6d8fe8db3e
This PR updates security-critical dependencies addressing authentication
and data parsing vulnerabilities.
**Authentication Security:**
- github.com/coreos/go-oidc: v2.3.0 -> v2.5.0
- Security fix: Now verifies token signature BEFORE validating payload
- Prevents potential processing of tampered tokens before cryptographic
verification
- github.com/cyphar/filepath-securejoin: v0.6.0 -> v0.6.1
- Security fix: Fixed seccomp fallback logic - library now properly falls
back to safer O_PATH resolver when openat2(2) is denied by seccomp-bpf
- Fixed file descriptor leak in openat2 wrapper during RESOLVE_IN_ROOT
- cyphar.com/go-pathrs: v0.2.1 -> v0.2.2
- Companion update to filepath-securejoin
**Protobuf Security:**
- google.golang.org/protobuf: v1.36.8 -> v1.36.11
- Security fix: Added recursion limit check in lazy decoding validation
- Prevents potential stack exhaustion attacks via maliciously crafted
protobuf messages
- Also adds support for URL chars in type URLs in text-format
These updates are critical for:
- OIDC authentication in kube-apiserver
- Container filesystem path resolution (used by container runtimes)
- Protobuf message parsing throughout the codebase
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
Kubernetes-commit: c825d80bbf2c82666192c329478a686fa3a1d5dc
|
||
|---|---|---|
| .github | ||
| docs | ||
| images | ||
| pkg | ||
| testdata | ||
| code-of-conduct.md | ||
| CONTRIBUTING.md | ||
| doc.go | ||
| go.mod | ||
| go.sum | ||
| LICENSE | ||
| OWNERS | ||
| README.md | ||
| SECURITY_CONTACTS | ||
⚠️ This is an automatically published staged repository for Kubernetes.
Pull requests, should be made to the main Kubernetes repository: https://github.com/kubernetes/kubernetes.
This repository is read-only for importing, and not used for direct contributions.
See CONTRIBUTING.md for more details.
Kubectl
The k8s.io/kubectl repo is used to track issues for the kubectl cli distributed
with k8s.io/kubernetes. It also contains packages intended for use by client
programs. E.g. these packages are vendored into k8s.io/kubernetes for use in
the kubectl
cli client. That client will eventually move here too.
Contribution Requirements
-
Full unit-test coverage.
-
Go tools compliant (
go get,go test, etc.). It needs to be vendorable somewhere else. -
No dependence on
k8s.io/kubernetes. Dependence on other repositories is fine. -
Code must be usefully commented. Not only for developers on the project, but also for external users of these packages.
-
When reviewing PRs, you are encouraged to use Golang's code review comments page.
-
Packages in this repository should aspire to implement sensible, small interfaces and import a limited set of dependencies.
Community, discussion, contribution, and support
See this document for how to reach the maintainers of this project.
Code of conduct
Participation in the Kubernetes community is governed by the Kubernetes Code of Conduct.