KubeArmor
KubeArmor copied to clipboard
kubearmor
fix(deps): update module github.com/cilium/cilium to v1.14.14 [security]
This PR contains the following updates:
| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| github.com/cilium/cilium | v1.14.12 -> v1.14.14 |
GitHub Vulnerability Alerts
CVE-2024-42488
Impact
A race condition in the Cilium agent can cause the agent to ignore labels that should be applied to a node. This could in turn cause CiliumClusterwideNetworkPolicies intended for nodes with the ignored label to not apply, leading to policy bypass.
Patches
This issue was fixed in https://github.com/cilium/cilium/pull/33511.
This issue affects:
- All versions of Cilium before v1.14.14
- Cilium v1.15 between v1.15.0 and v1.15.7 inclusive
This issue has been patched in:
- Cilium v1.14.14
- Cilium v1.15.8
Workarounds
As the underlying issue depends on a race condition, users unable to upgrade can restart the Cilium agent on affected nodes until the affected policies are confirmed to be working as expected.
Acknowledgements
The Cilium community has worked together with members of Google and Isovalent to prepare these mitigations. Special thanks to @skmatti for raising and resolving this issue.
For more information
If you have any questions or comments about this advisory, please reach out on Slack.
If you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at [email protected]. This is a private mailing list for the Cilium security team, and your report will be treated as top priority.
Release Notes
cilium/cilium (github.com/cilium/cilium)
v1.14.14: 1.14.14
Security Advisories
This release addresses https://github.com/cilium/cilium/security/advisories/GHSA-q7w8-72mr-vpgw.
Summary of Changes
Bugfixes:
- DNS Proxy: Allow SO_LINGER to be set to the socket to upstream (Backport PR #33815, Upstream PR #33592, @gandro)
- Fix bug causing etcd upsertion/deletion events to be potentially missed during the initial synchronization, when Cilium operates in KVStore mode, or Cluster Mesh is enabled. (Backport PR #34184, Upstream PR #34091, @giorio94)
- Fix rare race condition afflicting clustermesh while stopping the retrieval of the remote cluster configuration, possibly causing a deadlock (Backport PR #33815, Upstream PR #33735, @giorio94)
- pkg/metrics: fix data race warning on metrics init hook. (Backport PR #33963, Upstream PR #33823, @tommyp1ckles)
- Report the correct drop reason when a packet is dropped by the bpf_lxc program. (Backport PR #31735, Upstream PR #33551, @julianwiedmann)
- The cilium agent will now recover from stale nodeID mappings which could occur in clusters with high node churn, possibly manifesting itself in dropped IPsec traffic. (Backport PR #34150, Upstream PR #33666, @bimmlerd)
CI Changes:
- [v1.14] ci/ipsec: add missing config for patch-upgrade test with 6.6 kernel (#33737, @julianwiedmann)
- gha: Add http client timeout in Ingress (Backport PR #33815, Upstream PR #33683, @sayboras)
- gha: add spot input to setup-eks-cluster action (#33848, @giorio94)
- gha: don't fail if all cloud provider matrix entries are filtered out (Backport PR #33963, Upstream PR #33819, @giorio94)
- gha: ensure that helm values.schema.json is not accidentally backported (Backport PR #33963, Upstream PR #33845, @giorio94)
- gha: lint absence of trailing spaces in workflow files (Backport PR #34150, Upstream PR #33908, @giorio94)
- gha: simplify the call-backport-label-updater workflow (Backport PR #33963, Upstream PR #33934, @giorio94)
- test: use cgr.dev/chainguard/busybox:latest instead of docker.io image. (Backport PR #34150, Upstream PR #34004, @tommyp1ckles)
