fix(deps): update module filippo.io/age v1.2.0 → v1.2.1 [security] (#29835)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [filippo.io/age](https://redirect.github.com/FiloSottile/age) |
require | patch | `v1.2.0` -> `v1.2.1` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.

### GitHub Vulnerability Alerts

####
[GHSA-32gq-x56h-299c](https://redirect.github.com/FiloSottile/age/security/advisories/GHSA-32gq-x56h-299c)

A plugin name containing a path separator may allow an attacker to
execute an arbitrary binary.

Such a plugin name can be provided to the age CLI through an
attacker-controlled recipient or identity string, or to the
[`plugin.NewIdentity`](https://pkg.go.dev/filippo.io/age/plugin#NewIdentity),
[`plugin.NewIdentityWithoutData`](https://pkg.go.dev/filippo.io/age/plugin#NewIdentityWithoutData),
or
[`plugin.NewRecipient`](https://pkg.go.dev/filippo.io/age/plugin#NewRecipient)
APIs.

On UNIX systems, a directory matching `${TMPDIR:-/tmp}/age-plugin-*`
needs to exist for the attack to succeed.

The binary is executed with a single flag, either
`--age-plugin=recipient-v1` or `--age-plugin=identity-v1`. The standard
input includes the recipient or identity string, and the random file key
(if encrypting) or the header of the file (if decrypting). The format is
constrained by the [age-plugin](https://c2sp.org/age-plugin) protocol.

An equivalent issue was fixed by the
[rage](https://redirect.github.com/str4d/rage) project, see advisory
[GHSA-4fg7-vxc8-qx5w](https://redirect.github.com/str4d/rage/security/advisories/GHSA-4fg7-vxc8-qx5w).

Thanks to ⬡-49016 for reporting this.

---

### Release Notes

<details>
<summary>FiloSottile/age (filippo.io/age)</summary>

###
[`v1.2.1`](https://redirect.github.com/FiloSottile/age/releases/tag/v1.2.1):
age v1.2.1: security fix

[Compare
Source](https://redirect.github.com/FiloSottile/age/compare/v1.2.0...v1.2.1)

This release fixes a security vulnerability that could allow an attacker
to execute an arbitrary binary under certain conditions.

See GHSA-32gq-x56h-299c.

Plugin names may now only contain alphanumeric characters or the four
special characters `+-._`.

Thanks to ⬡-49016 for reporting this issue.

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no
schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Renovate
Bot](https://redirect.github.com/renovatebot/renovate).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS44Mi45IiwidXBkYXRlZEluVmVyIjoiMzkuODIuOSIsInRhcmdldEJyYW5jaCI6Im1hc3RlciIsImxhYmVscyI6WyJhdXRvbWVyZ2UiLCJyZW5vdmF0ZS9jb250YWluZXIiLCJ0eXBlL3BhdGNoIl19-->
This commit is contained in:
TrueCharts Bot
2024-12-27 02:40:03 +01:00
committed by GitHub
parent fafb393088
commit 8a610ba0bf
2 changed files with 3 additions and 1 deletions

View File

@@ -3,7 +3,7 @@ module github.com/truecharts/public/clustertool
go 1.23.2
require (
filippo.io/age v1.2.0
filippo.io/age v1.2.1
github.com/Masterminds/semver/v3 v3.3.1
github.com/beevik/ntp v1.4.3
github.com/budimanjojo/talhelper/v3 v3.0.10

View File

@@ -21,6 +21,8 @@ dario.cat/mergo v1.0.1 h1:Ra4+bf83h2ztPIQYNP99R6m+Y7KfnARDfID+a+vLl4s=
dario.cat/mergo v1.0.1/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
filippo.io/age v1.2.0 h1:vRDp7pUMaAJzXNIWJVAZnEf/Dyi4Vu4wI8S1LBzufhE=
filippo.io/age v1.2.0/go.mod h1:JL9ew2lTN+Pyft4RiNGguFfOpewKwSHm5ayKD/A4004=
filippo.io/age v1.2.1 h1:X0TZjehAZylOIj4DubWYU1vWQxv9bJpo+Uu2/LGhi1o=
filippo.io/age v1.2.1/go.mod h1:JL9ew2lTN+Pyft4RiNGguFfOpewKwSHm5ayKD/A4004=
filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=
filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 h1:bvDV9vkmnHYOMsOr4WLk+Vo07yKIzd94sVoIqshQ4bU=