fix(deps): update module github.com/cilium/cilium to v1.14.12 [security] - autoclosed #1782
This PR contains the following updates:
v1.14.9 -> v1.14.12
GitHub Vulnerability Alerts
CVE-2024-37307
Impact
The output of cilium-bugtool can contain sensitive data when the tool is run (with the --envoy-dump flag set) against Cilium deployments with the Envoy proxy enabled.
Users of the following features are affected:
The sensitive data includes:
cilium-bugtool is a debugging tool that is typically invoked manually and does not run during the normal operation of a Cilium cluster.
Patches
This issue affects:
This issue has been patched in:
Workarounds
There is no workaround to this issue.
Acknowledgements
The Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to @sayboras for their work on triaging and remediating this issue.
For more information
If you have any questions or comments about this advisory, please reach out on Slack.
If you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at [email protected]. This is a private mailing list for the Cilium security team, and your report will be treated as top priority.
Release Notes
cilium/cilium (github.com/cilium/cilium)
v1.14.12: 1.14.12
We are pleased to release Cilium v1.14.12 that improves background resynchronization of nodes, improves the CLI to troubleshoot connectivity issues, lowers CPU consumption with IPsec for large clusters, and brings a number of additional fixes. Thanks to all contributors, reviewers, testers, and users! ❤️
Summary of Changes
Minor Changes:
Bugfixes:
hubble.ui.securityContext.enabled from hubble-ui deployment template (Backport PR #32888, Upstream PR #32338, @stelucz)
CI Changes:
workflow_dispatch event. (Backport PR #32503, Upstream PR #31424, @learnitall)
Misc Changes:
16438a8 (v1.14) (#32636, @renovate[bot])
19478ce (v1.14) (#32924, @renovate[bot])
a6d2b38 (v1.14) (#32369, @renovate[bot])
Other Changes:
v1.14.12
Docker Manifests
v1.14.11: 1.14.11
We are pleased to release Cilium v1.14.11.
This release reduces pressure on the BPF connection tracking and NAT maps and brings fixes for failing service connections, HostFirewall policy updates and many more.
Security Advisories
This release addresses the following security vulnerabilities:
Summary of Changes
Minor Changes:
Bugfixes:
agent-not-ready taint too early if the primary network is slow in deploying. (Backport PR #32251, Upstream PR #32168, @squeed)
CI Changes:
Misc Changes:
81811f8 (v1.14) (#31995, @renovate[bot])
Other Changes:
v1.14.10: 1.14.10
We are pleased to announce the release of Cilium v1.14.10.
This release includes hubble metrics when using cilium sysdump, and a fix to an issue with overlapping keys that may have affected the ability to recover from a full Service map. Bugfixes include improved behavior for overlapping and restored DNS policies, a fix to a race condition in Service updates for L7 LB, and a fix to the retry logic in the cilium health controllers.
Security Advisories
This release addresses a security vulnerability. For more information, see GHSA-j654-3ccm-vfmm
Summary of Changes
Minor Changes:
Bugfixes:
cilium-health-ep controller (Backport PR #31724, Upstream PR #31622, @gandro)
Potentially it could have impacted connectivity in large clusters (>4k nodes) with IPSec or Mutual Auth enabled. Otherwise, it was merely generating unnecessary error log messages. (Backport PR #31656, Upstream PR #31380, @marseel)
CI Changes:
Misc Changes:
f41b84c (v1.14) (#31748, @renovate[bot])
No node ID found drops in case of remote node deletion (Backport PR #31724, Upstream PR #31635, @pchaigno)
Other Changes:
Docker Manifests
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.