Closed redhat-renovate-bot closed 3 months ago
In order to perform the update(s) described in the table above, Renovate ran the go get
command, which resulted in the following additional change(s):
go
directive was updated for compatibility reasonsDetails:
Package | Change |
---|---|
go |
1.20 -> 1.22.6 |
github.com/onsi/ginkgo/v2 |
v2.2.0 -> v2.13.0 |
github.com/onsi/gomega |
v1.20.2 -> v1.29.0 |
k8s.io/api |
v0.25.2 -> v0.30.0 |
k8s.io/apimachinery |
v0.25.2 -> v0.30.0 |
kubevirt.io/api |
v1.0.0-alpha.0 -> v1.3.1 |
github.com/davecgh/go-spew |
v1.1.1 -> v1.1.2-0.20180830191138-d8f796af33cc |
github.com/emicklei/go-restful/v3 |
v3.8.0 -> v3.11.0 |
github.com/go-kit/kit |
v0.9.0 -> v0.13.0 |
github.com/go-logfmt/logfmt |
v0.5.0 -> v0.6.0 |
github.com/go-logr/logr |
v1.2.3 -> v1.4.1 |
github.com/go-openapi/jsonpointer |
v0.19.5 -> v0.20.0 |
github.com/go-openapi/jsonreference |
v0.19.6 -> v0.20.2 |
github.com/golang/glog |
v1.0.0 -> v1.1.0 |
github.com/google/go-cmp |
v0.5.9 -> v0.6.0 |
github.com/google/gofuzz |
v1.1.0 -> v1.2.0 |
github.com/imdario/mergo |
v0.3.13 -> v0.3.16 |
go.uber.org/atomic |
v1.7.0 -> v1.9.0 |
go.uber.org/multierr |
v1.6.0 -> v1.7.0 |
google.golang.org/appengine |
v1.6.7 -> v1.6.8 |
k8s.io/apiextensions-apiserver |
v0.23.5 -> v0.30.0 |
k8s.io/klog/v2 |
v2.70.1 -> v2.120.1 |
k8s.io/kube-aggregator |
v0.23.5 -> v0.26.4 |
k8s.io/kube-openapi |
v0.0.0-20220803162953-67bda5d908f1 -> v0.0.0-20230905202853-d090da108d2f |
k8s.io/utils |
v0.0.0-20220728103510-ee6ede2d64ed -> v0.0.0-20240423183400-0849a56e8f22 |
kubevirt.io/containerized-data-importer-api |
v1.55.0 -> v1.57.0-alpha1 |
sigs.k8s.io/json |
v0.0.0-20220713155537-f223a00ba0e2 -> v0.0.0-20221116044647-bc3834ca7abd |
sigs.k8s.io/structured-merge-diff/v4 |
v4.2.3 -> v4.4.1 |
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by: Once this PR has been reviewed and has the lgtm label, please assign ksimon1 for approval. For more information see the Kubernetes Code Review Process.
The full list of commands accepted by this bot can be found here.
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by: redhat-renovate-bot Once this PR has been reviewed and has the lgtm label, please assign ksimon1 for approval. For more information see the Kubernetes Code Review Process.
The full list of commands accepted by this bot can be found here.
@redhat-renovate-bot: The following tests failed, say /retest
to rerun all failed tests or /retest-required
to rerun all mandatory failed tests:
Test name | Commit | Details | Required | Rerun command |
---|---|---|---|---|
ci/prow/unit-tests | e32ac5d8a2806fc605e831bb48184af5cea04e91 | link | true | /test unit-tests |
ci/prow/e2e-tests | e32ac5d8a2806fc605e831bb48184af5cea04e91 | link | true | /test e2e-tests |
Full PR test history. Your PR dashboard.
/close this CVE is not fixable
@ksimon1: Closed this PR.
@ksimon1: Closed this PR.
Because you closed this PR without merging, Renovate will ignore this update (v1.2.1
). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps
array of your Renovate config.
If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.
This PR contains the following updates:
v1.0.0-alpha.0
->v1.2.1
KubeVirt NULL pointer dereference flaw
CVE-2024-31420 / GHSA-vjhf-6xfr-5p9g / GO-2024-2688
More information
#### Details A NULL pointer dereference flaw was found in KubeVirt. This flaw allows an attacker who has access to a virtual machine guest on a node with DownwardMetrics enabled to cause a denial of service by issuing a high number of calls to vm-dump-metrics --virtio and then deleting the virtual machine. #### Severity - CVSS Score: 6.5 / 10 (Medium) - Vector String: `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H` #### References - [https://nvd.nist.gov/vuln/detail/CVE-2024-31420](https://nvd.nist.gov/vuln/detail/CVE-2024-31420) - [https://access.redhat.com/security/cve/CVE-2024-31420](https://access.redhat.com/security/cve/CVE-2024-31420) - [https://bugzilla.redhat.com/show_bug.cgi?id=2272951](https://bugzilla.redhat.com/show_bug.cgi?id=2272951) - [https://github.com/kubevirt/kubevirt](https://togithub.com/kubevirt/kubevirt) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-vjhf-6xfr-5p9g) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).kubevirt allows a local attacker to execute arbitrary code via a crafted command
CVE-2024-33394 / GHSA-4q63-mr2m-57hf / GO-2024-2816
More information
#### Details An issue in kubevirt kubevirt v1.2.0 and before allows a local attacker to execute arbitrary code via a crafted command to get the token component. #### Severity - CVSS Score: 5.9 / 10 (Medium) - Vector String: `CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L` #### References - [https://nvd.nist.gov/vuln/detail/CVE-2024-33394](https://nvd.nist.gov/vuln/detail/CVE-2024-33394) - [https://gist.github.com/HouqiyuA/1b75e23ece7ad98490aec1c887bdf49b](https://gist.github.com/HouqiyuA/1b75e23ece7ad98490aec1c887bdf49b) - [https://github.com/kubevirt/kubevirt](https://togithub.com/kubevirt/kubevirt) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-4q63-mr2m-57hf) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).Release Notes
kubevirt/kubevirt (kubevirt.io/kubevirt)
### [`v1.2.1`](https://togithub.com/kubevirt/kubevirt/releases/tag/v1.2.1) [Compare Source](https://togithub.com/kubevirt/kubevirt/compare/v1.2.0...v1.2.1) tag v1.2.1 Tagger: Antonio CardaceConfiguration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.