Davanum Srinivas
c825d80bbf
Update security-critical authentication and protobuf dependencies
This PR updates security-critical dependencies addressing authentication
and data parsing vulnerabilities.
**Authentication Security:**
- github.com/coreos/go-oidc: v2.3.0 -> v2.5.0
  - Security fix: Now verifies token signature BEFORE validating payload
  - Prevents potential processing of tampered tokens before cryptographic verification
- github.com/cyphar/filepath-securejoin: v0.6.0 -> v0.6.1
  - Security fix: Fixed seccomp fallback logic - library now properly falls back to safer O_PATH resolver when openat2(2) is denied by seccomp-bpf
  - Fixed file descriptor leak in openat2 wrapper during RESOLVE_IN_ROOT
- cyphar.com/go-pathrs: v0.2.1 -> v0.2.2
  - Companion update to filepath-securejoin
**Protobuf Security:**
- google.golang.org/protobuf: v1.36.8 -> v1.36.11
  - Security fix: Added recursion limit check in lazy decoding validation
  - Prevents potential stack exhaustion attacks via maliciously crafted protobuf messages
  - Also adds support for URL chars in type URLs in text-format
These updates are critical for:
- OIDC authentication in kube-apiserver
- Container filesystem path resolution (used by container runtimes)
- Protobuf message parsing throughout the codebase
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2026-01-13 16:56:16 -05:00
Davanum Srinivas
1569ebc5a6
Bump github.com/opencontainers/cgroups to v0.0.6
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2025-11-28 16:22:46 -05:00
Davanum Srinivas
faf30b3067
update github.com/coreos/go-oidc to v2.3.0
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2025-01-22 15:27:54 -05:00
Akhil Mohan
5bce18c98e
dependencies: update go-semver to v0.3.1
Signed-off-by: Akhil Mohan <akhilerm@gmail.com>
2023-04-13 23:29:48 -07:00
Akhil Mohan
d7270f4ba7
dependencies: update go-oidc to v2.2.1
Signed-off-by: Akhil Mohan <akhilerm@gmail.com>
2023-04-13 23:25:57 -07:00
Akhil Mohan
1595d7f52d
dependencies: update go-systemd to v22.5.0
Signed-off-by: Akhil Mohan <akhilerm@gmail.com>
2023-04-13 23:21:38 -07:00
David Porter
28e9775fd5
deps: Update github.com/coreos/go-systemd/v22 to v22.4.0
Update github.com/coreos/go-systemd/v22 to v22.4.0 which introduces
`GetUnitNameByPID`. This function will be used in node e2e to get the
container runtime systemd unit name.
Performed by:
$ hack/pin-dependency.sh github.com/coreos/go-systemd/v22 v22.4.0
$ hack/update-vendor.sh
Signed-off-by: David Porter <david@porter.me>
2023-03-02 19:33:55 -08:00
Davanum Srinivas
7fcdbbef06
Switch to github.com/coreos/go-systemd/v22 and drop older package
- We use the new v22 module released on May 10
- We drop the unmaintained `github.com/coreos/pkg`
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2021-06-16 11:14:16 -04:00
Jordan Liggitt
5cfc39ef5e
Update protobuf,grpc,etcd dependencies
1. Updated etcd/protobuf/grpc dependencies:
echo "
hack/pin-dependency.sh github.com/golang/protobuf latest
hack/pin-dependency.sh google.golang.org/protobuf latest
hack/pin-dependency.sh go.etcd.io/etcd/api/v3 v3.5.0-rc.0
hack/pin-dependency.sh go.etcd.io/etcd/client/v3 v3.5.0-rc.0
hack/pin-dependency.sh go.etcd.io/etcd/client/pkg/v3 v3.5.0-rc.0
hack/pin-dependency.sh go.etcd.io/etcd/pkg/v3 v3.5.0-rc.0
hack/pin-dependency.sh go.etcd.io/etcd/server/v3 v3.5.0-rc.0
hack/pin-dependency.sh go.etcd.io/etcd/tests/v3 v3.5.0-rc.0
hack/pin-dependency.sh google.golang.org/grpc latest
" | bash
2. Linted transitive dependencies until versions are clean:
hack/lint-dependencies.sh | grep " hack/pin-dependency.sh" | bash
3. Linted dependencies until dropped versions are clean:
hack/lint-dependencies.sh | grep "dropreplace" | bash
4. Updated vendor and internal modules:
hack/update-vendor.sh
hack/update-internal-modules.sh
Repeated steps 2-4 until clean
2021-06-15 10:06:09 -04:00
Kir Kolyshkin
f3cdfc488e
vendor: bump runc to rc95
runc rc95 contains a fix for CVE-2021-30465.
runc rc94 provides fixes and improvements.
One notable change is cgroup manager's Set now accepts Resources rather
than Cgroup (see https://github.com/opencontainers/runc/pull/2906).
Modify the code accordingly.
Also update runc dependencies (as hinted by hack/lint-dependencies.sh):
github.com/cilium/ebpf v0.5.0
github.com/containerd/console v1.0.2
github.com/coreos/go-systemd/v22 v22.3.1
github.com/godbus/dbus/v5 v5.0.4
github.com/moby/sys/mountinfo v0.4.1
golang.org/x/sys v0.0.0-20210426230700-d19ff857e887
github.com/google/go-cmp v0.5.4
github.com/kr/pretty v0.2.1
github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-05-19 23:51:59 -07:00
Jordan Liggitt
4b45d0d921
Revert "Merge pull request 101888 from kolyshkin/update-runc-rc94"
This reverts commit b1b06fe0a4, reversing
changes made to 382a33986b.
2021-05-18 09:13:47 -04:00
Kir Kolyshkin
b49744f177
vendor: bump runc to rc94
One notable change is cgroup manager's Set now accepts Resources rather
than Cgroup (see https://github.com/opencontainers/runc/pull/2906).
Modify the code accordingly.
Also update runc dependencies (as hinted by hack/lint-dependencies.sh):
github.com/cilium/ebpf v0.5.0
github.com/containerd/console v1.0.2
github.com/coreos/go-systemd/v22 v22.3.1
github.com/godbus/dbus/v5 v5.0.4
github.com/moby/sys/mountinfo v0.4.1
golang.org/x/sys v0.0.0-20210426230700-d19ff857e887
github.com/google/go-cmp v0.5.4
github.com/kr/pretty v0.2.1
github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-05-11 11:56:42 -07:00
Benjamin Elder
56e092e382
hack/update-bazel.sh
2021-02-28 15:17:29 -08:00
Jordan Liggitt
f33dc28094
generated: hack/update-hack-tools.sh && hack/update-vendor.sh
2020-07-25 16:45:02 -04:00
Giuseppe Scrivano
a6a3bf2eb4
vendor: update google/cadvisor and opencontainers/runc
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2020-06-24 18:39:50 +02:00
louisgong
205ded20da
update spf13/cobra dependency to 1.0.0
2020-05-14 11:03:30 +08:00
Jordan Liggitt
297570e06a
hack/update-vendor.sh
2019-11-06 17:42:34 -05:00
Wenjia Zhang
660b17d0ae
Pin dependencies and update vendors
2019-10-24 14:09:24 -07:00
Joe Betz
1db282bb3e
Bump bbolt to v1.3.3
2019-10-15 13:38:16 -07:00
Joe Betz
41e03d26d5
Upgrade to etcd 3.3.17
2019-10-11 13:28:41 -07:00
Joe Betz
2a4217340e
Revert #83735: Update etcd client to 3.3.16
2019-10-11 00:17:00 -07:00
Joe Betz
ad6aeecf30
Update etcd client to 3.3.16
2019-10-10 07:49:36 -07:00
Odin Ugedal
c07408380d
Bump dependency github.com/coreos/go-systemd@v19 (95778df)
2019-10-05 14:28:46 +02:00
Anders Eknert
5e6162c614
Honour "nbf" claim if present in ID token
2019-08-31 08:45:02 +02:00
Davanum Srinivas
108ccea448
Update github.com/coreos/etcd to v3.3.15
Change-Id: I1b16ca712238219d082427c75dd6bc404794abbf
2019-08-21 08:16:34 -04:00
Davanum Srinivas
8824e0fcf7
Use latest etcd from release-3.3 branch for dropping ugorji
Pick up changes from:
https://github.com/etcd-io/etcd/pull/10675
Change-Id: Ic4d6daa3c54824d3d27809a125b798e88db0bf7e
2019-05-02 14:12:01 -04:00
Davanum Srinivas
70d562a6ac
Update to latest cadvisor - cleanup mesos/rkt
Change-Id: Ib5ae0cb13b93f8c87bb74e3ba33040df5f3d6a6f
2019-04-11 14:49:23 -04:00
Jordan Liggitt
d0261b1077
generated: hack/update-vendor.sh
2019-04-03 10:19:40 -04:00
Guoliang Wang
d462e1e8d7
Update vendor package github.com/coreos/...
