Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(deps): update dependency cri-o/cri-o to v1.31.2 #8113

Merged
merged 1 commit into from
Nov 4, 2024
Merged

chore(deps): update dependency cri-o/cri-o to v1.31.2 #8113

merged 1 commit into from
Nov 4, 2024

Conversation

uniget-bot
Copy link

This PR contains the following updates:

Package Update Change
cri-o/cri-o patch 1.31.1 -> 1.31.2

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

Release Notes

cri-o/cri-o (cri-o/cri-o)

v1.31.2

Compare Source

CRI-O v1.31.2

The release notes have been generated for the commit range
v1.31.1...v1.31.2 on Sat, 02 Nov 2024 00:21:02 UTC.

Downloads

Download one of our static release bundles via our Google Cloud Bucket:

To verify the artifact signatures via cosign, run:

> export COSIGN_EXPERIMENTAL=1
> cosign verify-blob cri-o.amd64.v1.31.2.tar.gz \
    --certificate-identity https://github.com/cri-o/cri-o/.github/workflows/test.yml@refs/tags/v1.31.2 \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-github-workflow-repository cri-o/cri-o \
    --certificate-github-workflow-ref refs/tags/v1.31.2 \
    --signature cri-o.amd64.v1.31.2.tar.gz.sig \
    --certificate cri-o.amd64.v1.31.2.tar.gz.cert

To verify the bill of materials (SBOM) in SPDX format using the bom tool, run:

> tar xfz cri-o.amd64.v1.31.2.tar.gz
> bom validate -e cri-o.amd64.v1.31.2.tar.gz.spdx -d cri-o

Changelog since v1.31.1

Changes by Kind
Uncategorized

Dependencies

Added

Nothing has changed.

Changed
Removed

Nothing has changed.

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

nicholasdille-bot
nicholasdille-bot approved these changes Nov 2, 2024
View reviewed changes
Copy link

@nicholasdille-bot nicholasdille-bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Auto-approved because label type/renovate is present.

@github-actions GitHub Actions
Copy link

github-actions bot commented Nov 4, 2024

🔍 Vulnerabilities of ghcr.io/uniget-org/tools/cri-o:1.31.2

📦 Image Reference ghcr.io/uniget-org/tools/cri-o:1.31.2
digestsha256:da90dc1c876eaf1a3407050168fc0ef334dc8818c701a218e0343389ca88bd40
vulnerabilitiescritical: 0 high: 4 medium: 2 low: 0 unspecified: 1
platformlinux/amd64
size19 MB
packages192
critical: 0 high: 3 medium: 0 low: 0 unspecified: 1stdlib 1.22.5 (golang)

pkg:golang/stdlib@1.22.5

high : CVE--2024--34158

Affected range<1.22.7
Fixed version1.22.7
Description

Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

high : CVE--2024--34156

Affected range<1.22.7
Fixed version1.22.7
Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

high : CVE--2022--30635

Affected range<1.22.7
Fixed version1.22.7
Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

unspecified : CVE--2024--34155

Affected range<1.22.7
Fixed version1.22.7
Description

Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.

critical: 0 high: 1 medium: 0 low: 0 github.com/opencontainers/runc 1.1.14 (golang)

pkg:golang/github.com/opencontainers/runc@1.1.14

high 7.2: GHSA--c5pj--mqfh--rvc3 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

Affected range<1.2.0-rc.1
Fixed version1.2.0-rc.1
CVSS Score7.2
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Description

Withdrawn Advisory

This advisory has been withdrawn because it was incorrectly attributed to runc. Please see the issue here for more information.

Original Description

A flaw was found in cri-o, where an arbitrary systemd property can be injected via a Pod annotation. Any user who can create a pod with an arbitrary annotation may perform an arbitrary action on the host system. This issue has its root in how runc handles Config Annotations lists.

critical: 0 high: 0 medium: 1 low: 0 k8s.io/apiserver 0.31.0 (golang)

pkg:golang/k8s.io/apiserver@0.31.0

medium 4.3: CVE--2020--8552 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

Affected range<1.15.10
Fixed version1.15.10, 1.16.7, 1.17.3
CVSS Score4.3
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Description

The Kubernetes API server component has been found to be vulnerable to a denial of service attack via successful API requests.

critical: 0 high: 0 medium: 1 low: 0 github.com/containers/common 0.60.3-0.20241001153533-18930ed8933b (golang)

pkg:golang/github.com/containers/common@0.60.3-0.20241001153533-18930ed8933b

medium 5.4: CVE--2024--9341 Improper Link Resolution Before File Access ('Link Following')

Affected range<0.60.4
Fixed version0.60.4
CVSS Score5.4
CVSS VectorCVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
Description

A flaw was found in Go. When FIPS mode is enabled on a system, container runtimes may incorrectly handle certain file paths due to improper validation in the containers/common Go library. This flaw allows an attacker to exploit symbolic links and trick the system into mounting sensitive host directories inside a container. This issue also allows attackers to access critical host files, bypassing the intended isolation between containers and the host system.

@github-actions GitHub Actions
Copy link

github-actions bot commented Nov 4, 2024

Attempting automerge. See https://github.com/uniget-org/tools/actions/runs/11660465186.

@github-actions GitHub Actions
Copy link

github-actions bot commented Nov 4, 2024

PR is clean and can be merged. See https://github.com/uniget-org/tools/actions/runs/11660465186.

@github-actions github-actions bot merged commit 3648797 into main Nov 4, 2024
14 of 15 checks passed
@github-actions github-actions bot deleted the renovate/cri-o-cri-o-1.31.x branch November 4, 2024 08:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nicholasdille-bot nicholasdille-bot nicholasdille-bot approved these changes

Assignees
No one assigned
Labels
bump/patch type/renovate
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@uniget-bot @nicholasdille-bot @renovate-bot