kubernetes

mirror of https://github.com/kubernetes/kubernetes.git synced 2026-02-03 20:40:26 -05:00

History

Davanum Srinivas c825d80bbf Update security-critical authentication and protobuf dependencies This PR updates security-critical dependencies addressing authentication and data parsing vulnerabilities. Authentication Security: - github.com/coreos/go-oidc: v2.3.0 -> v2.5.0 - Security fix: Now verifies token signature BEFORE validating payload - Prevents potential processing of tampered tokens before cryptographic verification - github.com/cyphar/filepath-securejoin: v0.6.0 -> v0.6.1 - Security fix: Fixed seccomp fallback logic - library now properly falls back to safer O_PATH resolver when openat2(2) is denied by seccomp-bpf - Fixed file descriptor leak in openat2 wrapper during RESOLVE_IN_ROOT - cyphar.com/go-pathrs: v0.2.1 -> v0.2.2 - Companion update to filepath-securejoin Protobuf Security: - google.golang.org/protobuf: v1.36.8 -> v1.36.11 - Security fix: Added recursion limit check in lazy decoding validation - Prevents potential stack exhaustion attacks via maliciously crafted protobuf messages - Also adds support for URL chars in type URLs in text-format These updates are critical for: - OIDC authentication in kube-apiserver - Container filesystem path resolution (used by container runtimes) - Protobuf message parsing throughout the codebase Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> Signed-off-by: Davanum Srinivas <davanum@gmail.com>	2026-01-13 16:56:16 -05:00
..
go-pathrs	Update security-critical authentication and protobuf dependencies	2026-01-13 16:56:16 -05:00

Davanum Srinivas c825d80bbf Update security-critical authentication and protobuf dependencies

This PR updates security-critical dependencies addressing authentication
and data parsing vulnerabilities.

**Authentication Security:**
- github.com/coreos/go-oidc: v2.3.0 -> v2.5.0
  - Security fix: Now verifies token signature BEFORE validating payload
  - Prevents potential processing of tampered tokens before cryptographic
    verification

- github.com/cyphar/filepath-securejoin: v0.6.0 -> v0.6.1
  - Security fix: Fixed seccomp fallback logic - library now properly falls
    back to safer O_PATH resolver when openat2(2) is denied by seccomp-bpf
  - Fixed file descriptor leak in openat2 wrapper during RESOLVE_IN_ROOT

- cyphar.com/go-pathrs: v0.2.1 -> v0.2.2
  - Companion update to filepath-securejoin

**Protobuf Security:**
- google.golang.org/protobuf: v1.36.8 -> v1.36.11
  - Security fix: Added recursion limit check in lazy decoding validation
  - Prevents potential stack exhaustion attacks via maliciously crafted
    protobuf messages
  - Also adds support for URL chars in type URLs in text-format

These updates are critical for:
- OIDC authentication in kube-apiserver
- Container filesystem path resolution (used by container runtimes)
- Protobuf message parsing throughout the codebase

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Signed-off-by: Davanum Srinivas <davanum@gmail.com>

2026-01-13 16:56:16 -05:00

go-pathrs

Update security-critical authentication and protobuf dependencies

2026-01-13 16:56:16 -05:00