fix(deps): update module github.com/cilium/cilium to v1.14.16 [security] #1844
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
v1.14.12
->v1.14.16
GitHub Vulnerability Alerts
CVE-2024-42488
Impact
A race condition in the Cilium agent can cause the agent to ignore labels that should be applied to a node. This could in turn cause CiliumClusterwideNetworkPolicies intended for nodes with the ignored label to not apply, leading to policy bypass.
Patches
This issue was fixed in https://github.com/cilium/cilium/pull/33511.
This issue affects:
This issue has been patched in:
Workarounds
As the underlying issue depends on a race condition, users unable to upgrade can restart the Cilium agent on affected nodes until the affected policies are confirmed to be working as expected.
Acknowledgements
The Cilium community has worked together with members of Google and Isovalent to prepare these mitigations. Special thanks to @skmatti for raising and resolving this issue.
For more information
If you have any questions or comments about this advisory, please reach out on Slack.
If you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at security@cilium.io. This is a private mailing list for the Cilium security team, and your report will be treated as top priority.
CVE-2024-47825
Impact
A policy rule denying a prefix that is broader than /32 may be ignored if there is
CIDRSet
ortoFQDN
) andenableDefaultDeny: false
or- toEntities: all
Note that a rule specifying
toEntities: world
ortoEntities: 0.0.0.0/0
is insufficient, it must be to entityall
.As an example, given the below policies, traffic is allowed to 1.1.1.2, when it should be denied:
Patches
This issue affects:
This issue has been patched in:
Workarounds
Users with policies using
enableDefaultDeny: false
can work around this issue by removing this configuration option and explicitly defining any allow rules required.No workaround is available to users with egress policies that explicitly specify
toEntities: all
.Acknowledgements
The Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to @squeed, @christarazi, and @jrajahalme for their work in triaging and resolving this issue.
For more information
If you have any questions or comments about this advisory, please reach out on Slack.
If you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at security@cilium.io. This is a private mailing list for the Cilium security team, and your report will be treated with top priority.
Release Notes
cilium/cilium (github.com/cilium/cilium)
v1.14.16
: 1.14.16Compare Source
Summary of Changes
Bugfixes:
CI Changes:
Misc Changes:
ddad330
(v1.14) (#35093, @cilium-renovate[bot])Other Changes:
Docker Manifests
cilium
docker.io/cilium/cilium:v1.14.16@​sha256:8a31c16a4b3fcd0fbfdbfe3348710bfb766a5bcc8225ee5c4057d3a7cbcbafb2
quay.io/cilium/cilium:v1.14.16@​sha256:8a31c16a4b3fcd0fbfdbfe3348710bfb766a5bcc8225ee5c4057d3a7cbcbafb2
clustermesh-apiserver
docker.io/cilium/clustermesh-apiserver:v1.14.16@​sha256:19c1318e555d8ee9dbec9d86fe8e7e6c43a2dd7eeb29eb88ea7af28d21971186
quay.io/cilium/clustermesh-apiserver:v1.14.16@​sha256:19c1318e555d8ee9dbec9d86fe8e7e6c43a2dd7eeb29eb88ea7af28d21971186
docker-plugin
docker.io/cilium/docker-plugin:v1.14.16@​sha256:ccb1aee7af60693fe434924b0bbbb0a625382335ca2767d485a0bc855df5943d
quay.io/cilium/docker-plugin:v1.14.16@​sha256:ccb1aee7af60693fe434924b0bbbb0a625382335ca2767d485a0bc855df5943d
hubble-relay
docker.io/cilium/hubble-relay:v1.14.16@​sha256:ba715eaa50036c45ac39b2e4d08ee1794ac8dbfe6af339c48dba1402416da8f9
quay.io/cilium/hubble-relay:v1.14.16@​sha256:ba715eaa50036c45ac39b2e4d08ee1794ac8dbfe6af339c48dba1402416da8f9
kvstoremesh
docker.io/cilium/kvstoremesh:v1.14.16@​sha256:c22860631b97e671d08a21524da5283322ec6b7750760e78df5718169a987fa0
quay.io/cilium/kvstoremesh:v1.14.16@​sha256:c22860631b97e671d08a21524da5283322ec6b7750760e78df5718169a987fa0
operator-alibabacloud
docker.io/cilium/operator-alibabacloud:v1.14.16@​sha256:a647eae904c9210c3fa566a540c28bc6de525a92fd5049de1a3331c0b224d8b7
quay.io/cilium/operator-alibabacloud:v1.14.16@​sha256:a647eae904c9210c3fa566a540c28bc6de525a92fd5049de1a3331c0b224d8b7
operator-aws
docker.io/cilium/operator-aws:v1.14.16@​sha256:013da30c41a2ca04c56b3b4b51ebda57bac2aec8a0107031e445d636e913dca1
quay.io/cilium/operator-aws:v1.14.16@​sha256:013da30c41a2ca04c56b3b4b51ebda57bac2aec8a0107031e445d636e913dca1
operator-azure
docker.io/cilium/operator-azure:v1.14.16@​sha256:91b811091e98456543b4b7569039213bef954881a079a9796481275430994448
quay.io/cilium/operator-azure:v1.14.16@​sha256:91b811091e98456543b4b7569039213bef954881a079a9796481275430994448
operator-generic
docker.io/cilium/operator-generic:v1.14.16@​sha256:21243c0dcbc3d505ddf661835fc9a6aa6393e439893cbfd86c20b381c709d2b8
quay.io/cilium/operator-generic:v1.14.16@​sha256:21243c0dcbc3d505ddf661835fc9a6aa6393e439893cbfd86c20b381c709d2b8
operator
docker.io/cilium/operator:v1.14.16@​sha256:d5f68e5238d9fa608537f05abfa1296c188715439329128a9f78a7d0f6c078ef
quay.io/cilium/operator:v1.14.16@​sha256:d5f68e5238d9fa608537f05abfa1296c188715439329128a9f78a7d0f6c078ef
v1.14.15
: 1.14.15Compare Source
We are happy to release Cilium v1.14.15!
