Files
charts/clustertool
TrueCharts Bot 8a610ba0bf fix(deps): update module filippo.io/age v1.2.0 → v1.2.1 [security] (#29835)
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [filippo.io/age](https://redirect.github.com/FiloSottile/age) |
require | patch | `v1.2.0` -> `v1.2.1` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.

### GitHub Vulnerability Alerts

####
[GHSA-32gq-x56h-299c](https://redirect.github.com/FiloSottile/age/security/advisories/GHSA-32gq-x56h-299c)

A plugin name containing a path separator may allow an attacker to
execute an arbitrary binary.

Such a plugin name can be provided to the age CLI through an
attacker-controlled recipient or identity string, or to the
[`plugin.NewIdentity`](https://pkg.go.dev/filippo.io/age/plugin#NewIdentity),
[`plugin.NewIdentityWithoutData`](https://pkg.go.dev/filippo.io/age/plugin#NewIdentityWithoutData),
or
[`plugin.NewRecipient`](https://pkg.go.dev/filippo.io/age/plugin#NewRecipient)
APIs.

On UNIX systems, a directory matching `${TMPDIR:-/tmp}/age-plugin-*`
needs to exist for the attack to succeed.

The binary is executed with a single flag, either
`--age-plugin=recipient-v1` or `--age-plugin=identity-v1`. The standard
input includes the recipient or identity string, and the random file key
(if encrypting) or the header of the file (if decrypting). The format is
constrained by the [age-plugin](https://c2sp.org/age-plugin) protocol.

An equivalent issue was fixed by the
[rage](https://redirect.github.com/str4d/rage) project, see advisory
[GHSA-4fg7-vxc8-qx5w](https://redirect.github.com/str4d/rage/security/advisories/GHSA-4fg7-vxc8-qx5w).

Thanks to ⬡-49016 for reporting this.

---

### Release Notes

<details>
<summary>FiloSottile/age (filippo.io/age)</summary>

###
[`v1.2.1`](https://redirect.github.com/FiloSottile/age/releases/tag/v1.2.1):
age v1.2.1: security fix

[Compare
Source](https://redirect.github.com/FiloSottile/age/compare/v1.2.0...v1.2.1)

This release fixes a security vulnerability that could allow an attacker
to execute an arbitrary binary under certain conditions.

See GHSA-32gq-x56h-299c.

Plugin names may now only contain alphanumeric characters or the four
special characters `+-._`.

Thanks to ⬡-49016 for reporting this issue.

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no
schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Renovate
Bot](https://redirect.github.com/renovatebot/renovate).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS44Mi45IiwidXBkYXRlZEluVmVyIjoiMzkuODIuOSIsInRhcmdldEJyYW5jaCI6Im1hc3RlciIsImxhYmVscyI6WyJhdXRvbWVyZ2UiLCJyZW5vdmF0ZS9jb250YWluZXIiLCJ0eXBlL3BhdGNoIl19-->
2024-12-27 02:40:03 +01:00
..

clustertool

GitHub release (release name instead of tag name) GitHub issues

A helper tool to help building TrueCharts helm charts
· Report Bug · Request Feature

About The Project

CLA: Before contributing

Our CLA applies to this repository as well.

Please ensure it's signed before submitting a PR: https://cla-assistant.io/truecharts/charts

We use the truecharts/charts link, as CLA assistant does not allow for creating a custom link to a private repository. However, they all sign the same CLA that applies project-wide

License

This tool is released as "All Rights reserved" and hence it's code should NOT be shared. This includes binaries that are modified to remove TrueCharts specific code, unless approved by Kjeld Schouten "The Owner". Those that are invited to have access to repository, are free to edit and use this code for testing purposes, as long as its sourcecode is not shared or saved in-the-cloud.