- workflow: Use per-tunnel keys for the IPsec upgrade test (Backport PR #34150, Upstream PR #33769, @pchaigno)
Misc Changes:
- [v1.14] Update Docker dependency (#34189, @ferozsalam)
- chore(deps): update all github action dependencies (v1.14) (#34054, @cilium-renovate[bot])
- chore(deps): update all github action dependencies (v1.14) (#34171, @cilium-renovate[bot])
- chore(deps): update all-dependencies (v1.14) (#33651, @cilium-renovate[bot])
- chore(deps): update all-dependencies (v1.14) (#34052, @cilium-renovate[bot])
- chore(deps): update cilium/little-vm-helper action to v0.0.19 (v1.14) (#33800, @cilium-renovate[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.16.13 (v1.14) (#33801, @cilium-renovate[bot])
- chore(deps): update dependency cilium/hubble to v1 (v1.14) (#34055, @cilium-renovate[bot])
- chore(deps): update go to v1.22.6 (v1.14) (#34264, @cilium-renovate[bot])
- daemon/ipam: don't swallow parse error of CIDR (Backport PR #33815, Upstream PR #33283, @bimmlerd)
- doc: update slack channel reference (Backport PR #34150, Upstream PR #34044, @Huweicai)
- docs,LRP: Add steps to restart agent and operator pods and update feature roadmap status (Backport PR #33815, Upstream PR #33655, @aditighag)
- docs: Extend LRP guide with troubleshooting section (Backport PR #33815, Upstream PR #33373, @aditighag)
- docs: remove mention of outdated clustermesh + L7 policies + tunnel limitation (Backport PR #33815, Upstream PR #33626, @giorio94)
- docs: Update LVH VM image pull instructions (Backport PR #33815, Upstream PR #33621, @brb)
- Documentation: Add --set cni.exclusive=false for Azure Chain Mode (Backport PR #33815, Upstream PR #33708, @Mais316)
- helm: Allow socket linger timeout to be set to zero (Backport PR #33963, Upstream PR #33887, @gandro)
- renovate: onboard etcd image used in integration tests (Backport PR #33815, Upstream PR #33679, @giorio94)
Other Changes:
- [v1.14] ci: use base and head SHAs from context in lint-build-commits workflow (#34268, @tklauser)
- [v1.14] Revert "docs: Update LRP feature status" (#34239, @ysksuzuki)
- chore(deps): update go to v1.22.5 (#34073, @YutaroHayakawa)
- Fix IPSec XfrmInStateProtoError errors on agent restart in cluster pool IPAM mode (#34030, @dylandreimerink)
- install: Update image digests for v1.14.13 (#33746, @cilium-release-bot[bot])
Docker Manifests
cilium
docker.io/cilium/cilium:v1.14.14@​sha256:43d664501afbf35496e494dae0c5a7f8680a51ed9084997bea9c64bf4451a637
quay.io/cilium/cilium:v1.14.14@​sha256:43d664501afbf35496e494dae0c5a7f8680a51ed9084997bea9c64bf4451a637
clustermesh-apiserver
docker.io/cilium/clustermesh-apiserver:v1.14.14@​sha256:43171d3f988ffa7b5ef58b7f329bab77a5382c620b56ed9a64909e4358174135
quay.io/cilium/clustermesh-apiserver:v1.14.14@​sha256:43171d3f988ffa7b5ef58b7f329bab77a5382c620b56ed9a64909e4358174135
docker-plugin
docker.io/cilium/docker-plugin:v1.14.14@​sha256:8f4722b3fc3b64438065eeb8d4a003f8166032bf2bc1bad0480495cd7f9feef2
quay.io/cilium/docker-plugin:v1.14.14@​sha256:8f4722b3fc3b64438065eeb8d4a003f8166032bf2bc1bad0480495cd7f9feef2
hubble-relay
docker.io/cilium/hubble-relay:v1.14.14@​sha256:6fdad9d7ce64efbb966745005a2060223d9677cc4407177171b865691ab00aac
quay.io/cilium/hubble-relay:v1.14.14@​sha256:6fdad9d7ce64efbb966745005a2060223d9677cc4407177171b865691ab00aac
kvstoremesh
docker.io/cilium/kvstoremesh:v1.14.14@​sha256:ac7b4ddc38abfa0a27a503c7453dc8a8d4b3b1b1e785b02fda3ccbe613987c41
quay.io/cilium/kvstoremesh:v1.14.14@​sha256:ac7b4ddc38abfa0a27a503c7453dc8a8d4b3b1b1e785b02fda3ccbe613987c41
operator-alibabacloud
