mirror of
https://github.com/truecharts/charts.git
synced 2026-07-09 15:31:21 -03:00
fix(deps): update module filippo.io/age v1.2.0 → v1.2.1 [security] (#29835)
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [filippo.io/age](https://redirect.github.com/FiloSottile/age) | require | patch | `v1.2.0` -> `v1.2.1` | --- > [!WARNING] > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. ### GitHub Vulnerability Alerts #### [GHSA-32gq-x56h-299c](https://redirect.github.com/FiloSottile/age/security/advisories/GHSA-32gq-x56h-299c) A plugin name containing a path separator may allow an attacker to execute an arbitrary binary. Such a plugin name can be provided to the age CLI through an attacker-controlled recipient or identity string, or to the [`plugin.NewIdentity`](https://pkg.go.dev/filippo.io/age/plugin#NewIdentity), [`plugin.NewIdentityWithoutData`](https://pkg.go.dev/filippo.io/age/plugin#NewIdentityWithoutData), or [`plugin.NewRecipient`](https://pkg.go.dev/filippo.io/age/plugin#NewRecipient) APIs. On UNIX systems, a directory matching `${TMPDIR:-/tmp}/age-plugin-*` needs to exist for the attack to succeed. The binary is executed with a single flag, either `--age-plugin=recipient-v1` or `--age-plugin=identity-v1`. The standard input includes the recipient or identity string, and the random file key (if encrypting) or the header of the file (if decrypting). The format is constrained by the [age-plugin](https://c2sp.org/age-plugin) protocol. An equivalent issue was fixed by the [rage](https://redirect.github.com/str4d/rage) project, see advisory [GHSA-4fg7-vxc8-qx5w](https://redirect.github.com/str4d/rage/security/advisories/GHSA-4fg7-vxc8-qx5w). Thanks to ⬡-49016 for reporting this. --- ### Release Notes <details> <summary>FiloSottile/age (filippo.io/age)</summary> ### [`v1.2.1`](https://redirect.github.com/FiloSottile/age/releases/tag/v1.2.1): age v1.2.1: security fix [Compare Source](https://redirect.github.com/FiloSottile/age/compare/v1.2.0...v1.2.1) This release fixes a security vulnerability that could allow an attacker to execute an arbitrary binary under certain conditions. See GHSA-32gq-x56h-299c. Plugin names may now only contain alphanumeric characters or the four special characters `+-._`. Thanks to ⬡-49016 for reporting this issue. </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS44Mi45IiwidXBkYXRlZEluVmVyIjoiMzkuODIuOSIsInRhcmdldEJyYW5jaCI6Im1hc3RlciIsImxhYmVscyI6WyJhdXRvbWVyZ2UiLCJyZW5vdmF0ZS9jb250YWluZXIiLCJ0eXBlL3BhdGNoIl19-->
This commit is contained in:
@@ -3,7 +3,7 @@ module github.com/truecharts/public/clustertool
|
||||
go 1.23.2
|
||||
|
||||
require (
|
||||
filippo.io/age v1.2.0
|
||||
filippo.io/age v1.2.1
|
||||
github.com/Masterminds/semver/v3 v3.3.1
|
||||
github.com/beevik/ntp v1.4.3
|
||||
github.com/budimanjojo/talhelper/v3 v3.0.10
|
||||
|
||||
@@ -21,6 +21,8 @@ dario.cat/mergo v1.0.1 h1:Ra4+bf83h2ztPIQYNP99R6m+Y7KfnARDfID+a+vLl4s=
|
||||
dario.cat/mergo v1.0.1/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
|
||||
filippo.io/age v1.2.0 h1:vRDp7pUMaAJzXNIWJVAZnEf/Dyi4Vu4wI8S1LBzufhE=
|
||||
filippo.io/age v1.2.0/go.mod h1:JL9ew2lTN+Pyft4RiNGguFfOpewKwSHm5ayKD/A4004=
|
||||
filippo.io/age v1.2.1 h1:X0TZjehAZylOIj4DubWYU1vWQxv9bJpo+Uu2/LGhi1o=
|
||||
filippo.io/age v1.2.1/go.mod h1:JL9ew2lTN+Pyft4RiNGguFfOpewKwSHm5ayKD/A4004=
|
||||
filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=
|
||||
filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
|
||||
github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 h1:bvDV9vkmnHYOMsOr4WLk+Vo07yKIzd94sVoIqshQ4bU=
|
||||
|
||||
Reference in New Issue
Block a user