chore(deps): update dependency siderolabs/talos to v1.9.1

[uniget-bot]

This PR contains the following updates:

Package	Update	Change
siderolabs/talos	patch	1.9.0 -> 1.9.1

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

siderolabs/talos (siderolabs/talos)

v1.9.1

Compare Source

Talos 1.9.1 (2024-12-26)

Welcome to the v1.9.1 release of Talos!

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

Component Updates

• Linux: 6.12.6
• CNI plugins: 1.6.1

Talos is built with Go 1.23.4.

Contributors

• Andrey Smirnov
• Dmitry Sharshakov
• Noel Georgi

Changes

15 commits

• @​348472f release(v1.9.1): prepare release
• @​e702542 fix: ignore member not found error on leave cluster
• @​2125206 test: use node informer instead of raw watch
• @​73c25ee fix: talosctl support and race tests
• @​edd7844 fix: update go-blockdevice to v2.0.9
• @​c1f975c fix: use correct default search domain
• @​ff91a75 fix: reduce installer image
• @​9cebe5e fix: fix Failed to initialize SELinux labeling handle udev error
• @​852cf5a feat: bring Linux 6.12.6, CNI plugins 1.6.1
• @​5f83c83 docs: document Kubernetes service registry incompat with K8s 1.32
• @​3f87286 fix: dashboard crash on CPU data
• @​f84ba2a docs: fix several typos
• @​972044e chore: support gcr.io auth for cache and image gen
• @​7908c93 fix: make talosctl time work with PTP time sync
• @​48cb3a6 fix: restore previous disk serial fetching

Changes from siderolabs/go-talos-support

1 commit

• siderolabs/go-talos-support@0f784bd fix: avoid deadlock on context cancel

Changes from siderolabs/pkgs

3 commits

• siderolabs/pkgs@45c4ba4 fix: patch containerd with CNI deadlock fix
• siderolabs/pkgs@13c5fc6 feat: update Linux to 6.12.6
• siderolabs/pkgs@6ed389e feat: update Linux firmware to 2024121

Dependency Changes

• github.com/containernetworking/plugins v1.6.0 -> v1.6.1
• github.com/opencontainers/runc v1.2.2 -> v1.2.3
• github.com/siderolabs/go-blockdevice/v2 v2.0.7 -> v2.0.9
• github.com/siderolabs/go-talos-support v0.1.1 -> v0.1.2
• github.com/siderolabs/pkgs v1.9.0-12-g9576b97 -> v1.9.0-15-g45c4ba4
• github.com/siderolabs/talos/pkg/machinery v1.9.0 -> v1.9.1

Previous release can be found at v1.9.0

Images

ghcr.io/siderolabs/flannel:v0.26.1
registry.k8s.io/coredns/coredns:v1.12.0
gcr.io/etcd-development/etcd:v3.5.17
registry.k8s.io/kube-apiserver:v1.32.0
registry.k8s.io/kube-controller-manager:v1.32.0
registry.k8s.io/kube-scheduler:v1.32.0
registry.k8s.io/kube-proxy:v1.32.0
ghcr.io/siderolabs/kubelet:v1.32.0
ghcr.io/siderolabs/installer:v1.9.1
registry.k8s.io/pause:3.10

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[nicholasdille-bot]

Auto-approved because label type/renovate is present.

[github-actions]

🔍 Vulnerabilities of ghcr.io/uniget-org/tools/talosctl:1.9.1

📦 Image Reference ghcr.io/uniget-org/tools/talosctl:1.9.1

digest	sha256:e99ecbf09d30c1919416d27e4d005e3a8f87caba5ba03317a5cdd17a5bfdea77
vulnerabilities
platform	linux/amd64
size	27 MB
packages	239

golang.org/x/crypto 0.30.0 (golang) pkg:golang/golang.org/x/[email protected] Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.

golang.org/x/net 0.32.0 (golang) pkg:golang/golang.org/x/[email protected] Allocation of Resources Without Limits or Throttling Affected range <0.33.0 Fixed version 0.33.0 CVSS Score 8.7 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N Description An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

github.com/golang-jwt/jwt/v4 4.5.0 (golang) pkg:golang/github.com/golang-jwt/jwt/[email protected] Improper Verification of Cryptographic Signature Affected range <4.5.1 Fixed version 4.5.1 CVSS Score 2.3 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Description Summary Unclear documentation of the error behavior in ParseWithClaims can lead to situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors returned by ParseWithClaims return both error codes. If users only check for the jwt.ErrTokenExpired using error.Is, they will ignore the embedded jwt.ErrTokenSignatureInvalid and thus potentially accept invalid tokens. Fix We have back-ported the error handling logic from the v5 branch to the v4 branch. In this logic, the ParseWithClaims function will immediately return in "dangerous" situations (e.g., an invalid signature), limiting the combined errors only to situations where the signature is valid, but further validation failed (e.g., if the signature is valid, but is expired AND has the wrong audience). This fix is part of the 4.5.1 release. Workaround We are aware that this changes the behaviour of an established function and is not 100 % backwards compatible, so updating to 4.5.1 might break your code. In case you cannot update to 4.5.0, please make sure that you are properly checking for all errors ("dangerous" ones first), so that you are not running in the case detailed above. token, err := /* jwt.Parse or similar */ if token.Valid { fmt.Println("You look nice today") } else if errors.Is(err, jwt.ErrTokenMalformed) { fmt.Println("That's not even a token") } else if errors.Is(err, jwt.ErrTokenUnverifiable) { fmt.Println("We could not verify this token") } else if errors.Is(err, jwt.ErrTokenSignatureInvalid) { fmt.Println("This token has an invalid signature") } else if errors.Is(err, jwt.ErrTokenExpired) || errors.Is(err, jwt.ErrTokenNotValidYet) { // Token is either expired or not active yet fmt.Println("Timing is everything") } else { fmt.Println("Couldn't handle this token:", err) }

[github-actions]

Attempting automerge. See https://github.com/uniget-org/tools/actions/runs/12506160186.

[github-actions]

PR is clean and can be merged. See https://github.com/uniget-org/tools/actions/runs/12506160186.