Bump github.com/docker/docker from 24.0.9+incompatible to 25.0.6+incompatible in /test/e2e #1356
Conversation
![dependabot[bot]](https://avatars.githubusercontent.com/in/29110?s=60&v=4){kind=small}
Bumps [github.com/docker/docker](https://github.com/docker/docker) from 24.0.9+incompatible to 25.0.6+incompatible. - [Release notes](https://github.com/docker/docker/releases) - [Commits](moby/moby@v24.0.9...v25.0.6) --- updated-dependencies: - dependency-name: github.com/docker/docker dependency-type: indirect ... Signed-off-by: dependabot[bot] <[email protected]>
dependabot
bot
added
the
dependencies
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
![datadog-datadog-prod-us1[bot]](https://avatars.githubusercontent.com/u/365230?s=60&v=4){kind=small}
| google.golang.org/grpc v1.63.2 // indirect | ||
| google.golang.org/protobuf v1.34.0 // indirect | ||
| google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094 // indirect | ||
| google.golang.org/grpc v1.64.0 // indirect |
There was a problem hiding this comment.
🟡 Library Vulnerability
google.golang.org/grpc → 1.64.0
Private tokens could appear in logs if context containing gRPC metadata is logged in github.com/grpc/grpc-go (...read more)
Impact
This issue represents a potential PII concern. If applications were printing or logging a context containing gRPC metadata, the affected versions will contain all the metadata, which may include private information.
Patches
The issue first appeared in 1.64.0 and is patched in 1.64.1 and 1.65.0
Workarounds
If using an affected version and upgrading is not possible, ensuring you do not log or print contexts will avoid the problem.
| @@ -192,13 +195,19 @@ | |||
| github.com/xanzy/ssh-agent v0.3.3 // indirect | |||
| github.com/xlab/treeprint v1.2.0 // indirect | |||
| github.com/zclconf/go-cty v1.14.4 // indirect | |||
| go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.35.1 // indirect | |||
There was a problem hiding this comment.
🔴 Library Vulnerability
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp → 0.35.1
OpenTelemetry-Go Contrib vulnerable to denial of service in otelhttp due to unbound cardinality metrics (...read more)
Summary
This handler wrapper https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65
out of the box adds labels
http.user_agenthttp.method
that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent to it.
Details
HTTP header User-Agent or HTTP method for requests can be easily set by an attacker to be random and long. The library internally uses httpconv.ServerRequest that records every value for HTTP method and User-Agent.
PoC
Send many requests with long randomly generated HTTP methods or/and User agents (e.g. a million) and observe how memory consumption increases during it.
Impact
In order to be affected, the program has to configure a metrics pipeline, use otelhttp.NewHandler wrapper, and does not filter any unknown HTTP methods or User agents on the level of CDN, LB, previous middleware, etc.
Others
It is similar to already reported vulnerabilities
- GHSA-5r5m-65gx-7vrh (open-telemetry/opentelemetry-go-contrib)
- GHSA-cg3q-j54f-5p7p (prometheus/client_golang)
Workaround for affected versions
As a workaround to stop being affected otelhttp.WithFilter() can be used, but it requires manual careful configuration to not log certain requests entirely.
For convenience and safe usage of this library, it should by default mark with the label unknown non-standard HTTP methods and User agents to show that such requests were made but do not increase cardinality. In case someone wants to stay with the current behavior, library API should allow to enable it.
The other possibility is to disable HTTP metrics instrumentation by passing otelhttp.WithMeterProvider option with noop.NewMeterProvider.
Solution provided by upgrading
In PR open-telemetry/opentelemetry-go-contrib#4277, released with package version 0.44.0, the values collected for attribute http.request.method were changed to be restricted to a set of well-known values and other high cardinality attributes were removed.
References
| google.golang.org/grpc v1.63.2 // indirect | ||
| google.golang.org/protobuf v1.34.0 // indirect | ||
| google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094 // indirect | ||
| google.golang.org/grpc v1.64.0 // indirect |
There was a problem hiding this comment.
