You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
[!NOTE]
This is a mainline Coder release. We advise enterprise customers without a staging environment to install our latest stable release while we refine this version. Learn more about our Release Schedule.
Bug fixes
Backport 11 Coder Agents docs PRs to release/2.33 (#25047, d622e86)
Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322.
Affected range
<1.25.10
Fixed version
1.25.10
Description
The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0).
Affected range
<1.25.10
Fixed version
1.25.10
Description
Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations.
Affected range
<1.25.10
Fixed version
1.25.10
Description
When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.
Affected range
<1.25.10
Fixed version
1.25.10
Description
When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash.
Affected range
<1.25.10
Fixed version
1.25.10
Description
If a trusted template author were to write a <script> tag containing an empty 'type' attribute or a 'type' attribute with an ASCII whitespace, the execution of the template would incorrectly escape any data passed into the <script> block.
Affected range
<1.25.10
Fixed version
1.25.10
Description
CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a tag's attribute. If the URL content were to insert ASCII whitespaces around the '=' rune inside of the attribute, the escaper would fail to similarly escape it, leading to XSS.
Affected range
<1.25.10
Fixed version
1.25.10
Description
ReverseProxy can forward queries containing parameters not visible to Rewrite functions.
When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.ParseQuery. ReverseProxy does not take ParseQuery's limit on the total number of query parameters (controlled by GODEBUG=urlmaxqueryparams=N) into account. This can permit ReverseProxy to forward a request containing a query parameter that is not visible to the Rewrite function.
For example, the query "a1=x&a2=x&...&a10000=x&hidden=y" can forward the parameter "hidden=y" while hiding it from the proxy's Rewrite function.
github.com/u-root/u-root0.14.0 (golang)
pkg:golang/github.com/u-root/u-root@0.14.0
OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
Affected range
<=v7.0.0
Fixed version
Not Fixed
CVSS Score
7.5
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS Score
0.346%
EPSS Percentile
57th percentile
Description
This affects all versions of package github.com/u-root/u-root/pkg/tarutil. It is vulnerable to both leading and non-leading relative path traversal attacks in tar file extraction.
OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
Affected range
<=7.0.0
Fixed version
Not Fixed
CVSS Score
7.5
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS Score
0.149%
EPSS Percentile
35th percentile
Description
This affects all versions of package github.com/u-root/u-root/pkg/uzip. It is vulnerable to both leading and non-leading relative path traversal attacks in zip file extraction.
OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
Affected range
>=0
Fixed version
Not Fixed
CVSS Score
7.5
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score
0.483%
EPSS Percentile
65th percentile
Description
The package github.com/gomarkdown/markdown is a Go library for parsing Markdown text and rendering as HTML. Prior to pseudoversion 0.0.0-20230922105210-14b16010c2ee, which corresponds with commit 14b16010c2ee7ff33a940a541d993bd043a88940, parsing malformed markdown input with parser that uses parser.Mmark extension could result in out-of-bounds read vulnerability. To exploit the vulnerability, parser needs to have parser.Mmark extension set. The panic occurs inside the citation.go file on the line 69 when the parser tries to access the element past its length. This can result in a denial of service. Commit 14b16010c2ee7ff33a940a541d993bd043a88940/pseudoversion 0.0.0-20230922105210-14b16010c2ee contains a patch for this issue.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
nicholasdille-bot
left a comment
This PR contains the following updates:
2.33.1→2.33.2Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
Release Notes
coder/coder (coder)
v2.33.2Compare Source
Changelog
Bug fixes
d622e86)Compare:
v2.33.1...v2.33.2Container image
docker pull ghcr.io/coder/coder:2.33.2Install/upgrade
Refer to our docs to install or upgrade Coder, or use a release asset below.
Configuration
📅 Schedule: (in timezone Europe/Berlin)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate.