Update security-critical authentication and protobuf dependencies

This PR updates security-critical dependencies addressing authentication
and data parsing vulnerabilities.

**Authentication Security:**
- github.com/coreos/go-oidc: v2.3.0 -> v2.5.0
  - Security fix: Now verifies token signature BEFORE validating payload
  - Prevents potential processing of tampered tokens before cryptographic
    verification

- github.com/cyphar/filepath-securejoin: v0.6.0 -> v0.6.1
  - Security fix: Fixed seccomp fallback logic - library now properly falls
    back to safer O_PATH resolver when openat2(2) is denied by seccomp-bpf
  - Fixed file descriptor leak in openat2 wrapper during RESOLVE_IN_ROOT

- cyphar.com/go-pathrs: v0.2.1 -> v0.2.2
  - Companion update to filepath-securejoin

**Protobuf Security:**
- google.golang.org/protobuf: v1.36.8 -> v1.36.11
  - Security fix: Added recursion limit check in lazy decoding validation
  - Prevents potential stack exhaustion attacks via maliciously crafted
    protobuf messages
  - Also adds support for URL chars in type URLs in text-format

These updates are critical for:
- OIDC authentication in kube-apiserver
- Container filesystem path resolution (used by container runtimes)
- Protobuf message parsing throughout the codebase

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Signed-off-by: Davanum Srinivas <davanum@gmail.com>

Kubernetes-commit: c825d80bbf2c82666192c329478a686fa3a1d5dc
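The go-oidc item above (verify the signature before looking at the payload) is an ordering rule rather than a library detail, so here is an added example of the two orderings side by side. It is illustrative code written for this page, not go-oidc's implementation or anything in the Kubernetes tree: it assumes an HS256 shared key instead of the RS256/ES256 keys an OIDC issuer publishes, and the names MintToken, Tamper, VerifyThenParse and ParseThenVerify, the claim set and the key bytes are all invented for the demonstration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Claims is the subset of the JWT payload this example inspects.
type Claims struct {
	Issuer  string `json:"iss"`
	Subject string `json:"sub"`
}

var (
	ErrMalformed    = errors.New("token is not three base64url segments")
	ErrBadSignature = errors.New("token signature does not verify")
)

// hmacSHA256 signs the JWS signing input (header.payload) with a shared key.
// HS256 keeps the example self-contained; the ordering lesson is identical
// for the asymmetric keys a real OIDC provider uses (assumption, not go-oidc).
func hmacSHA256(signingInput string, key []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return mac.Sum(nil)
}

// MintToken builds a compact JWS for the given claims (constructed test data).
func MintToken(c Claims, key []byte) string {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	payload, _ := json.Marshal(c) // Claims has only string fields; Marshal cannot fail
	signingInput := header + "." + base64.RawURLEncoding.EncodeToString(payload)
	sig := base64.RawURLEncoding.EncodeToString(hmacSHA256(signingInput, key))
	return signingInput + "." + sig
}

// splitToken separates the three segments and decodes payload and signature.
func splitToken(token string) (signingInput string, payload, sig []byte, err error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", nil, nil, ErrMalformed
	}
	if payload, err = base64.RawURLEncoding.DecodeString(parts[1]); err != nil {
		return "", nil, nil, ErrMalformed
	}
	if sig, err = base64.RawURLEncoding.DecodeString(parts[2]); err != nil {
		return "", nil, nil, ErrMalformed
	}
	return parts[0] + "." + parts[1], payload, sig, nil
}

// VerifyThenParse is the safe order: the MAC over header.payload is checked
// first, so the JSON parser only ever sees bytes that authenticated.
func VerifyThenParse(token string, key []byte) (*Claims, error) {
	signingInput, payload, sig, err := splitToken(token)
	if err != nil {
		return nil, err
	}
	if !hmac.Equal(sig, hmacSHA256(signingInput, key)) {
		return nil, ErrBadSignature // untrusted payload never reaches the parser
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, fmt.Errorf("claims: %w", err)
	}
	return &c, nil
}

// ParseThenVerify is the unsafe order: attacker-controlled JSON is decoded
// (and here returned) before anyone has checked that it came from the issuer.
// The token is still rejected, but the untrusted claims were materialized
// and any code between the two steps has already acted on them.
func ParseThenVerify(token string, key []byte) (*Claims, error) {
	signingInput, payload, sig, err := splitToken(token)
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, fmt.Errorf("claims: %w", err)
	}
	if !hmac.Equal(sig, hmacSHA256(signingInput, key)) {
		return &c, ErrBadSignature
	}
	return &c, nil
}

// Tamper swaps the payload segment of a signed token for new claims while
// keeping the original signature, which is exactly what an attacker submits.
func Tamper(token string, c Claims) string {
	parts := strings.Split(token, ".")
	payload, _ := json.Marshal(c)
	parts[1] = base64.RawURLEncoding.EncodeToString(payload)
	return strings.Join(parts, ".")
}

func main() {
	key := []byte("example-shared-secret") // constructed key, not a real credential
	good := MintToken(Claims{Issuer: "https://issuer.example", Subject: "alice"}, key)
	bad := Tamper(good, Claims{Issuer: "https://issuer.example", Subject: "system:masters"})

	c, err := VerifyThenParse(bad, key)
	fmt.Printf("verify-then-parse: claims=%v err=%v\n", c, err)
	c, err = ParseThenVerify(bad, key)
	fmt.Printf("parse-then-verify: claims=%+v err=%v\n", c, err)
}
```

Both functions reject the tampered token, so a test that only checks the final verdict cannot tell them apart; the difference is that ParseThenVerify hands back a Claims struct carrying the attacker's subject, which is the state the go-oidc change removes from its code path.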
Author: Davanum Srinivas, 2026-01-11 16:50:37 -05:00
Committed by: Kubernetes Publisher
parent 81ae50c183
commit 1aa4a38e16
2 changed files with 27 additions and 15 deletions; the file shown below accounts for +12 -5
@@ -8,10 +8,10 @@ godebug default=go1.25
require (
golang.org/x/time v0.14.0
k8s.io/api v0.0.0-20260113012918-43c1617fc468
k8s.io/apimachinery v0.0.0-20260113012329-b2e788fc9b3f
k8s.io/client-go v0.0.0-20260113013655-934ba1dfa59d
k8s.io/code-generator v0.0.0-20260113015126-4d14530c2a73
k8s.io/api v0.0.0
k8s.io/apimachinery v0.0.0
k8s.io/client-go v0.0.0
k8s.io/code-generator v0.0.0
k8s.io/klog/v2 v2.130.1
k8s.io/utils v0.0.0-20251219084037-98d557b7f1e7
)
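Review bot: None of go-oidc, filepath-securejoin or go-pathrs appears in this go.mod, before or after the change, so the commit message overstates what this file does; the only third-party bump visible here is the protobuf line in the next hunk. If those modules are updated elsewhere in the same publish cycle the message should say so, otherwise it should be trimmed to the protobuf change. Separately, this hunk drops the dated pseudo-versions on the four k8s.io/* requirements for v0.0.0, which resolve only through the replace block added at the end of the file; that is the staging-tree form, so the two hunks have to land together.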
@@ -45,7 +45,7 @@ require (
golang.org/x/term v0.39.0 // indirect
golang.org/x/text v0.33.0 // indirect
golang.org/x/tools v0.40.0 // indirect
google.golang.org/protobuf v1.36.8 // indirect
google.golang.org/protobuf v1.36.11 // indirect
gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect
gopkg.in/inf.v0 v0.9.1 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
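Review bot: google.golang.org/protobuf is `// indirect`, so this module does not import it and the v1.36.11 requirement only raises the floor for this module's own build list; the k8s.io/* modules reached through the replace directives carry their own protobuf requirement, and if any of them still pins v1.36.8 the staged tree is inconsistent until those are bumped too. Please confirm the sibling go.mod files were updated in the same cycle and that the matching h1: entries for v1.36.11 landed in go.sum (the second changed file, not shown in this view), otherwise `go mod verify` and a clean `go build` fail.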
@@ -56,3 +56,10 @@ require (
sigs.k8s.io/structured-merge-diff/v6 v6.3.1 // indirect
sigs.k8s.io/yaml v1.6.0 // indirect
)
replace (
k8s.io/api => ../api
k8s.io/apimachinery => ../apimachinery
k8s.io/client-go => ../client-go
k8s.io/code-generator => ../code-generator
)
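Review bot: replace directives are honored only in the main module, so anyone importing this module from a published tag never sees ../api and friends, and the v0.0.0 requirements from the first hunk are unresolvable outside the staging tree. That is expected for kubernetes/kubernetes/staging, but this commit is attributed to the publisher bot and moves the file from publishable pseudo-versions to local paths, which is the reverse of what publishing normally produces; please confirm this is the intended direction and that the publish step rewrites these lines back before tagging. The hunk header also counts 7 added lines while 6 are visible, presumably a blank separator before `replace (`, which is fine but worth a glance.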