fix(deps): update module github.com/crossplane/crossplane-runtime to v0.19.2 [security] - autoclosed #70
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![renovate[bot]](https://avatars.githubusercontent.com/in/2740?s=60&v=4){kind=small}
…v0.19.2 [security] Signed-off-by: Renovate Bot <bot@renovateapp.com>
renovate
bot
changed the title
renovate
bot
deleted the
renovate/go-git.luolix.top/crossplane/crossplane-runtime-vulnerability
branch
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
v0.18.0->v0.19.2GitHub Vulnerability Alerts
CVE-2023-27483
Summary
Fuzz testing on
crossplane/crossplane, by Ada Logics and sponsored by the CNCF, identified input to a function in thefieldpathpackage that can cause an out of memory panic. Applications that use thePavedtype'sSetValuemethod with user provided input without proper validation might use excessive amounts of memory and cause an out of memory panic.Details
In the
fieldpathpackage, theSetValuemethod of thePavedtype sets a value on the inner object according to the provided path, without validating it first. This allows setting values in slices at any specific index and the code will grow the target array up to the required size. The index is currently capped at max uint32 (4294967295) given how indexes are parsed, but that is still an unnecessarily large value.Workaround
Users can parse and validate the path before passing it to the
SetValuemethod of thePavedtype, constraining the index size as deemed appropriate.Credits
Disclosed by Ada Logics in a fuzzing audit sponsored by CNCF.
Release Notes
crossplane/crossplane-runtime (github.com/crossplane/crossplane-runtime)
v0.19.2Compare Source
Security
Addresses a vulnerability in the
fieldpathpackage.What's Changed
Full Changelog: crossplane/crossplane-runtime@v0.19.1...v0.19.2
v0.19.1Compare Source
v0.19.0Compare Source
What's Changed
New Contributors
Full Changelog: crossplane/crossplane-runtime@v0.18.0...v0.19.0
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.