2018-10-24 07:52:40 +00:00
Joe Betz
4263c75211
Update etcd client to 3.3.9
2018-10-08 13:34:34 -07:00
Jeff Grafton
6034bf68d0
Update to gazelle 0.14.0 and run hack/update-bazel.sh
2018-09-05 15:27:15 -07:00
Timothy St. Clair
0bb21f647f
Update etcd client to 3.2.24 for latest release
Signed-off-by: Timothy St. Clair <timothysc@gmail.com>
2018-09-04 21:39:43 -05:00
Jeff Grafton
23ceebac22
Run hack/update-bazel.sh
2018-06-22 16:22:57 -07:00
Jeff Grafton
a725660640
Update to gazelle 0.12.0 and run hack/update-bazel.sh
2018-06-22 16:22:18 -07:00
Jeff Grafton
01f94051c8
Remove the go_default_library_protos filegroups using buildozer
2018-06-22 16:22:18 -07:00
Filipe Brandenburger
1f1595a243
Update Godeps after removing rkt.
This was done by executing the following two commands:
$ hack/run-in-gopath.sh hack/godep-save.sh
$ hack/run-in-gopath.sh hack/godep-restore.sh
Go packages github.com/appc/spec and github.com/coreos/go-systemd were
used by the rkt/ package that is now gone.
2018-03-27 09:29:35 -07:00
Eric Chiang
379af0405c
bump(github.com/coreos/go-oidc): 065b426bd41667456c1a924468f507673629c46b
2018-02-16 10:57:52 -08:00
Joe Betz
e31bab4640
Version bump to etcd v3.2.13
2018-01-07 08:22:08 -08:00
Jeff Grafton
efee0704c6
Autogenerate BUILD files
2017-12-23 13:12:11 -08:00
Wojciech Tyczynski
4e8526dc6b
Revert "Version bump to etcd v3.2.11, grpc v1.7.5"
2017-12-19 15:25:06 +01:00
Joe Betz
05afd248f2
Version bump to etcd v3.2.11
2017-12-18 14:32:38 -08:00
Antoine Pelisse
3ed58475c4
Update openapi to use kube-openapi code
2017-10-20 09:21:06 -07:00
Jeff Grafton
aee5f457db
update BUILD files
2017-10-15 18:18:13 -07:00
Jeff Grafton
653d05c169
Regenerate all BUILD files in vendor/ from scratch using gazelle
2017-08-16 15:48:25 -07:00
Jeff Grafton
a7f49c906d
Use buildozer to delete licenses() rules except under third_party/
2017-08-11 09:32:39 -07:00
Jeff Grafton
33276f06be
Use buildozer to remove deprecated automanaged tags
2017-08-11 09:31:50 -07:00
Jeff Grafton
5f63711681
Remove deprecated cgo_genrules
2017-08-11 09:31:05 -07:00
Jeff Grafton
cf55f9ed45
Autogenerate BUILD files
2017-08-11 09:30:23 -07:00
Kubernetes Submit Queue
44b0eeed13
Merge pull request #48907 from thomastaylor312/bump_oidc_dep
Automatic merge from submit-queue (batch tested with PRs 47738, 49196, 48907, 48533, 48822)
Bumps go-oidc version to include fix for jwt header parsing
**What this PR does / why we need it**:
This bumps the go-oidc dependency to use a fix merged in https://github.com/coreos/go-oidc/pull/153 for OIDC providers that don't set an `Expires` header
**Which issue this PR fixes**:
Partially addresses #42654
Also related: https://github.com/coreos/go-oidc/issues/136
**Special notes for your reviewer**:
None
**Release note**:
```release-note
NONE
```
2017-07-28 03:10:32 -07:00
Timothy St. Clair
a8b2146ef3
Updates godep for etcd-client to 3.1.10.
2017-07-25 16:14:22 -05:00