docker.io/cilium/operator-alibabacloud:v1.14.14@​sha256:2a88642e1c76548a0c4d8e8fe2facaed5f6955040bdd4729a6d1090eafde5e49
quay.io/cilium/operator-alibabacloud:v1.14.14@​sha256:2a88642e1c76548a0c4d8e8fe2facaed5f6955040bdd4729a6d1090eafde5e49
operator-aws
docker.io/cilium/operator-aws:v1.14.14@​sha256:adb1ea6a98b2715c5bed74ba4ab9fab89f6862aff462a5a05acd0d8c39d3af80
quay.io/cilium/operator-aws:v1.14.14@​sha256:adb1ea6a98b2715c5bed74ba4ab9fab89f6862aff462a5a05acd0d8c39d3af80
operator-azure
docker.io/cilium/operator-azure:v1.14.14@​sha256:4a88010d124b70ca1b1df90e0ca40bd79a99e344f72bfc821b9ef490421d0f51
quay.io/cilium/operator-azure:v1.14.14@​sha256:4a88010d124b70ca1b1df90e0ca40bd79a99e344f72bfc821b9ef490421d0f51
operator-generic
docker.io/cilium/operator-generic:v1.14.14@​sha256:0f2c8178bd20189fc9aeaa71224e6becdf71b42642209610b57390f7b798aae2
quay.io/cilium/operator-generic:v1.14.14@​sha256:0f2c8178bd20189fc9aeaa71224e6becdf71b42642209610b57390f7b798aae2
operator
docker.io/cilium/operator:v1.14.14@​sha256:8d1445bb129ccc56e6f2410369e0c9bacbb3ae9b7fde522c76734f01005e9ded
quay.io/cilium/operator:v1.14.14@​sha256:8d1445bb129ccc56e6f2410369e0c9bacbb3ae9b7fde522c76734f01005e9ded
v1.14.13: 1.14.13
Summary of Changes
We are pleased to release Cilium v1.14.13, which includes and updated Hubble UI, as well as stability and bug fixes. Thanks to all contributors, reviewers, testers, and users!
Minor Changes:
Bugfixes:
- envoy: Avoid short circuit backend filtering (Backport PR #33534, Upstream PR #33403, @sayboras)
- Fix service connection to terminating backend, when the service has no more backends available. (Backport PR #32093, Upstream PR #31840, @julianwiedmann)
- Fix too many open Unix sockets (Backport PR #33632, Upstream PR #33569, @chaunceyjiang)
- Generate SBOM from the correct release image (#33051, @ferozsalam)
- helm: Decouple sysctlfix from cgroup.autoMount (Backport PR #33099, Upstream PR #32866, @YutaroHayakawa)
- ipsec: do not nil out EncryptInterface when using IPAM ENI on netlink… (Backport PR #33632, Upstream PR #33512, @jasonaliyetti)
- IPv6 and IPv4 '0.0.0.0/0' CIDR parsing in policy processing has been fixed (Backport PR #33530, Upstream PR #33448, @jrajahalme)
- Report the correct drop reason when a packet is dropped by the bpf_lxc program. (Backport PR #33632, Upstream PR #33551, @julianwiedmann)
- Revert PR #32244 which caused unintended side-effects that negatively impacted network performance. (Backport PR #33377, Upstream PR #33304, @learnitall)
- socketlb: tolerate cgroupv1 when detaching bpf programs (Backport PR #33632, Upstream PR #33599, @rgo3)
- Update IPsec to handle larger PSK values when using per-tunnel PSK (Backport PR #33632, Upstream PR #33472, @jasonaliyetti)
CI Changes:
- [v1.14] Disable release SBOM asset uploads (#33073, @ferozsalam)
- Bump CLI to v0.16.11 (Backport PR #33530, Upstream PR #33444, @brb)
- ci: Add IPsec leak detection for ci-ipsec-e2e (Backport PR #33048, Upstream PR #32930, @jschwinger233)
- ci: use env variable to store branch name (Backport PR #33377, Upstream PR #26779, @ferozsalam)
- gh: ipsec: clarify check for leaked proxy traffic during key rotation (Backport PR #33632, Upstream PR #33509, @julianwiedmann)
- gha: Only retrieve IPv4 CIDR from docker network (Backport PR #33111, Upstream PR #33093, @sayboras)
Misc Changes:
- .github: add workflow for renovate to build base images (Backport PR #33347, Upstream PR #33326, @aanm)
- .github: fix cloud workflows for renovate (Backport PR #33322, Upstream PR #33320, @aanm)
- .github: fix worfklows used by renovate (Backport PR #33316, Upstream PR #33309, @aanm)
