
Commit bb8df2f

fix: security fixes (#1157) (#1158)
* fix: security fixes codefresh-gitops-operator CVE-2026-33186 CVE-2026-31892 CVE-2026-28229 cf-argocd-extras CVE-2026-33186 cap-app-proxy crypto/tls CVE-2025-68121 path-to-regexp CVE-2026-4867 node-forge CVE-2026-33896 CVE-2026-33895 CVE-2026-33894 CVE-2026-33891 picomatch CVE-2026-33671 CVE-2026-33672 gitops-runtime-installer (cli-v2) CVE-2026-33186 CVE-2026-24051 (cherry picked from commit bdce2fe)
1 parent 2804e15 commit bb8df2f


3 files changed

+15
-15
lines changed


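--- a/charts/gitops-runtime/README.md
+++ b/charts/gitops-runtime/README.md
@@ -494,13 +494,13 @@ global:
 | app-proxy.extraVolumeMounts | list | `[]` | Extra volume mounts for main container |
 | app-proxy.extraVolumes | list | `[]` | extra volumes |
 | app-proxy.fullnameOverride | string | `"cap-app-proxy"` | |
-| app-proxy.image-enrichment | object | `{"config":{"clientHeartbeatIntervalInSeconds":5,"concurrencyCmKey":"imageReportExecutor","concurrencyCmName":"workflow-synchronization-semaphores","images":{"gitEnrichment":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-image-enricher-git-info","tag":"1.1.23-main"},"jiraEnrichment":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-image-enricher-jira-info","tag":"1.1.23-main"},"reportImage":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-report-image-info","tag":"1.1.23-main"}},"podGcStrategy":"OnWorkflowCompletion","ttlActiveInSeconds":900,"ttlAfterCompletionInSeconds":86400},"enabled":true,"serviceAccount":{"annotations":null,"create":true,"name":"codefresh-image-enrichment-sa"}}` | Image enrichment process configuration |
-| app-proxy.image-enrichment.config | object | `{"clientHeartbeatIntervalInSeconds":5,"concurrencyCmKey":"imageReportExecutor","concurrencyCmName":"workflow-synchronization-semaphores","images":{"gitEnrichment":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-image-enricher-git-info","tag":"1.1.23-main"},"jiraEnrichment":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-image-enricher-jira-info","tag":"1.1.23-main"},"reportImage":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-report-image-info","tag":"1.1.23-main"}},"podGcStrategy":"OnWorkflowCompletion","ttlActiveInSeconds":900,"ttlAfterCompletionInSeconds":86400}` | Configurations for image enrichment workflow |
+| app-proxy.image-enrichment | object | `{"config":{"clientHeartbeatIntervalInSeconds":5,"concurrencyCmKey":"imageReportExecutor","concurrencyCmName":"workflow-synchronization-semaphores","images":{"gitEnrichment":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-image-enricher-git-info","tag":"1.1.25-main"},"jiraEnrichment":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-image-enricher-jira-info","tag":"1.1.25-main"},"reportImage":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-report-image-info","tag":"1.1.25-main"}},"podGcStrategy":"OnWorkflowCompletion","ttlActiveInSeconds":900,"ttlAfterCompletionInSeconds":86400},"enabled":true,"serviceAccount":{"annotations":null,"create":true,"name":"codefresh-image-enrichment-sa"}}` | Image enrichment process configuration |
+| app-proxy.image-enrichment.config | object | `{"clientHeartbeatIntervalInSeconds":5,"concurrencyCmKey":"imageReportExecutor","concurrencyCmName":"workflow-synchronization-semaphores","images":{"gitEnrichment":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-image-enricher-git-info","tag":"1.1.25-main"},"jiraEnrichment":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-image-enricher-jira-info","tag":"1.1.25-main"},"reportImage":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-report-image-info","tag":"1.1.25-main"}},"podGcStrategy":"OnWorkflowCompletion","ttlActiveInSeconds":900,"ttlAfterCompletionInSeconds":86400}` | Configurations for image enrichment workflow |
 | app-proxy.image-enrichment.config.clientHeartbeatIntervalInSeconds | int | `5` | Client heartbeat interval in seconds for image enrichemnt workflow |
 | app-proxy.image-enrichment.config.concurrencyCmKey | string | `"imageReportExecutor"` | The name of the key in the configmap to use as synchronization semaphore |
 | app-proxy.image-enrichment.config.concurrencyCmName | string | `"workflow-synchronization-semaphores"` | The name of the configmap to use as synchronization semaphore, see https://argoproj.github.io/argo-workflows/synchronization/ |
-| app-proxy.image-enrichment.config.images | object | `{"gitEnrichment":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-image-enricher-git-info","tag":"1.1.23-main"},"jiraEnrichment":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-image-enricher-jira-info","tag":"1.1.23-main"},"reportImage":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-report-image-info","tag":"1.1.23-main"}}` | Enrichemnt images |
-| app-proxy.image-enrichment.config.images.reportImage | object | `{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-report-image-info","tag":"1.1.23-main"}` | Report image enrichment task image |
+| app-proxy.image-enrichment.config.images | object | `{"gitEnrichment":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-image-enricher-git-info","tag":"1.1.25-main"},"jiraEnrichment":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-image-enricher-jira-info","tag":"1.1.25-main"},"reportImage":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-report-image-info","tag":"1.1.25-main"}}` | Enrichemnt images |
+| app-proxy.image-enrichment.config.images.reportImage | object | `{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-report-image-info","tag":"1.1.25-main"}` | Report image enrichment task image |
 | app-proxy.image-enrichment.config.podGcStrategy | string | `"OnWorkflowCompletion"` | Pod grabage collection strategy. By default all pods will be deleted when the enrichment workflow completes. |
 | app-proxy.image-enrichment.config.ttlActiveInSeconds | int | `900` | Maximum allowed runtime for the enrichment workflow |
 | app-proxy.image-enrichment.config.ttlAfterCompletionInSeconds | int | `86400` | Number of seconds to live after completion |
@@ -511,14 +511,14 @@ global:
 | app-proxy.image-enrichment.serviceAccount.name | string | `"codefresh-image-enrichment-sa"` | Name of the service account to create or the name of the existing one to use |
 | app-proxy.image.pullPolicy | string | `"IfNotPresent"` | |
 | app-proxy.image.repository | string | `"quay.io/codefresh/cap-app-proxy"` | |
-| app-proxy.image.tag | string | `"1.4074.0"` | |
+| app-proxy.image.tag | string | `"1.4077.0"` | |
 | app-proxy.imagePullSecrets | list | `[]` | |
 | app-proxy.initContainer.command[0] | string | `"./init.sh"` | |
 | app-proxy.initContainer.env | object | `{}` | |
 | app-proxy.initContainer.extraVolumeMounts | list | `[]` | Extra volume mounts for init container |
 | app-proxy.initContainer.image.pullPolicy | string | `"IfNotPresent"` | |
 | app-proxy.initContainer.image.repository | string | `"quay.io/codefresh/cap-app-proxy-init"` | |
-| app-proxy.initContainer.image.tag | string | `"1.4074.0"` | |
+| app-proxy.initContainer.image.tag | string | `"1.4077.0"` | |
 | app-proxy.initContainer.resources.limits | object | `{}` | |
 | app-proxy.initContainer.resources.requests.cpu | string | `"0.2"` | |
 | app-proxy.initContainer.resources.requests.memory | string | `"256Mi"` | |
@@ -589,7 +589,7 @@ global:
 | argo-cd.redis-ha.image.tag | string | `"8.2.2-alpine"` | Redis tag |
 | argo-cd.redis.image.repository | string | `"ecr-public.aws.com/docker/library/redis"` | Redis repository |
 | argo-cd.redis.image.tag | string | `"8.2.2-alpine"` | Redis tag |
-| argo-gateway | object | `{"affinity":{},"hpa":{"enabled":true,"maxReplicas":10,"minReplicas":1,"targetCPUUtilizationPercentage":70},"image":{"registry":"quay.io","repository":"codefresh/cf-argocd-extras","tag":"7b43e16"},"livenessProbe":{"failureThreshold":3,"initialDelaySeconds":10,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":10},"nodeSelector":{},"pdb":{"enabled":true,"maxUnavailable":"","minAvailable":"50%"},"readinessProbe":{"failureThreshold":3,"initialDelaySeconds":10,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":10},"resources":{"requests":{"cpu":"100m","memory":"128Mi"}},"service":{"type":"ClusterIP"},"serviceAccount":{"create":true},"serviceMonitor":{"enabled":false,"interval":"30s","labels":{},"scrapeTimeout":"10s"},"tolerations":[]}` | Argo Gateway Argo Gateway is used to perform operations on ArgoCD from Codefresh platform |
+| argo-gateway | object | `{"affinity":{},"hpa":{"enabled":true,"maxReplicas":10,"minReplicas":1,"targetCPUUtilizationPercentage":70},"image":{"registry":"quay.io","repository":"codefresh/cf-argocd-extras","tag":"9542ac9"},"livenessProbe":{"failureThreshold":3,"initialDelaySeconds":10,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":10},"nodeSelector":{},"pdb":{"enabled":true,"maxUnavailable":"","minAvailable":"50%"},"readinessProbe":{"failureThreshold":3,"initialDelaySeconds":10,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":10},"resources":{"requests":{"cpu":"100m","memory":"128Mi"}},"service":{"type":"ClusterIP"},"serviceAccount":{"create":true},"serviceMonitor":{"enabled":false,"interval":"30s","labels":{},"scrapeTimeout":"10s"},"tolerations":[]}` | Argo Gateway Argo Gateway is used to perform operations on ArgoCD from Codefresh platform |
 | argo-workflows.crds.install | bool | `true` | Install and upgrade CRDs |
 | argo-workflows.enabled | bool | `true` | |
 | argo-workflows.executor.resources.requests.ephemeral-storage | string | `"10Mi"` | |
@@ -651,7 +651,7 @@ global:
 | gitops-operator.env.<<[0].OTEL_TRACES_SAMPLER | string | `"parentbased_always_on"` | OTel sampler to be used for traces. Ref: https://opentelemetry.io/docs/specs/otel/configuration/sdk-environment-variables/ |
 | gitops-operator.env.GITOPS_OPERATOR_VERSION | string | `"0.11.1"` | |
 | gitops-operator.fullnameOverride | string | `""` | |
-| gitops-operator.image | object | `{"registry":"quay.io","repository":"codefresh/codefresh-gitops-operator","tag":"main-78571af"}` | GitOps operator image |
+| gitops-operator.image | object | `{"registry":"quay.io","repository":"codefresh/codefresh-gitops-operator","tag":"b9725cd"}` | GitOps operator image |
 | gitops-operator.imagePullSecrets | list | `[]` | |
 | gitops-operator.nameOverride | string | `""` | |
 | gitops-operator.nodeSelector | object | `{}` | |
@@ -681,7 +681,7 @@ global:
 | global.codefresh.userToken | object | `{"secretKeyRef":{},"token":""}` | User token. Used for runtime registration against the patform. One of token (for plain text value) or secretKeyRef must be provided. |
 | global.codefresh.userToken.secretKeyRef | object | `{}` | User token that references an existing secret containing the token. |
 | global.codefresh.userToken.token | string | `""` | User token in plain text. The chart creates and manages the secret for this token. |
-| global.event-reporters | object | `{"affinity":{},"config":{},"image":{"registry":"quay.io","repository":"codefresh/cf-argocd-extras","tag":"7b43e16"},"livenessProbe":{"failureThreshold":3,"initialDelaySeconds":10,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":10},"nodeSelector":{},"pdb":{"enabled":true,"maxUnavailable":"","minAvailable":"50%"},"readinessProbe":{"failureThreshold":3,"initialDelaySeconds":10,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":10},"replicaCount":2,"resources":{"requests":{"cpu":"100m","memory":"128Mi"}},"service":{"ports":{"http":{"port":8088,"targetPort":8088},"metrics":{"port":8087,"targetPort":8087}},"type":"ClusterIP"},"serviceAccount":{"create":true},"serviceMonitor":{"enabled":false,"interval":"30s","labels":{},"scrapeTimeout":"10s"},"tolerations":[]}` | Global settings for event reporters Event reporters are used for reporting runtime and cluster resources to Codefresh platform |
+| global.event-reporters | object | `{"affinity":{},"config":{},"image":{"registry":"quay.io","repository":"codefresh/cf-argocd-extras","tag":"9542ac9"},"livenessProbe":{"failureThreshold":3,"initialDelaySeconds":10,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":10},"nodeSelector":{},"pdb":{"enabled":true,"maxUnavailable":"","minAvailable":"50%"},"readinessProbe":{"failureThreshold":3,"initialDelaySeconds":10,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":10},"replicaCount":2,"resources":{"requests":{"cpu":"100m","memory":"128Mi"}},"service":{"ports":{"http":{"port":8088,"targetPort":8088},"metrics":{"port":8087,"targetPort":8087}},"type":"ClusterIP"},"serviceAccount":{"create":true},"serviceMonitor":{"enabled":false,"interval":"30s","labels":{},"scrapeTimeout":"10s"},"tolerations":[]}` | Global settings for event reporters Event reporters are used for reporting runtime and cluster resources to Codefresh platform |
 | global.httpProxy | string | `""` | global HTTP_PROXY for all components |
 | global.httpsProxy | string | `""` | global HTTPS_PROXY for all components |
 | global.imageRegistry | string | `""` | |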

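--- a/charts/gitops-runtime/values.yaml
+++ b/charts/gitops-runtime/values.yaml
@@ -136,7 +136,7 @@ global:
 image:
 registry: quay.io
 repository: codefresh/cf-argocd-extras
-tag: 7b43e16
+tag: "3190219"
 nodeSelector: {}
 tolerations: []
 affinity: {}
@@ -459,14 +459,14 @@ app-proxy:
 tag: 1.1.25-main
 image:
 repository: quay.io/codefresh/cap-app-proxy
-tag: 1.4074.0
+tag: 1.4077.0
 pullPolicy: IfNotPresent
 # -- Extra volume mounts for main container
 extraVolumeMounts: []
 initContainer:
 image:
 repository: quay.io/codefresh/cap-app-proxy-init
-tag: 1.4074.0
+tag: 1.4077.0
 pullPolicy: IfNotPresent
 command:
 - ./init.sh
@@ -647,7 +647,7 @@ gitops-operator:
 image:
 registry: quay.io
 repository: codefresh/codefresh-gitops-operator
-tag: main-78571af
+tag: b9540c4
 env:
 !!merge <<:
 - *otel-config
@@ -679,7 +679,7 @@ argo-gateway:
 image:
 registry: quay.io
 repository: codefresh/cf-argocd-extras
-tag: 7b43e16
+tag: "3190219"
 nodeSelector: {}
 tolerations: []
 affinity: {}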
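Review bot: The image tags set in this file disagree with the defaults that charts/gitops-runtime/README.md documents in the same commit. `cf-argocd-extras` is `tag: "3190219"` here (line 139 under `global:` and line 682 under `argo-gateway:`) but `9542ac9` in the README, and `codefresh-gitops-operator` is `tag: b9540c4` at line 650 but `b9725cd` in the README. Because this commit exists to ship CVE fixes, the page leaves it unclear which build actually carries the patched dependencies; the README table appears to be generated from this file, so it should be regenerated once the intended tags are confirmed. The new operator tag also drops the `main-` prefix, so anyone matching on the old tag pattern in admission or scanning policy should check that the short-hash form is still covered.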

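--- a/installer-image/Dockerfile
+++ b/installer-image/Dockerfile
@@ -2,7 +2,7 @@
 
 FROM octopusdeploy/dhi-golang:1.25-debian13-dev AS build
 ARG TARGETARCH
-ARG CF_CLI_VERSION=v1.0.1
+ARG CF_CLI_VERSION=v1.0.2
 RUN go install github.com/davidrjonas/semver-cli@latest \
 && cp $GOPATH/bin/semver-cli /tmp/semver-cli
 ADD --unpack=true --chown=nonroot:nonroot --chmod=755 https://github.com/codefresh-io/cli-v2/releases/download/${CF_CLI_VERSION}/cf-linux-${TARGETARCH}.tar.gz /tmp/cf/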
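Review bot: The bumped `CF_CLI_VERSION` only changes which release tarball the `ADD --unpack=true … cf-linux-${TARGETARCH}.tar.gz` line downloads and unpacks; nothing visible in the hunk verifies that archive's integrity. Recording the expected digest next to the version, e.g. `ADD --checksum=sha256:<EXPECTED_DIGEST_PLACEHOLDER> --unpack=true …` (assuming the Dockerfile frontend in use accepts it together with `--unpack`), would turn every version bump into a reviewed digest change; since the URL varies with `TARGETARCH`, one digest per architecture is needed. The same stage runs `go install github.com/davidrjonas/semver-cli@latest`, which pulls whatever is published at build time, so pinning it to a tagged version would keep this CVE-fix build reproducible. The build stage continues outside the hunk.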
