github-actions[bot]
commented
6 days ago :mag: Vulnerabilities of ghcr.io/uniget-org/tools/hugo:0.128.2
:package: Image Reference ghcr.io/uniget-org/tools/hugo:0.128.2
| digest | sha256:a1c99fa70b7516d97854bcb7582e14b21d0ab1a8f526eee9b70e5901de2b0456 |
| vulnerabilities |      |
| platform | linux/amd64 |
| size | 22 MB |
| packages | 145 |
pkg:golang/stdlib@1.22.2
DescriptionThe various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms. 
DescriptionThe archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors. 
DescriptionThe net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail. An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail. 
DescriptionA malformed DNS message in response to a query can cause the Lookup functions to get stuck in an infinite loop. | ||||||||||||||||
pkg:golang/github.com/aws/aws-sdk-go@1.50.7
DescriptionThe Go AWS S3 Crypto SDK contains vulnerabilities that can permit an attacker with write access to a bucket to decrypt files in that bucket. Files encrypted by the V1 EncryptionClient using either the AES-CBC content cipher or the KMS key wrap algorithm are vulnerable. Users should migrate to the V1 EncryptionClientV2 API, which will not create vulnerable files. Old files will remain vulnerable until re-encrypted with the new client. 
DescriptionThe Go AWS S3 Crypto SDK contains vulnerabilities that can permit an attacker with write access to a bucket to decrypt files in that bucket. Files encrypted by the V1 EncryptionClient using either the AES-CBC content cipher or the KMS key wrap algorithm are vulnerable. Users should migrate to the V1 EncryptionClientV2 API, which will not create vulnerable files. Old files will remain vulnerable until re-encrypted with the new client. | ||||||||||||||||
pkg:golang/github.com/azure/azure-sdk-for-go/sdk/azidentity@1.4.0 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
DescriptionAzure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability. | ||||||||||||||||
pkg:golang/golang.org/x/image@0.16.0 Uncaught Exception
DescriptionParsing a corrupt or malicious image with invalid color indices can cause a panic. |
stdlib 
github.com/aws/aws-sdk-go
This PR contains the following updates:
0.128.1->0.128.2Release Notes
gohugoio/hugo (gohugoio/hugo)
### [`v0.128.2`](https://togithub.com/gohugoio/hugo/releases/tag/v0.128.2) [Compare Source](https://togithub.com/gohugoio/hugo/compare/v0.128.1...v0.128.2) #### What's Changed - Fix site.GetPage, never do short lookups for paths with leadig slash [`8cf96f2`](https://togithub.com/gohugoio/hugo/commit/8cf96f244) [@bep](https://togithub.com/bep) [#12638](https://togithub.com/gohugoio/hugo/issues/12638)Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
â™» Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.