- .github: fix workflows for on push (#33369, @aanm)
- [v1.14] - remove tracking of backports with MLH (#33125, @aanm)
- Add auto-merge for renovate for trusted dependencies (Backport PR #33316, Upstream PR #33287, @aanm)
- build(deps): bump urllib3 from 2.0.7 to 2.2.2 in /Documentation (Backport PR #33377, Upstream PR #33218, @dependabot[bot])
- build-images-base: cancel github runs based on branch name (Backport PR #33377, Upstream PR #33353, @aanm)
- build-images-base: push to branch if pull request ref doesn't exist (Backport PR #33377, Upstream PR #33368, @aanm)
- build-images: fetch artifacts with specific pattern (Backport PR #33377, Upstream PR #33216, @aanm)
- chore(deps): update all github action dependencies (v1.14) (#33188, @cilium-renovate[bot])
- chore(deps): update all github action dependencies (v1.14) (#33363, @cilium-renovate[bot])
- chore(deps): update all github action dependencies (v1.14) (#33496, @cilium-renovate[bot])
- chore(deps): update all github action dependencies (v1.14) (#33636, @cilium-renovate[bot])
- chore(deps): update cilium/cilium-cli action to v0.16.11 (v1.14) (#33652, @cilium-renovate[bot])
- chore(deps): update cilium/scale-tests-action digest to
511e3d9(v1.14) (#33215, @cilium-renovate[bot]) - chore(deps): update dependency cilium/cilium-cli to v0.16.10 (v1.14) (#32992, @cilium-renovate[bot])
- chore(deps): update docker.io/library/alpine docker tag to v3.18.7 (v1.14) (#33355, @cilium-renovate[bot])
- chore(deps): update docker.io/library/golang:1.21.11 docker digest to
2eb85b8(v1.14) (#33178, @cilium-renovate[bot]) - chore(deps): update docker.io/library/golang:1.21.11 docker digest to
b405b62(v1.14) (#33339, @cilium-renovate[bot]) - chore(deps): update docker/build-push-action action to v5.4.0 (v1.14) (#33019, @cilium-renovate[bot])
- chore(deps): update docker/build-push-action action to v6 (v1.14) (#33206, @cilium-renovate[bot])
- chore(deps): update go to v1.21.12 (v1.14) (#33540, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/certgen docker tag to v0.1.13 (v1.14) (#33179, @cilium-renovate[bot])
- chore(deps): update stable lvh-images (v1.14) (patch) (#33007, @cilium-renovate[bot])
- chore(deps): update stable lvh-images (v1.14) (patch) (#33182, @cilium-renovate[bot])
- chore(deps): update stable lvh-images (v1.14) (patch) (#33362, @cilium-renovate[bot])
- chore(deps): update stable lvh-images (v1.14) (patch) (#33635, @cilium-renovate[bot])
- daemon: Allow DNS transparent mode to be turned off with encryption (Backport PR #33530, Upstream PR #33420, @gandro)
- docs: Improve note on kube-apiserver entity limitations (Backport PR #33530, Upstream PR #33382, @gandro)
- docs: ipsec: mention dependency on transparent mode for DNS proxy (Backport PR #33099, Upstream PR #33062, @julianwiedmann)
- Documentation: accept ORG and REPO (Backport PR #33530, Upstream PR #33514, @aanm)
- examples: Fix subject selector in ingress policy (Backport PR #33377, Upstream PR #33292, @joestringer)
- Fix renovate's concurrency group (Backport PR #33561, Upstream PR #33528, @aanm)
- install/kubernetes: update nodeinit image to latest version (Backport PR #33530, Upstream PR #33427, @marseel)
- ipcache: Fix orphaned ipcache entries when mixing Upsert and Inject (Backport PR #33270, Upstream PR #33120, @squeed)
- LRP: Misc fix-ups (Backport PR #33530, Upstream PR #33442, @aditighag)
- Makefile.values: re-add etcd back (#33579, @aanm)
- Miscellaneous improvements to clustermesh-related troubleshooting tools (Backport PR #33377, Upstream PR #32951, @giorio94)
- Renovate changes (Backport PR #33561, Upstream PR #33519, @aanm)