This release brings us upstream filter chains for L7 LB policy enforcement, bugfixes, CI fixes and many many more! See summary of changes below!
Summary of Changes
Minor Changes:
Bugfixes:
CI Changes:
Misc Changes:
4594271
(v1.14) (#34901, @cilium-renovate[bot])adbb901
(v1.14) (#34697, @cilium-renovate[bot])Other Changes:
Docker Manifests
cilium
docker.io/cilium/cilium:v1.14.15@​sha256:9a7977e8a685ac8ef8477c6be76a10d2aabf680bfe13916fa8ba7fec4429705d
quay.io/cilium/cilium:v1.14.15@​sha256:9a7977e8a685ac8ef8477c6be76a10d2aabf680bfe13916fa8ba7fec4429705d
clustermesh-apiserver
docker.io/cilium/clustermesh-apiserver:v1.14.15@​sha256:1254404bd6a9c9cd0702727f5fe9bf26477a3dac3fa6cb144a57c84b328d079b
quay.io/cilium/clustermesh-apiserver:v1.14.15@​sha256:1254404bd6a9c9cd0702727f5fe9bf26477a3dac3fa6cb144a57c84b328d079b
docker-plugin
docker.io/cilium/docker-plugin:v1.14.15@​sha256:5d123a4fd747b42a5ea3153930b23b93b0803ea881a6dbac26531deeb926cb9f
quay.io/cilium/docker-plugin:v1.14.15@​sha256:5d123a4fd747b42a5ea3153930b23b93b0803ea881a6dbac26531deeb926cb9f
hubble-relay
docker.io/cilium/hubble-relay:v1.14.15@​sha256:f104b07f38d0fa206bc41d5bd7a02ea42e32b18de7022f8401492bad35bbedc7
quay.io/cilium/hubble-relay:v1.14.15@​sha256:f104b07f38d0fa206bc41d5bd7a02ea42e32b18de7022f8401492bad35bbedc7
kvstoremesh
docker.io/cilium/kvstoremesh:v1.14.15@​sha256:93d81162805edf7145a9b6f2b22790c51a730f439f7644399d55cfc083c665e0
quay.io/cilium/kvstoremesh:v1.14.15@​sha256:93d81162805edf7145a9b6f2b22790c51a730f439f7644399d55cfc083c665e0
operator-alibabacloud
docker.io/cilium/operator-alibabacloud:v1.14.15@​sha256:db526ebf79874a0376c37fa987a820ff572a5a9b9c23697c393ab5d8721a20dd
quay.io/cilium/operator-alibabacloud:v1.14.15@​sha256:db526ebf79874a0376c37fa987a820ff572a5a9b9c23697c393ab5d8721a20dd
operator-aws
docker.io/cilium/operator-aws:v1.14.15@​sha256:e17ee0a65edf75f13e9fb380ef2dc4c80096d8a08581f8b8a65386e35589a175
quay.io/cilium/operator-aws:v1.14.15@​sha256:e17ee0a65edf75f13e9fb380ef2dc4c80096d8a08581f8b8a65386e35589a175
operator-azure
docker.io/cilium/operator-azure:v1.14.15@​sha256:e4ce4f4bce9431493efc59aba38277dd831836c3112af34e48e97c3d6bf4d668
quay.io/cilium/operator-azure:v1.14.15@​sha256:e4ce4f4bce9431493efc59aba38277dd831836c3112af34e48e97c3d6bf4d668
operator-generic
docker.io/cilium/operator-generic:v1.14.15@​sha256:233c4ab72cd6a06e8b4c8bed4991d625df8389e6225b27bc72f088c10036b870
quay.io/cilium/operator-generic:v1.14.15@​sha256:233c4ab72cd6a06e8b4c8bed4991d625df8389e6225b27bc72f088c10036b870
operator
docker.io/cilium/operator:v1.14.15@​sha256:064d2449a4ceaaf8bab2f14fb49544061bb4a9d508d78ea3596b3be03c20b82f
quay.io/cilium/operator:v1.14.15@​sha256:064d2449a4ceaaf8bab2f14fb49544061bb4a9d508d78ea3596b3be03c20b82f
v1.14.14
: 1.14.14Compare Source
Security Advisories
This release addresses GHSA-q7w8-72mr-vpgw.
