[Security] Bump gopkg.in/yaml.v2 from 2.2.2 to 2.2.8 #15

Closed
argoyle wants to merge 0 commits from dependabot-go_modules-gopkg.in-yaml.v2-2.2.8 into master
argoyle commented 2023-05-09 05:40:21 +00:00 (Migrated from gitlab.com)

Bumps gopkg.in/yaml.v2 from 2.2.2 to 2.2.8. This update includes security fixes.

Vulnerabilities fixed

Excessive Platform Resource Consumption within a Loop in Kubernetes
The Kubernetes API Server component in versions 1.1-1.14, and versions prior to 1.15.10, 1.16.7 and 1.17.3 allows an authorized user who sends malicious YAML payloads to cause the kube-apiserver to consume excessive CPU cycles while parsing YAML.

Patched versions: 2.2.8
Affected versions: < 2.2.8

YAML Go package vulnerable to denial of service
Due to unbounded alias chasing, a maliciously crafted YAML file can cause the system to consume significant system resources. If parsing user input, this may be used as a denial of service vector.

Patched versions: 2.2.3
Affected versions: < 2.2.3

yaml package for Go can consume excessive amounts of CPU or memory
Parsing malicious or large YAML documents can consume excessive amounts of CPU or memory.

Patched versions: 2.2.4
Affected versions: < 2.2.4



Dependabot commands
You can trigger Dependabot actions by commenting on this MR
  • $dependabot rebase will rebase this MR
  • $dependabot recreate will recreate this MR rewriting all the manual changes and resolving conflicts
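The advisories above describe one attack class: a document whose anchors and aliases expand to far more nodes than its byte size suggests ("unbounded alias chasing"). The example below is added here and is not code from the Dependabot MR or from the yaml.v2 project. It is a standard-library-only Go guard that a service parsing untrusted YAML can run before handing bytes to any decoder: it caps the input size and estimates how many nodes alias expansion would produce from a constructed "billion laughs" style payload. The names `GuardedRead`, `aliasExpansionCost`, the thresholds, and the sample documents are assumptions made for illustration. The estimator is deliberately simple: it only understands anchors declared on a single line and treats every `*name` token as an alias, so a string containing `*` over-counts. yaml.v2 2.2.3 and later perform their own alias accounting during decoding; this is a layered check in front of that, not a replacement for the upgrade.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"io"
	"regexp"
	"strings"
)

// Constructed "billion laughs" style YAML (assumed sample input, not from the
// advisory). Each anchor references the previous one nine times, so the fully
// expanded document grows by roughly 9x per line while the source stays small.
const billionLaughs = `a: &a ["lol","lol","lol","lol","lol","lol","lol","lol","lol"]
b: &b [*a,*a,*a,*a,*a,*a,*a,*a,*a]
c: &c [*b,*b,*b,*b,*b,*b,*b,*b,*b]
d: &d [*c,*c,*c,*c,*c,*c,*c,*c,*c]
e: &e [*d,*d,*d,*d,*d,*d,*d,*d,*d]
f: &f [*e,*e,*e,*e,*e,*e,*e,*e,*e]
g: &g [*f,*f,*f,*f,*f,*f,*f,*f,*f]
h: &h [*g,*g,*g,*g,*g,*g,*g,*g,*g]
i: &i [*h,*h,*h,*h,*h,*h,*h,*h,*h]
`

var (
	// Hypothetical error values; names are this example's own.
	ErrExcessiveAliasing = errors.New("yaml guard: estimated alias expansion exceeds limit")
	ErrTooLarge          = errors.New("yaml guard: document exceeds size limit")

	anchorRe = regexp.MustCompile(`&([A-Za-z0-9_-]+)`)
	aliasRe  = regexp.MustCompile(`\*([A-Za-z0-9_-]+)`)
)

// aliasExpansionCost estimates the number of nodes that alias expansion would
// materialise. Heuristic: an anchor's weight is 1 plus the weights of all
// aliases on the line where it is declared; an alias to an unknown anchor
// counts as 1. The returned total is the sum of the weights of every alias
// occurrence, i.e. the extra work a naive expanding decoder would do.
func aliasExpansionCost(doc string) int {
	weights := map[string]int{}
	total := 0
	sc := bufio.NewScanner(strings.NewReader(doc))
	for sc.Scan() {
		line := sc.Text()
		lineCost := 0
		for _, m := range aliasRe.FindAllStringSubmatch(line, -1) {
			w, ok := weights[m[1]]
			if !ok {
				w = 1
			}
			lineCost += w
		}
		total += lineCost
		if m := anchorRe.FindStringSubmatch(line); m != nil {
			weights[m[1]] = 1 + lineCost
		}
	}
	return total
}

// GuardedRead reads at most maxBytes from r and rejects documents whose
// estimated alias expansion exceeds maxExpansion. On success it returns the
// raw bytes, which the caller then passes to the real YAML decoder.
func GuardedRead(r io.Reader, maxBytes int64, maxExpansion int) ([]byte, error) {
	// Read one byte past the limit so an over-long input is detected
	// without buffering it in full.
	buf, err := io.ReadAll(io.LimitReader(r, maxBytes+1))
	if err != nil {
		return nil, err
	}
	if int64(len(buf)) > maxBytes {
		return nil, ErrTooLarge
	}
	if cost := aliasExpansionCost(string(buf)); cost > maxExpansion {
		return nil, fmt.Errorf("%w: estimated %d nodes", ErrExcessiveAliasing, cost)
	}
	return buf, nil
}

func main() {
	benign := "name: app\nreplicas: 3\n" // constructed benign document
	for _, doc := range []string{benign, billionLaughs} {
		_, err := GuardedRead(strings.NewReader(doc), 1<<20, 100000)
		fmt.Printf("%4d bytes, estimated cost %d, err=%v\n",
			len(doc), aliasExpansionCost(doc), err)
	}
}
```

The nine-line payload is well under a kilobyte yet the estimator reports tens of millions of nodes, which is why a byte-size limit alone is not a sufficient defence against this class. After merging, confirm the resolved version with `go list -m gopkg.in/yaml.v2` so that a replace directive or another module's requirement has not pinned an older release.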
argoyle commented 2023-05-09 05:45:59 +00:00 (Migrated from gitlab.com)

added 1 commit

  • 121276f6 - 1 commit from branch `master`

[Compare with previous version](/unboundsoftware/default-request-adder/-/merge_requests/12/diffs?diff_id=675558194&start_sha=a43a5eb2b5aca4617ee62ddb6718baa866ce1f9d)
argoyle (Migrated from gitlab.com) closed this pull request 2023-05-09 05:46:03 +00:00
argoyle commented 2023-05-09 05:46:05 +00:00 (Migrated from gitlab.com)

Dependabot won't notify anymore about this release, but will get in touch when a new version is available. You can also ignore all major, minor, or patch releases for a dependency by adding an [`ignore` condition](https://docs.github.com/en/code-security/supply-chain-security/configuration-options-for-dependency-updates#ignore) with the desired `update_types` to your config file.

Pull request closed
