8000
chore(deps): update dependency argoproj/argo-cd to v3.0.3 by uniget-bot · Pull Request #12435 · uniget-org/tools · GitHub
More Web Proxy on the site http://driver.im/
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
All Argo CD container images are signed by cosign. A Provenance is generated for container images and CLI binaries which meet the SLSA Level 3 specifications. See the documentation on how to verify.
Release Notes Blog Post
For a detailed breakdown of the key changes and improvements in this release, check out the official blog post
Upgrading
If upgrading from a different minor version, be sure to read the upgrading documentation.
The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.
github.com/expr-lang/expr1.16.9 (golang)
pkg:golang/github.com/expr-lang/expr@1.16.9
Allocation of Resources Without Limits or Throttling
Affected range
<1.17.0
Fixed version
1.17.0
CVSS Score
7.5
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Description
Impact
If the Expr expression parser is given an unbounded input string, it will attempt to compile the entire string and generate an Abstract Syntax Tree (AST) node for each part of the expression. In scenarios where input size isn’t limited, a malicious or inadvertent extremely large expression can consume excessive memory as the parser builds a huge AST. This can ultimately lead to excessive memory usage and an Out-Of-Memory (OOM) crash of the process. This issue is relatively uncommon and will only manifest when there are no restrictions on the input size, i.e. the expression length is allowed to grow arbitrarily large. In typical use cases where inputs are bounded or validated, this problem would not occur.
Patches
The problem has been patched in the latest versions of the Expr library. The fix introduces compile-time limits on the number of AST nodes and memory usage during parsing, preventing any single expression from exhausting resources. Users should upgrade to Expr version 1.17.0 or later, as this release includes the new node budget and memory limit safeguards. Upgrading to v1.17.0 ensures that extremely deep or large expressions are detected and safely aborted during compilation, avoiding the OOM condition.
Workarounds
For users who cannot immediately upgrade, the recommended workaround is to impose an input size restriction before parsing. In practice, this means validating or limiting the length of expression strings that your application will accept. For example, set a maximum allowable number of characters (or nodes) for any expression and reject or truncate inputs that exceed this limit. By ensuring no unbounded-length expression is ever fed into the parser, you can prevent the parser from constructing a pathologically large AST and avoid potential memory exhaustion. In short, pre-validate and cap input size as a safeguard in the absence of the patch.
A padding oracle vulnerability exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. The SDK allows users to encrypt files with AES-CBC without computing a Message Authentication Code (MAC), which then allows an attacker who has write access to the target's S3 bucket and can observe whether or not an endpoint with access to the key can decrypt a file, they can reconstruct the plaintext with (on average) 128*length (plaintext) queries to the endpoint, by exploiting CBC's ability to manipulate the bytes of the next block and PKCS5 padding errors. It is recommended to update your SDK to V2 or later, and re-encrypt your files.
Affected range
>=0
Fixed version
Not Fixed
Description
A vulnerability in the in-band key negotiation exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. An attacker with write access to the targeted bucket can change the encryption algorithm of an object in the bucket, which can then allow them to change AES-GCM to AES-CTR. Using this in combination with a decryption oracle can reveal the authentication key used by AES-GCM as decrypting the GMAC tag leaves the authentication key recoverable as an algebraic equation. It is recommended to update your SDK to V2 or later, and re-encrypt your files.
A vulnerability was discovered in Argo CD that exposed secret values in error messages and the diff view when an invalid Kubernetes Secret resource was synced from a repository.
The vulnerability assumes the user has write access to the repository and can exploit it, either intentionally or unintentionally, by committing an invalid Secret to repository and triggering a Sync. Once exploited, any user with read access to Argo CD can view the exposed secret data.
Patches
A patch for this vulnerability is available in the following Argo CD versions:
A security vulnerability was discovered in Kubernetes that could allow a user with create pod permission to exploit gitRepo volumes to access local git repositories belonging to other pods on the same node. This CVE only affects Kubernetes clusters that utilize the in-tree gitRepo volume to clone git repositories from other pods within the same node. Since the in-tree gitRepo volume feature has been deprecated and will not receive security updates upstream, any cluster still using this feature remains vulnerable.
k8s.io/apiserver0.32.2 (golang)
pkg:golang/k8s.io/apiserver@0.32.2
OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
Affected range
<1.15.10
Fixed version
1.15.10, 1.16.7, 1.17.3
CVSS Score
4.3
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Description
The Kubernetes API server component has been found to be vulnerable to a denial of service attack via successful API requests.
github.com/redis/go-redis/v99.7.1 (golang)
pkg:golang/github.com/redis/go-redis/v9@9.7.1
Improper Input Validation
Affected range
>=9.7.0-beta.1 <9.7.3
Fixed version
9.7.3
CVSS Score
3.7
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Description
Impact
The issue only occurs when the CLIENT SETINFO command times out during connection establishment. The following circumstances can cause such a timeout:
The client is configured to transmit its identity. This can be disabled via the DisableIndentity flag.
There are network connectivity issues
The client was configured with aggressive timeouts
The impact differs by use case:
Sticky connections: Rather than using a connection from the pool on-demand, the caller can stick with a connection. Then you receive persistent out-of-order responses for the lifetime of the connection.
Pipelines: All commands in the pipeline receive incorrect responses.
Default connection pool usage without pipelining: When used with the default ConnPool once a connection is returned after use with ConnPool#Put the read buffer will be checked and the connection will be marked as bad due to the unread data. This means that at most one out-of-order response before the connection is discarded.
Patches
We prepared a fix in redis/go-redis#3295 and plan to release patch versions soon.
Workarounds
You can prevent the vulnerability by setting the flag DisableIndentity (BTW: We also need to fix the spelling.) to true when constructing the client instance.
Credit
Akhass Wasti
Ramin Ghorashi
Anton Amlinger
Syed Rahman
Mahesh Venkateswaran
Sergey Zavoloka
Aditya Adarwal
Abdulla Anam
Abd-Alhameed
Alex Vanlint
Gaurav Choudhary
Vedanta Jha
Yll Kelani
Ryan Picard
Add this suggestio
312A
n to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
3.0.2->3.0.3Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
Release Notes
argoproj/argo-cd (argoproj/argo-cd)
v3.0.3Compare Source
Quick Start
Non-HA:
HA:
Release Signatures and Provenance
All Argo CD container images are signed by cosign. A Provenance is generated for container images and CLI binaries which meet the SLSA Level 3 specifications. See the documentation on how to verify.
Release Notes Blog Post
For a detailed breakdown of the key changes and improvements in this release, check out the official blog post
Upgrading
If upgrading from a different minor version, be sure to read the upgrading documentation.
Changelog
Bug fixes
af3d926: fix: Account for batch event processing in e2e tests (cherry-pick #22356) (#23070) (@gcp-cherry-pick-bot[bot])ddd6df5: fix: infinite reconciliation loop when app is in error (#23067) (@agaudreault)927ed35: fix: remove defaultspec.preserveUnknownFieldsignoreDifference for CRD (cherry-pick #22948) (#23044) (@gcp-cherry-pick-bot[bot])Documentation
b1cafa9: docs: fix jsonpath in 2.14-3.0 upgrade doc (cherry-pick #23045) (#23046) (@gcp-cherry-pick-bot[bot])Other work
866db14: chore: bump gitops-engine ssd fix (#23071) (@pjiang-dev)Full Changelog: argoproj/argo-cd@v3.0.2...v3.0.3
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.