Summary of Changes
Bugfixes:
CI Changes:
Misc Changes:
Other Changes:
Docker Manifests
cilium
docker.io/cilium/cilium:v1.14.14@​sha256:43d664501afbf35496e494dae0c5a7f8680a51ed9084997bea9c64bf4451a637
quay.io/cilium/cilium:v1.14.14@​sha256:43d664501afbf35496e494dae0c5a7f8680a51ed9084997bea9c64bf4451a637
clustermesh-apiserver
docker.io/cilium/clustermesh-apiserver:v1.14.14@​sha256:43171d3f988ffa7b5ef58b7f329bab77a5382c620b56ed9a64909e4358174135
quay.io/cilium/clustermesh-apiserver:v1.14.14@​sha256:43171d3f988ffa7b5ef58b7f329bab77a5382c620b56ed9a64909e4358174135
docker-plugin
docker.io/cilium/docker-plugin:v1.14.14@​sha256:8f4722b3fc3b64438065eeb8d4a003f8166032bf2bc1bad0480495cd7f9feef2
quay.io/cilium/docker-plugin:v1.14.14@​sha256:8f4722b3fc3b64438065eeb8d4a003f8166032bf2bc1bad0480495cd7f9feef2
hubble-relay
docker.io/cilium/hubble-relay:v1.14.14@​sha256:6fdad9d7ce64efbb966745005a2060223d9677cc4407177171b865691ab00aac
quay.io/cilium/hubble-relay:v1.14.14@​sha256:6fdad9d7ce64efbb966745005a2060223d9677cc4407177171b865691ab00aac
kvstoremesh
docker.io/cilium/kvstoremesh:v1.14.14@​sha256:ac7b4ddc38abfa0a27a503c7453dc8a8d4b3b1b1e785b02fda3ccbe613987c41
quay.io/cilium/kvstoremesh:v1.14.14@​sha256:ac7b4ddc38abfa0a27a503c7453dc8a8d4b3b1b1e785b02fda3ccbe613987c41
operator-alibabacloud
docker.io/cilium/operator-alibabacloud:v1.14.14@​sha256:2a88642e1c76548a0c4d8e8fe2facaed5f6955040bdd4729a6d1090eafde5e49
quay.io/cilium/operator-alibabacloud:v1.14.14@​sha256:2a88642e1c76548a0c4d8e8fe2facaed5f6955040bdd4729a6d1090eafde5e49
operator-aws
docker.io/cilium/operator-aws:v1.14.14@​sha256:adb1ea6a98b2715c5bed74ba4ab9fab89f6862aff462a5a05acd0d8c39d3af80
quay.io/cilium/operator-aws:v1.14.14@​sha256:adb1ea6a98b2715c5bed74ba4ab9fab89f6862aff462a5a05acd0d8c39d3af80
operator-azure
docker.io/cilium/operator-azure:v1.14.14@​sha256:4a88010d124b70ca1b1df90e0ca40bd79a99e344f72bfc821b9ef490421d0f51
quay.io/cilium/operator-azure:v1.14.14@​sha256:4a88010d124b70ca1b1df90e0ca40bd79a99e344f72bfc821b9ef490421d0f51
operator-generic
docker.io/cilium/operator-generic:v1.14.14@​sha256:0f2c8178bd20189fc9aeaa71224e6becdf71b42642209610b57390f7b798aae2
quay.io/cilium/operator-generic:v1.14.14@​sha256:0f2c8178bd20189fc9aeaa71224e6becdf71b42642209610b57390f7b798aae2
operator
docker.io/cilium/operator:v1.14.14@​sha256:8d1445bb129ccc56e6f2410369e0c9bacbb3ae9b7fde522c76734f01005e9ded
quay.io/cilium/operator:v1.14.14@​sha256:8d1445bb129ccc56e6f2410369e0c9bacbb3ae9b7fde522c76734f01005e9ded
v1.14.13
: 1.14.13Compare Source
Summary of Changes
We are pleased to release Cilium v1.14.13, which includes and updated Hubble UI, as well as stability and bug fixes. Thanks to all contributors, reviewers, testers, and users!
Minor Changes:
Bugfixes:
CI Changes:
Misc Changes:
511e3d9
(v1.14) (#33215, @cilium-renovate[bot])2eb85b8
(v1.14) (#33178, @cilium-renovate[bot])b405b62
(v1.14) (#33339, @cilium-renovate[bot])Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.