- renovate: add auto-approve bot for renovate PRs (Backport PR #33643, Upstream PR #33604, @aanm)
Other Changes:
- envoy: Bump golang version to v1.22.5 (#33556, @sayboras)
- envoy: Update envoy 1.28.x to v1.28.5 (#33482, @sayboras)
- github: fix concurrency groups for push events (#33645, @aanm)
- install: Update image digests for v1.14.12 (#33016, @qmonnet)
Docker Manifests
cilium
docker.io/cilium/cilium:v1.14.13@​sha256:9cbbbaf0697756cb8ca2e2f67b8d3421918869e60e206b9309fb0689c101432f
quay.io/cilium/cilium:v1.14.13@​sha256:9cbbbaf0697756cb8ca2e2f67b8d3421918869e60e206b9309fb0689c101432f
clustermesh-apiserver
docker.io/cilium/clustermesh-apiserver:v1.14.13@​sha256:99ce2f49fe0ba5985a4746514adb51914572cf27be659f4735e5264df48759d1
quay.io/cilium/clustermesh-apiserver:v1.14.13@​sha256:99ce2f49fe0ba5985a4746514adb51914572cf27be659f4735e5264df48759d1
docker-plugin
docker.io/cilium/docker-plugin:v1.14.13@​sha256:e9b6885a0bcc1349047ca301fc82abcb6e6f9fdf06a72ea3603913e9c1c51e45
quay.io/cilium/docker-plugin:v1.14.13@​sha256:e9b6885a0bcc1349047ca301fc82abcb6e6f9fdf06a72ea3603913e9c1c51e45
hubble-relay
docker.io/cilium/hubble-relay:v1.14.13@​sha256:bdd411ed6f38904ffde4648d135ce8b38452932226b8325fd20cdc4dbb52c4b6
quay.io/cilium/hubble-relay:v1.14.13@​sha256:bdd411ed6f38904ffde4648d135ce8b38452932226b8325fd20cdc4dbb52c4b6
kvstoremesh
docker.io/cilium/kvstoremesh:v1.14.13@​sha256:b90bb713d05f9e0a26fc183520aa8916db0ed3eceaa876fba99df91d5b2a46e4
quay.io/cilium/kvstoremesh:v1.14.13@​sha256:b90bb713d05f9e0a26fc183520aa8916db0ed3eceaa876fba99df91d5b2a46e4
operator-alibabacloud
docker.io/cilium/operator-alibabacloud:v1.14.13@​sha256:84e5f93ecf618816202783874d5e58a272314f8d09d4b2ced36a48b5558d02f2
quay.io/cilium/operator-alibabacloud:v1.14.13@​sha256:84e5f93ecf618816202783874d5e58a272314f8d09d4b2ced36a48b5558d02f2
operator-aws
docker.io/cilium/operator-aws:v1.14.13@​sha256:f528f6856451784aae666a96d7b23e6b56f3d4b00b17e3639adfa1331d706601
quay.io/cilium/operator-aws:v1.14.13@​sha256:f528f6856451784aae666a96d7b23e6b56f3d4b00b17e3639adfa1331d706601
operator-azure
docker.io/cilium/operator-azure:v1.14.13@​sha256:b028c96d49eea3f4bacccd1b2fcd418f4490315467fb6cc74654c6d685f749d3
quay.io/cilium/operator-azure:v1.14.13@​sha256:b028c96d49eea3f4bacccd1b2fcd418f4490315467fb6cc74654c6d685f749d3
operator-generic
docker.io/cilium/operator-generic:v1.14.13@​sha256:04730b89598c886524356226e11cffb69f39ade35b0379ace10fe74e386b067d
quay.io/cilium/operator-generic:v1.14.13@​sha256:04730b89598c886524356226e11cffb69f39ade35b0379ace10fe74e386b067d
operator
docker.io/cilium/operator:v1.14.13@​sha256:9af18cf0c1bcc2bcba6d77d86b1853c36d4f7591dfb86027bbbccbab08d3cf02
quay.io/cilium/operator:v1.14.13@​sha256:9af18cf0c1bcc2bcba6d77d86b1853c36d4f7591dfb86027bbbccbab08d3cf02
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
- [ ] If you want to rebase/retry this PR, check this box
This PR was generated by Mend Renovate. View the repository job log.
![renovate[bot] avatar](https://avatars.githubusercontent.com/in/2740?v=4 "Published by a pub.dev verified publisher"){kind=small}
⚠️ Artifact update problem
Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.
♻ Renovate will retry this branch, including artifacts, only when one of the following happens:
- any of the package files in this branch needs updating, or
- the branch becomes conflicted, or
- you click the rebase/retry checkbox if found above, or
- you rename this PR's title to start with "rebase!" to trigger it manually
The artifact failure details are included below:
File name: KubeArmor/go.sum
Command failed: install-tool golang 1.22.11