From 8a610ba0bf161df5f5ecb9403af59b5a090c6b63 Mon Sep 17 00:00:00 2001 From: TrueCharts Bot Date: Fri, 27 Dec 2024 02:40:03 +0100 Subject: [PATCH] =?UTF-8?q?fix(deps):=20update=20module=20filippo.io/age?= =?UTF-8?q?=20v1.2.0=20=E2=86=92=20v1.2.1=20[security]=20(#29835)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [filippo.io/age](https://redirect.github.com/FiloSottile/age) | require | patch | `v1.2.0` -> `v1.2.1` | --- > [!WARNING] > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. ### GitHub Vulnerability Alerts #### [GHSA-32gq-x56h-299c](https://redirect.github.com/FiloSottile/age/security/advisories/GHSA-32gq-x56h-299c) A plugin name containing a path separator may allow an attacker to execute an arbitrary binary. Such a plugin name can be provided to the age CLI through an attacker-controlled recipient or identity string, or to the [`plugin.NewIdentity`](https://pkg.go.dev/filippo.io/age/plugin#NewIdentity), [`plugin.NewIdentityWithoutData`](https://pkg.go.dev/filippo.io/age/plugin#NewIdentityWithoutData), or [`plugin.NewRecipient`](https://pkg.go.dev/filippo.io/age/plugin#NewRecipient) APIs. On UNIX systems, a directory matching `${TMPDIR:-/tmp}/age-plugin-*` needs to exist for the attack to succeed. The binary is executed with a single flag, either `--age-plugin=recipient-v1` or `--age-plugin=identity-v1`. The standard input includes the recipient or identity string, and the random file key (if encrypting) or the header of the file (if decrypting). The format is constrained by the [age-plugin](https://c2sp.org/age-plugin) protocol. An equivalent issue was fixed by the [rage](https://redirect.github.com/str4d/rage) project, see advisory [GHSA-4fg7-vxc8-qx5w](https://redirect.github.com/str4d/rage/security/advisories/GHSA-4fg7-vxc8-qx5w). Thanks to ⬡-49016 for reporting this. --- ### Release Notes
FiloSottile/age (filippo.io/age) ### [`v1.2.1`](https://redirect.github.com/FiloSottile/age/releases/tag/v1.2.1): age v1.2.1: security fix [Compare Source](https://redirect.github.com/FiloSottile/age/compare/v1.2.0...v1.2.1) This release fixes a security vulnerability that could allow an attacker to execute an arbitrary binary under certain conditions. See GHSA-32gq-x56h-299c. Plugin names may now only contain alphanumeric characters or the four special characters `+-._`. Thanks to ⬡-49016 for reporting this issue.
--- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate). --- clustertool/go.mod | 2 +- clustertool/go.sum | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/clustertool/go.mod b/clustertool/go.mod index 4b2fc4170d6..d0cfb51b2c8 100644 --- a/clustertool/go.mod +++ b/clustertool/go.mod @@ -3,7 +3,7 @@ module github.com/truecharts/public/clustertool go 1.23.2 require ( - filippo.io/age v1.2.0 + filippo.io/age v1.2.1 github.com/Masterminds/semver/v3 v3.3.1 github.com/beevik/ntp v1.4.3 github.com/budimanjojo/talhelper/v3 v3.0.10 diff --git a/clustertool/go.sum b/clustertool/go.sum index 0124ea26200..df6bc2d8f38 100644 --- a/clustertool/go.sum +++ b/clustertool/go.sum @@ -21,6 +21,8 @@ dario.cat/mergo v1.0.1 h1:Ra4+bf83h2ztPIQYNP99R6m+Y7KfnARDfID+a+vLl4s= dario.cat/mergo v1.0.1/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk= filippo.io/age v1.2.0 h1:vRDp7pUMaAJzXNIWJVAZnEf/Dyi4Vu4wI8S1LBzufhE= filippo.io/age v1.2.0/go.mod h1:JL9ew2lTN+Pyft4RiNGguFfOpewKwSHm5ayKD/A4004= +filippo.io/age v1.2.1 h1:X0TZjehAZylOIj4DubWYU1vWQxv9bJpo+Uu2/LGhi1o= +filippo.io/age v1.2.1/go.mod h1:JL9ew2lTN+Pyft4RiNGguFfOpewKwSHm5ayKD/A4004= filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA= filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4= github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 h1:bvDV9vkmnHYOMsOr4WLk+Vo07yKIzd94sVoIqshQ4bU=