Update module github.com/crossplane/crossplane-runtime to v0.16.1 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
github.com/crossplane/crossplane-runtime	require	minor	v0.15.1 -> v0.16.1

• PR contains the label that identifies the area, one of: area:operator, area:chart
• If the PR is targeting a Helm chart, add the chart label, e.g. chart:provider-postgresql

GitHub Vulnerability Alerts

CVE-2023-27483

Summary

Fuzz testing on crossplane/crossplane, by Ada Logics and sponsored by the CNCF, identified input to a function in the fieldpath package that can cause an out of memory panic. Applications that use the Paved type's SetValue method with user provided input without proper validation might use excessive amounts of memory and cause an out of memory panic.

Details

In the fieldpath package, the SetValue method of the Paved type sets a value on the inner object according to the provided path, without validating it first. This allows setting values in slices at any specific index and the code will grow the target array up to the required size. The index is currently capped at max uint32 (4294967295) given how indexes are parsed, but that is still an unnecessarily large value.

Workaround

Users can parse and validate the path before passing it to the SetValue method of the Paved type, constraining the index size as deemed appropriate.

Credits

Disclosed by Ada Logics in a fuzzing audit sponsored by CNCF.

---

Release Notes

crossplane/crossplane-runtime (github.com/crossplane/crossplane-runtime)

v0.16.1

Compare Source

Security

Addresses a vulnerability in the fieldpath package.

What's Changed

• [Backport release-0.16] Max index value validation by @​phisco in https://github.com/crossplane/crossplane-runtime/pull/391

Full Changelog: crossplane/crossplane-runtime@v0.16.0...v0.16.1

v0.16.0

Compare Source

This is a regular release of crossplane-runtime ahead of the Crossplane v0.18.0 release. The main focus of features and commits in this release are for support of external secret stores, webhooks, and exposing configuration options for controllers. These have already been consumed in core Crossplane as pre-release, but will be consumed from this official release going forward in v0.18.0.

What's Changed

• Update dependencies by @​muvaf in https://github.com/crossplane/crossplane-runtime/pull/284
• Account for two different kinds of consistency issues by @​negz in https://github.com/crossplane/crossplane-runtime/pull/283
• Add backport workflow by @​negz in https://github.com/crossplane/crossplane-runtime/pull/286
• Add commands Github workflow by @​negz in https://github.com/crossplane/crossplane-runtime/pull/287
• Add an errors package with a similar API to github.com/pkg/errors by @​negz in https://github.com/crossplane/crossplane-runtime/pull/291
• Set Creating and Deleting conditions close to Status().Update() calls by @​negz in https://github.com/crossplane/crossplane-runtime/pull/292
• Add a controller.Options type by @​negz in https://github.com/crossplane/crossplane-runtime/pull/293
• managed: make finalizer name string public by @​muvaf in https://github.com/crossplane/crossplane-runtime/pull/295
• Add wildcard expand method to fieldpath.Paved by @​turkenh in https://github.com/crossplane/crossplane-runtime/pull/297
• Plumb up reconciler contexts by @​negz in https://github.com/crossplane/crossplane-runtime/pull/298
• Support true global reconcile rate limiting by @​negz in https://github.com/crossplane/crossplane-runtime/pull/294
• Only attempt object scheme parsing if object is not registered in meta by @​hasheddan in https://github.com/crossplane/crossplane-runtime/pull/300
• add NewNopFinalizer() by @​fahedouch in https://github.com/crossplane/crossplane-runtime/pull/303
• Add Disconnect call in Reconcile by @​vaspahomov in https://github.com/crossplane/crossplane-runtime/pull/296
• Tweak ExternalDisconnecter implementation by @​negz in https://github.com/crossplane/crossplane-runtime/pull/306
• Update Go to 1.17 and k8s libraries to 1.23 by @​muvaf in https://github.com/crossplane/crossplane-runtime/pull/308
• Add connection package for External Secret Store support by @​turkenh in https://github.com/crossplane/crossplane-runtime/pull/321
• Add Vault as an External Secret Store by @​turkenh in https://github.com/crossplane/crossplane-runtime/pull/322
• package.parser: make Or linter work with arbitrary number of linters by @​muvaf in https://github.com/crossplane/crossplane-runtime/pull/324
• External Secret Support in Composition Types by @​turkenh in https://github.com/crossplane/crossplane-runtime/pull/323
• Fixes and Improvements with Vault KV Client by @​turkenh in https://github.com/crossplane/crossplane-runtime/pull/325
• owners: add turkenh as maintainer by @​muvaf in https://github.com/crossplane/crossplane-runtime/pull/329
• Add validator and mutator chain executors to be used by provider webhooks by @​muvaf in https://github.com/crossplane/crossplane-runtime/pull/326

New Contributors

• @​fahedouch made their first contribution in https://github.com/crossplane/crossplane-runtime/pull/303
• @​vaspahomov made their first contribution in https://github.com/crossplane/crossplane-runtime/pull/296

Full Changelog: crossplane/crossplane-runtime@v0.15.0...v0.16.0

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.