</code></td></tr>
</table>

<details><summary>Description</summary>
<blockquote>

A race condition in go-resty can result in HTTP request body disclosure across requests. This condition can be triggered by calling sync.Pool.Put with the same *bytes.Buffer more than once, when request retries are enabled and a retry occurs. The call to sync.Pool.Get will then return a bytes.Buffer that hasn't had bytes.Buffer.Reset called on it. This dirty buffer will contain the HTTP request body from an unrelated request, and go-resty will append the current HTTP request body to it, sending two bodies in one request. The sync.Pool in question is defined at package level scope, so a completely unrelated server could receive the request body.

</blockquote>
</details>
</details></td></tr>

<tr><td valign="top">
<details><summary><img alt="critical: 0" src="https://img.shields.io/badge/C-0-lightgrey"/> <img alt="high: 0" src="https://img.shields.io/badge/H-0-lightgrey"/> <img alt="medium: 0" src="https://img.shields.io/badge/M-0-lightgrey"/> <img alt="low: 0" src="https://img.shields.io/badge/L-0-lightgrey"/> <img alt="unspecified: 4" src="https://img.shields.io/badge/U-4-lightgrey"/><strong>stdlib</strong> <code>1.22.1</code> (golang)</summary>

<small><code>pkg:golang/stdlib@1.22.1</code></small><br/>
<a href="https://scout.docker.com/v/CVE-2024-24790?s=golang&n=stdlib&t=golang&vr=%3E%3D1.22.0-0%2C%3C1.22.4"><img alt="unspecified : CVE--2024--24790" src="https://img.shields.io/badge/CVE--2024--24790-lightgrey?label=unspecified%20&labelColor=lightgrey"/></a> 

<table>
<tr><td>Affected range</td><td><code>>=1.22.0-0<br/><1.22.4</code></td></tr>
<tr><td>Fixed version</td><td><code>1.22.4</code></td></tr></table>

<details><summary>Description</summary>
<blockquote>

The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms.

</blockquote>
</details>

<a href="https://scout.docker.com/v/CVE-2024-24789?s=golang&n=stdlib&t=golang&vr=%3E%3D1.22.0-0%2C%3C1.22.4"><img alt="unspecified : CVE--2024--24789" src="https://img.shields.io/badge/CVE--2024--24789-lightgrey?label=unspecified%20&labelColor=lightgrey"/></a> 

<table>
<tr><td>Affected range</td><td><code>>=1.22.0-0<br/><1.22.4</code></td></tr>
<tr><td>Fixed version</td><td><code>1.22.4</code></td></tr></table>

<details><summary>Description</summary>
<blockquote>

The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors.

</blockquote>
</details>

<a href="https://scout.docker.com/v/CVE-2024-24788?s=golang&n=stdlib&t=golang&vr=%3E%3D1.22.0-0%2C%3C1.22.3"><img alt="unspecified : CVE--2024--24788" src="https://img.shields.io/badge/CVE--2024--24788-lightgrey?label=unspecified%20&labelColor=lightgrey"/></a> 

<table>
<tr><td>Affected range</td><td><code>>=1.22.0-0<br/><1.22.3</code></td></tr>
<tr><td>Fixed version</td><td><code>1.22.3</code></td></tr></table>

<details><summary>Description</summary>
<blockquote>

A malformed DNS message in response to a query can cause the Lookup functions to get stuck in an infinite loop.

</blockquote>
</details>

<a href="https://scout.docker.com/v/CVE-2023-45288?s=golang&n=stdlib&t=golang&vr=%3E%3D1.22.0-0%2C%3C1.22.2"><img alt="unspecified : CVE--2023--45288" src="https://img.shields.io/badge/CVE--2023--45288-lightgrey?label=unspecified%20&labelColor=lightgrey"/></a> 

<table>
<tr><td>Affected range</td><td><code>>=1.22.0-0<br/><1.22.2</code></td></tr>
<tr><td>Fixed version</td><td><code>1.22.2</code></td></tr></table>

<details><summary>Description</summary>
<blockquote>

An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames.

Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed.

This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send.

The fix sets a limit on the amount of excess header frames we will process before closing a connection.

</blockquote>
</details>
</details></td></tr>
</table>

@github-actions GitHub Actions
Copy link

github-actions bot commented Jun 8, 2024

Attempting automerge. See https://github.com/uniget-org/tools/actions/runs/9425192526.

@github-actions GitHub Actions
Copy link

github-actions bot commented Jun 8, 2024

PR is clean and can be merged. See https://github.com/uniget-org/tools/actions/runs/9425192526.

@github-actions github-actions bot merged commit fe11ffc into main Jun 8, 2024
9 checks passed
@github-actions github-actions bot deleted the renovate/grafana-agent-0.41.x branch June 8, 2024 01:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nicholasdille-bot nicholasdille-bot nicholasdille-bot approved these changes

Assignees
No one assigned
Labels
bump/patch type/renovate
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@uniget-bot @nicholasdille-bot @renovate-bot