[Security] Bump gopkg.in/yaml.v2 from 2.2.2 to 2.2.8 #13

Merged
argoyle merged 1 commits from dependabot-go_modules-gopkg.in-yaml.v2-2.2.8 into master 2023-05-09 05:39:59 +00:00
argoyle commented 2023-05-08 18:37:49 +00:00 (Migrated from gitlab.com)

Bumps gopkg.in/yaml.v2 from 2.2.2 to 2.2.8. This update includes security fixes.

Vulnerabilities fixed

Excessive Platform Resource Consumption within a Loop in Kubernetes
The Kubernetes API Server component in versions 1.1-1.14, and versions prior to 1.15.10, 1.16.7 and 1.17.3 allows an authorized user who sends malicious YAML payloads to cause the kube-apiserver to consume excessive CPU cycles while parsing YAML.

Patched versions: 2.2.8
Affected versions: < 2.2.8

YAML Go package vulnerable to denial of service
Due to unbounded alias chasing, a maliciously crafted YAML file can cause the system to consume significant system resources. If parsing user input, this may be used as a denial of service vector.

Patched versions: 2.2.3
Affected versions: < 2.2.3

yaml package for Go can consume excessive amounts of CPU or memory
Parsing malicious or large YAML documents can consume excessive amounts of CPU or memory.

Patched versions: 2.2.4
Affected versions: < 2.2.4



Dependabot commands
You can trigger Dependabot actions by commenting on this MR
  • $dependabot rebase will rebase this MR
  • $dependabot recreate will recreate this MR rewriting all the manual changes and resolving conflicts
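The three advisories above all come down to the same failure mode: the decoder does unbounded work (alias chasing, or simply a very large document) on bytes it has not yet validated. Upgrading to 2.2.8 is the fix; the program below is an added illustration of the defense-in-depth check a service that accepts YAML from users can run before the bytes reach the decoder. It is not code from this merge request or from the yaml.v2 project, it uses only the Go standard library, and the names (CheckYAML, CountAnchorsAndAliases), the limits and the two sample documents are assumptions constructed for the example. The scan is a heuristic, not a YAML tokenizer: it strips comments but does not understand quoted scalars, so text containing "&" or "*" can be over-counted, which for a guard that errs toward rejection is the acceptable side to be wrong on.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Limits enforced before decoding. These values are assumptions chosen for
// the example; tune them to the documents your service legitimately accepts.
const (
	MaxYAMLBytes   = 1 << 20 // 1 MiB of input
	MaxAnchorCount = 100     // "&name" definitions per document
	MaxAliasCount  = 100     // "*name" references per document
)

var (
	ErrTooLarge       = errors.New("yaml document exceeds size limit")
	ErrTooManyAnchors = errors.New("yaml document defines too many anchors")
	ErrTooManyAliases = errors.New("yaml document contains too many aliases")
)

// An anchor or alias token is "&name" / "*name" at line start or after
// whitespace or a flow-collection delimiter ("[", "{", ",").
var (
	anchorRe = regexp.MustCompile(`(?:^|[\s\[{,])&[A-Za-z0-9_.-]+`)
	aliasRe  = regexp.MustCompile(`(?:^|[\s\[{,])\*[A-Za-z0-9_.-]+`)
)

// stripComment drops a trailing YAML comment ("#" at line start or after
// whitespace) so that "*" or "&" inside comments is not counted.
func stripComment(line string) string {
	if strings.HasPrefix(strings.TrimLeft(line, " \t"), "#") {
		return ""
	}
	if i := strings.Index(line, " #"); i >= 0 {
		return line[:i]
	}
	if i := strings.Index(line, "\t#"); i >= 0 {
		return line[:i]
	}
	return line
}

// CountAnchorsAndAliases returns the number of anchor definitions and alias
// references found by the heuristic scan.
func CountAnchorsAndAliases(doc string) (anchors, aliases int) {
	for _, line := range strings.Split(doc, "\n") {
		line = stripComment(line)
		anchors += len(anchorRe.FindAllStringIndex(line, -1))
		aliases += len(aliasRe.FindAllStringIndex(line, -1))
	}
	return anchors, aliases
}

// CheckYAML rejects a document that exceeds the size or alias limits.
// The size check runs first so the scan itself is bounded.
func CheckYAML(doc []byte) error {
	if len(doc) > MaxYAMLBytes {
		return ErrTooLarge
	}
	anchors, aliases := CountAnchorsAndAliases(string(doc))
	if anchors > MaxAnchorCount {
		return ErrTooManyAnchors
	}
	if aliases > MaxAliasCount {
		return ErrTooManyAliases
	}
	return nil
}

// BenignDoc is a constructed, ordinary use of anchors: one anchor, two aliases.
const BenignDoc = `defaults: &defaults
  adapter: postgres
  host: localhost
development:
  <<: *defaults
  database: dev
test:
  <<: *defaults   # a comment mentioning *notanalias is ignored
  database: test
`

// ManyAliasesDoc builds a constructed document whose alias count is twice
// the limit; it is small on the wire, which is exactly why a byte limit
// alone is not enough.
func ManyAliasesDoc() string {
	return "a: &a [1, 2]\nb: [" + strings.Repeat("*a, ", MaxAliasCount*2) + "]\n"
}

func main() {
	for name, doc := range map[string]string{"benign": BenignDoc, "many-aliases": ManyAliasesDoc()} {
		a, al := CountAnchorsAndAliases(doc)
		fmt.Printf("%-12s anchors=%d aliases=%d check=%v\n", name, a, al, CheckYAML([]byte(doc)))
	}
}
```

The guard runs in linear time over the input and never hands the decoder more than MaxYAMLBytes, so the worst case it allows through is bounded by whatever the patched decoder does with a document of that size and at most MaxAliasCount references.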
argoyle commented 2023-05-08 18:37:51 +00:00 (Migrated from gitlab.com)

added 1 commit

  • bd895ef7 - [Security] Bump gopkg.in/yaml.v2 from 2.2.2 to 2.2.8

Compare with previous version

argoyle commented 2023-05-09 05:33:54 +00:00 (Migrated from gitlab.com)

added 4 commits

  • bd895ef7...8e9a06fb - 3 commits from branch master
  • 121276f6 - [Security] Bump gopkg.in/yaml.v2 from 2.2.2 to 2.2.8

Compare with previous version

argoyle (Migrated from gitlab.com) scheduled this pull request to auto merge when all checks succeed 2023-05-09 05:34:23 +00:00
argoyle (Migrated from gitlab.com) merged commit into master 2023-05-09 05:39:59 +00:00