Skip to content

chore(deps): update kro to v0.9.2#21721

Open
uniget-bot wants to merge 1 commit intomainfrom
renovate/kro-0.9.x
Open

chore(deps): update kro to v0.9.2#21721
uniget-bot wants to merge 1 commit intomainfrom
renovate/kro-0.9.x

Conversation

@uniget-bot
Copy link
Copy Markdown

@uniget-bot uniget-bot commented May 9, 2026

This PR contains the following updates:

Package Update Change
kro patch 0.9.10.9.2

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

Release Notes

kubernetes-sigs/kro (kro)

v0.9.2

Compare Source

What's Changed

New Contributors

Full Changelog: kubernetes-sigs/kro@v0.9.1...v0.9.2

Configuration

📅 Schedule: (in timezone Europe/Berlin)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

nicholasdille-bot
nicholasdille-bot approved these changes May 9, 2026
View reviewed changes
Copy link
Copy Markdown

@nicholasdille-bot nicholasdille-bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Auto-approved because label type/renovate is present.

@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 9, 2026

🔍 Vulnerabilities of ghcr.io/uniget-org/tools/kro:0.9.2

📦 Image Reference ghcr.io/uniget-org/tools/kro:0.9.2
digestsha256:8e03777f3b0ca311ba852d5d2fa29066316972907c0cc8108dbdf09d56af5061
vulnerabilitiescritical: 0 high: 2 medium: 0 low: 0
platformlinux/amd64
size29 MB
packages82
critical: 0 high: 1 medium: 0 low: 0 golang.org/x/net 0.47.0 (golang)

pkg:golang/golang.org/x/net@0.47.0

high : CVE--2026--33814

Affected range<0.53.0
Fixed version0.53.0
Description

When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.

critical: 0 high: 1 medium: 0 low: 0 go.opentelemetry.io/otel 1.36.0 (golang)

pkg:golang/go.opentelemetry.io/otel@1.36.0

high 7.5: CVE--2026--29181 Uncontrolled Resource Consumption

Affected range>=1.36.0
<=1.40.0
Fixed version1.41.0
CVSS Score7.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score0.052%
EPSS Percentile16th percentile
Description

multi-value baggage: header extraction parses each header field-value independently and aggregates members across values. this allows an attacker to amplify cpu and allocations by sending many baggage: header lines, even when each individual value is within the 8192-byte per-value parse limit.

severity

HIGH (availability / remote request amplification)

relevant links

vulnerability details

pins: open-telemetry/opentelemetry-go@1ee4a41
as-of: 2026-02-04
policy: direct (no program scope provided)

callsite: propagation/baggage.go:58 (extractMultiBaggage)
attacker control: inbound HTTP request headers (many baggage field-values) → propagation.HeaderCarrier.Values("baggage") → repeated baggage.Parse + member aggregation

root cause

extractMultiBaggage iterates over all baggage header field-values and parses each one independently, then appends members into a shared slice. the 8192-byte parsing cap applies per header value, but the multi-value path repeats that work once per header line (bounded only by the server/proxy header byte limit).

impact

in a default net/http configuration (max header bytes 1mb), a single request with many baggage: header field-values can cause large per-request allocations and increased latency.

example from the attached PoC harness (darwin/arm64; 80 values; 40 requests):

  • canonical: per_req_alloc_bytes=10315458 and p95_ms=7
  • control: per_req_alloc_bytes=133429 and p95_ms=0

proof of concept

canonical:

mkdir -p poc
unzip poc.zip -d poc
cd poc
make test

output (excerpt):

[CALLSITE_HIT]: propagation/baggage.go:58 extractMultiBaggage
[PROOF_MARKER]: baggage_multi_value_amplification p95_ms=7 per_req_alloc_bytes=10315458 per_req_allocs=16165

control:

cd poc
make control

control output (excerpt):

[NC_MARKER]: baggage_single_value_baseline p95_ms=0 per_req_alloc_bytes=133429 per_req_allocs=480

expected: multiple baggage header field-values should be semantically equivalent to a single comma-joined baggage value and should not multiply parsing/alloc work within the effective header byte budget.
actual: multiple baggage header field-values trigger repeated parsing and member aggregation, causing high per-request allocations and increased latency even when each individual value is within 8192 bytes.

fix recommendation

avoid repeated parsing across multi-values by enforcing a global budget and/or normalizing multi-values into a single value before parsing. one mitigation approach is to treat multi-values as a single comma-joined string and cap total parsed bytes (for example 8192 bytes total).

fix accepted when: under the default PoC harness settings, canonical stays within 2x of control for per_req_alloc_bytes and per_req_allocs, and p95_ms stays below 2ms.

poc.zip
PR_DESCRIPTION.md

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nicholasdille-bot nicholasdille-bot nicholasdille-bot approved these changes

Assignees

No one assigned

Labels

bump/patch type/renovate

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@uniget-bot @nicholasdille-bot @renovate-bot