Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore(deps): update dependency chainguard-dev/apko to v0.22.3 #9201

Merged
merged 1 commit into from
Dec 20, 2024

Conversation

uniget-bot
Copy link

This PR contains the following updates:

Package Update Change
chainguard-dev/apko patch 0.22.2 -> 0.22.3

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

chainguard-dev/apko (chainguard-dev/apko)

v0.22.3

Compare Source

What's Changed

New Contributors

Full Changelog: chainguard-dev/apko@v0.22.2...v0.22.3


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

Copy link

@nicholasdille-bot nicholasdille-bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Auto-approved because label type/renovate is present.

Copy link

🔍 Vulnerabilities of ghcr.io/uniget-org/tools/apko:0.22.3

📦 Image Reference ghcr.io/uniget-org/tools/apko:0.22.3
digestsha256:37ed48623ab1bc82e8081fa51de030c694f377490af44ecff116fa90cc1373de
vulnerabilitiescritical: 0 high: 4 medium: 0 low: 0
platformlinux/amd64
size22 MB
packages147
critical: 0 high: 2 medium: 0 low: 0 github.com/u-root/u-root 0.14.0 (golang)

pkg:golang/github.com/u-root/[email protected]

high 7.5: CVE--2020--7669 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

Affected range<=v7.0.0
Fixed versionNot Fixed
CVSS Score7.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Description

This affects all versions of package github.com/u-root/u-root/pkg/tarutil. It is vulnerable to both leading and non-leading relative path traversal attacks in tar file extraction.

high 7.5: CVE--2020--7665 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

Affected range<=7.0.0
Fixed versionNot Fixed
CVSS Score7.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Description

This affects all versions of package github.com/u-root/u-root/pkg/uzip. It is vulnerable to both leading and non-leading relative path traversal attacks in zip file extraction.

critical: 0 high: 1 medium: 0 low: 0 golang.org/x/net 0.32.0 (golang)

pkg:golang/golang.org/x/[email protected]

high 8.7: CVE--2024--45338 Allocation of Resources Without Limits or Throttling

Affected range<0.33.0
Fixed version0.33.0
CVSS Score8.7
CVSS VectorCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Description

An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

critical: 0 high: 1 medium: 0 low: 0 github.com/theupdateframework/go-tuf 0.7.0 (golang)

pkg:golang/github.com/theupdateframework/[email protected]

high : CVE--2024--47534

Affected range>=0
Fixed versionNot Fixed
Description

Incorrect delegation lookups can make go-tuf download the wrong artifact in github.com/theupdateframework/go-tuf

Copy link

Copy link

PR is clean and can be merged. See https://github.com/uniget-org/tools/actions/runs/12424204177.

@github-actions github-actions bot merged commit 6328aaf into main Dec 20, 2024
10 checks passed
@github-actions github-actions bot deleted the renovate/chainguard-dev-apko-0.22.x branch December 20, 2024 02:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants