New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
chore(deps): update dependency getporter/porter to v1.0.17 #3851
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Auto-approved because label type/renovate is present.
🔍 Vulnerabilities of
|
digest | sha256:8dca35eee3847b4353a7b873eac286ef9fbba53d69cb6e273159e2ddc0494a95 |
vulnerabilities | |
platform | linux/amd64 |
size | 20 MB |
packages | 206 |
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc
|
Affected range | <0.46.0 |
Fixed version | 0.46.0 |
CVSS Score | 7.5 |
CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Description
Summary
The grpc Unary Server Interceptor opentelemetry-go-contrib/instrumentation/google.golang.org/grpc/otelgrpc/interceptor.go
// UnaryServerInterceptor returns a grpc.UnaryServerInterceptor suitable // for use in a grpc.NewServer call. func UnaryServerInterceptor(opts ...Option) grpc.UnaryServerInterceptor {
out of the box adds labels
net.peer.sock.addr
net.peer.sock.port
that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent.
Details
An attacker can easily flood the peer address and port for requests.
PoC
Apply the attached patch to the example and run the client multiple times. Observe how each request will create a unique histogram and how the memory consumption increases during it.
Impact
In order to be affected, the program has to configure a metrics pipeline, use UnaryServerInterceptor, and does not filter any client IP address and ports via middleware or proxies, etc.
Others
It is similar to already reported vulnerabilities.
- GHSA-5r5m-65gx-7vrh (open-telemetry/opentelemetry-go-contrib)
- GHSA-cg3q-j54f-5p7p (prometheus/client_golang)
Workaround for affected versions
As a workaround to stop being affected, a view removing the attributes can be used.
The other possibility is to disable grpc metrics instrumentation by passing
otelgrpc.WithMeterProvider
option withnoop.NewMeterProvider
.Solution provided by upgrading
In PR #4322, to be released with v0.46.0, the attributes were removed.
References
stdlib 1.21.3
(golang)
Affected range | >=1.21.0-0 |
Fixed version | 1.21.4 |
Description
On Windows, The IsLocal function does not correctly detect reserved device names in some cases.
Reserved names followed by spaces, such as "COM1 ", and reserved names "COM" and "LPT" followed by superscript 1, 2, or 3, are incorrectly reported as local.
With fix, IsLocal now correctly reports these names as non-local.
Affected range | >=1.21.0-0 |
Fixed version | 1.21.5 |
Description
A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body.
A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a handler fails to read the entire body of a request.
Chunk extensions are a little-used HTTP feature which permit including additional metadata in a request or response body sent using the chunked encoding. The net/http chunked encoding reader discards this metadata. A sender can exploit this by inserting a large metadata segment with each byte transferred. The chunk reader now produces an error if the ratio of real body to encoded bytes grows too small.
github.com/docker/docker 24.0.5-0.20230714235725-36e9e796c6fc+incompatible
(golang)
pkg:golang/github.com/docker/docker@24.0.5-0.20230714235725-36e9e796c6fc+incompatible
Insufficient Verification of Data Authenticity
Affected range | <24.0.9 |
Fixed version | 24.0.9 |
CVSS Score | 6.9 |
CVSS Vector | CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:L |
Description
The classic builder cache system is prone to cache poisoning if the image is built
FROM scratch
.
Also, changes to some instructions (most important beingHEALTHCHECK
andONBUILD
) would not cause a cache miss.An attacker with the knowledge of the Dockerfile someone is using could poison their cache by making them pull a specially crafted image that would be considered as a valid cache candidate for some build steps.
For example, an attacker could create an image that is considered as a valid cache candidate for:
FROM scratch MAINTAINER Pawel
when in fact the malicious image used as a cache would be an image built from a different Dockerfile.
In the second case, the attacker could for example substitute a different
HEALTCHECK
command.Impact
23.0+ users are only affected if they explicitly opted out of Buildkit (
DOCKER_BUILDKIT=0
environment variable) or are using the/build
API endpoint (which uses the classic builder by default).All users on versions older than 23.0 could be impacted. An example could be a CI with a shared cache, or just a regular Docker user pulling a malicious image due to misspelling/typosquatting.
Image build API endpoint (
/build
) andImageBuild
function fromgithub.com/docker/docker/client
is also affected as it the uses classic builder by default.Patches
Patches are included in Moby releases:
- v25.0.2
- v24.0.9
Workarounds
- Use
--no-cache
or use Buildkit if possible (DOCKER_BUILDKIT=1
, it's default on 23.0+ assuming that the buildx plugin is installed).- Use
Version = types.BuilderBuildKit
orNoCache = true
inImageBuildOptions
forImageBuild
call.
google.golang.org/protobuf 1.31.0
(golang)
pkg:golang/google.golang.org/protobuf@1.31.0
Loop with Unreachable Exit Condition ('Infinite Loop')
Affected range | <1.33.0 |
Fixed version | 1.33.0 |
Description
The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.
Attempting automerge. See https://github.com/uniget-org/tools/actions/runs/8445243002. |
PR is clean and can be merged. See https://github.com/uniget-org/tools/actions/runs/8445243002. |
This PR contains the following updates:
1.0.16
->1.0.17
Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
Release Notes
getporter/porter (getporter/porter)
v1.0.17
Compare Source
What's Changed
New Contributors
Full Changelog: getporter/porter@v1.0.16...v1.0.17
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.