[Security] Bump k8s.io/client-go from 0.15.7 to 0.20.0 #16

Merged
argoyle merged 1 commit from dependabot-go_modules-k8s.io-client-go-0.20.0 into master 2023-05-10 06:16:04 +00:00
argoyle commented 2023-05-09 15:13:35 +00:00 (Migrated from gitlab.com)

Bumps k8s.io/client-go from 0.15.7 to 0.20.0. This update includes security fixes.

Vulnerabilities fixed

Sensitive Information leak via Log File in Kubernetes In Kubernetes, if the logging level is set to at least 9, authorization and bearer tokens will be written to log files. This can occur both in API server logs and client tool output like kubectl. This affects <= v1.19.3, <= v1.18.10, <= v1.17.13, < v1.20.0-alpha2.

Patched versions: 0.20.0-alpha.2
Affected versions: < 0.20.0-alpha.2

Kubernetes client-go library logs may disclose credentials to unauthorized users The Kubernetes client-go library logs request headers at verbosity levels of 7 or higher. This can disclose credentials to unauthorized users via logs or command output. Kubernetes components (such as kube-apiserver) prior to v1.16.0, which make use of basic or bearer token authentication, and run at high verbosity levels, are affected.

Patched versions: 0.17.0
Affected versions: < 0.17.0

Commits
  • afa3b34 Update dependencies to v0.20.0 tag
  • fb61a7c Merge pull request #96720 from liggitt/throttled-logger
  • 61471be Deflake ThrottledLogger test
  • 66db254 Merge pull request #95981 from caesarxuchao/http2-healthcheck
  • 7c9ea22 Merge pull request #92743 from liggitt/gc
  • 8dde295 Add a unit test testing the HTTP/2 health check help the REST client
  • c476b49 Add GC unit tests
  • 77eda6a Merge pull request #96317 from Jefftree/test-ssa
  • 76f4826 Merge pull request #96527 from adtac/apfbeta
  • 4ab8fb4 Merge pull request #96425 from bobbypage/vendor-cadvisor-v0.38
  • Additional commits viewable in compare view


Dependabot commands
You can trigger Dependabot actions by commenting on this MR
  • $dependabot rebase will rebase this MR
  • $dependabot recreate will recreate this MR rewriting all the manual changes and resolving conflicts
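The credential-in-logs issue the advisories above describe (request headers, including bearer tokens, written to client output at high verbosity) is the kind of thing a defender wants to find and scrub in collected logs. The following is an added example, not code from this merge request or from client-go: a small Go scrubber that detects Authorization headers in verbose client log lines and masks the credential while keeping the scheme. The log lines and the token are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
)

// Authorization header as it appears in a verbose client log line: keep the
// scheme (Basic, Bearer, Negotiate), capture the credential that follows it.
var authHeaderRe = regexp.MustCompile(`(?i)(authorization:\s*)(basic|bearer|negotiate)(\s+)(\S+)`)

// RedactLine masks the credential part of an Authorization header in one log
// line, keeping the scheme so the line stays useful for debugging. It reports
// whether a credential was present.
func RedactLine(line string) (string, bool) {
	if !authHeaderRe.MatchString(line) {
		return line, false
	}
	return authHeaderRe.ReplaceAllString(line, "${1}${2}${3}<masked>"), true
}

// ScanLog redacts every line and counts how many carried a credential.
func ScanLog(lines []string) ([]string, int) {
	out := make([]string, 0, len(lines))
	leaked := 0
	for _, l := range lines {
		r, hit := RedactLine(l)
		if hit {
			leaked++
		}
		out = append(out, r)
	}
	return out, leaked
}

// Constructed sample in the shape of kubectl -v=9 header output; the token is fake.
var sampleLog = []string{
	"round_trippers.go] GET https://10.0.0.1:6443/api/v1/namespaces/default/pods",
	"round_trippers.go] Request Headers:",
	"round_trippers.go]     Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.CONSTRUCTED.TOKEN",
	"round_trippers.go]     User-Agent: kubectl/v1.19.3",
}

func main() {
	redacted, n := ScanLog(sampleLog)
	fmt.Printf("%d line(s) carried credentials\n", n)
	for _, l := range redacted {
		fmt.Println(l)
	}
}
```

Running it over real kubectl or apiserver logs from the affected versions gives a quick count of how many lines need rotating credentials, not just redaction.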
argoyle commented 2023-05-10 06:05:20 +00:00 (Migrated from gitlab.com)

added 1 commit

  • 493da1d3 - [Security] Bump k8s.io/client-go from 0.15.7 to 0.20.0

Compare with previous version

argoyle (Migrated from gitlab.com) merged commit into master 2023-05-10 06:16:04 +00:00