🟡 Library Vulnerability
google.golang.org/grpc → 1.64.0
Private tokens could appear in logs if context containing gRPC metadata is logged in github.com/grpc/grpc-go (...read more)
Impact
This issue represents a potential PII concern. If applications were printing or logging a context containing gRPC metadata, the affected versions will contain all the metadata, which may include private information.
Patches
The issue first appeared in 1.64.0 and is patched in 1.64.1 and 1.65.0
Workarounds
If using an affected version and upgrading is not possible, ensuring you do not log or print contexts will avoid the problem.
| @@ -192,13 +195,19 @@ | |||
| github.com/xanzy/ssh-agent v0.3.3 // indirect | |||
| github.com/xlab/treeprint v1.2.0 // indirect | |||
| github.com/zclconf/go-cty v1.14.4 // indirect | |||
| go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.35.1 // indirect | |||
There was a problem hiding this comment.
🔴 Library Vulnerability
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp → 0.35.1
OpenTelemetry-Go Contrib vulnerable to denial of service in otelhttp due to unbound cardinality metrics (...read more)
Summary
This handler wrapper https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65
out of the box adds labels
http.user_agenthttp.method
that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent to it.
Details
HTTP header User-Agent or HTTP method for requests can be easily set by an attacker to be random and long. The library internally uses httpconv.ServerRequest that records every value for HTTP method and User-Agent.
PoC
Send many requests with long randomly generated HTTP methods or/and User agents (e.g. a million) and observe how memory consumption increases during it.
Impact
In order to be affected, the program has to configure a metrics pipeline, use otelhttp.NewHandler wrapper, and does not filter any unknown HTTP methods or User agents on the level of CDN, LB, previous middleware, etc.
Others
It is similar to already reported vulnerabilities
- GHSA-5r5m-65gx-7vrh (open-telemetry/opentelemetry-go-contrib)
- GHSA-cg3q-j54f-5p7p (prometheus/client_golang)
Workaround for affected versions
As a workaround to stop being affected otelhttp.WithFilter() can be used, but it requires manual careful configuration to not log certain requests entirely.
For convenience and safe usage of this library, it should by default mark with the label unknown non-standard HTTP methods and User agents to show that such requests were made but do not increase cardinality. In case someone wants to stay with the current behavior, library API should allow to enable it.
The other possibility is to disable HTTP metrics instrumentation by passing otelhttp.WithMeterProvider option with noop.NewMeterProvider.
Solution provided by upgrading
In PR open-telemetry/opentelemetry-go-contrib#4277, released with package version 0.44.0, the values collected for attribute http.request.method were changed to be restricted to a set of well-known values and other high cardinality attributes were removed.
References
Bumps github.com/docker/docker from 24.0.9+incompatible to 25.0.6+incompatible.
Release notes
Sourced from github.com/docker/docker's releases.
... (truncated)
Commits
b08a51fMerge pull request #48231 from austinvazquez/backport-vendor-otel-v0.46.1-to-...d151b0fvendor: OTEL v0.46.1 / v1.21.0c6ba9a5Merge pull request #48225 from austinvazquez/backport-workflow-artifact-reten...4673a3cMerge pull request #48227 from austinvazquez/backport-backport-branch-check-t...30f8908github/ci: Check if backport is opened against the expected branch7454d6aci: update workflow artifacts retention65cc597Merge commit from forkb722836Merge pull request #48199 from austinvazquez/update-containerd-binary-to-1.7.20e8ecb9cupdate containerd binary to v1.7.20e6cae1fupdate containerd binary to v1.7.19Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot mergewill merge this PR after your CI passes on it@dependabot squash and mergewill squash and merge this PR after your CI passes on it@dependabot cancel mergewill cancel a previously requested merge and block automerging@dependabot reopenwill reopen this PR if it is closed@dependabot closewill close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.