chore(deps): update dependency kubernetes/kubernetes to v1.28.3

[uniget-bot]

This PR contains the following updates:

Package	Update	Change
kubernetes/kubernetes	patch	1.28.2 -> 1.28.3

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

kubernetes/kubernetes (kubernetes/kubernetes)

v1.28.3: Kubernetes v1.28.3

Compare Source

See kubernetes-announce@. Additional binary downloads are linked in the CHANGELOG.

See the CHANGELOG for more details.

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[nicholasdille-bot]

Auto-approved because label type/renovate is present.

[github-actions]

🔍 Vulnerabilities of ghcr.io/uniget-org/tools/kubelet:1.28.3

📦 Image Reference ghcr.io/uniget-org/tools/kubelet:1.28.3

digest	sha256:3023bc88d7776a7ef61d7dc9dab360711d19a7757fe63d1d1f3ddd2c5445b131
vulnerabilities
platform	linux/amd64
size	30 MB
packages	160

go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp 0.35.1 (golang) pkg:golang/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@0.35.1 Allocation of Resources Without Limits or Throttling Affected range <0.44.0 Fixed version 0.44.0 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Description Summary OpenTelemetry-Go Contrib has a handler wrapper otelhttp that adds the following labels by deafult that have unbound cardinality: http.user_agent http.method This leads to the server's potential memory exhaustion when many malicious requests are sent to it. Details HTTP header User-Agent or HTTP method for requests can be easily set by an attacker to be random and long. The library internally uses httpconv.ServerRequest that records every value for HTTP method and User-Agent. This pull request released with version 0.44.0 dixes this vulnerability The values collected for attribute http.request.method were changed to be restricted to a set of well-known values and other high cardinality attributes were removed. Impact In order to be affected program has to use otelhttp.NewHandler wrapper and does not filter any unknown HTTP methods or User agents on the level of CDN, LB, previous middleware, etc. Others This vulnerability is similar but different from these known vulnerabilities: GHSA-5r5m-65gx-7vrh (open-telemetry/opentelemetry-go-contrib) GHSA-cg3q-j54f-5p7p (prometheus/client_golang) Workaround for affected versions As a workaround, otelhttp.WithFilter() can be used instead, but it requires manual careful configuration to not log certain requests entirely.

go.opentelemetry.io/contrib/instrumentation/github.com/emicklei/go-restful/otelrestful 0.35.0 (golang) pkg:golang/go.opentelemetry.io/contrib/instrumentation/github.com/emicklei/go-restful/otelrestful@0.35.0 Allocation of Resources Without Limits or Throttling Affected range <0.44.0 Fixed version 0.44.0 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Description Summary OpenTelemetry-Go Contrib has a handler wrapper otelhttp that adds the following labels by deafult that have unbound cardinality: http.user_agent http.method This leads to the server's potential memory exhaustion when many malicious requests are sent to it. Details HTTP header User-Agent or HTTP method for requests can be easily set by an attacker to be random and long. The library internally uses httpconv.ServerRequest that records every value for HTTP method and User-Agent. This pull request released with version 0.44.0 dixes this vulnerability The values collected for attribute http.request.method were changed to be restricted to a set of well-known values and other high cardinality attributes were removed. Impact In order to be affected program has to use otelhttp.NewHandler wrapper and does not filter any unknown HTTP methods or User agents on the level of CDN, LB, previous middleware, etc. Others This vulnerability is similar but different from these known vulnerabilities: GHSA-5r5m-65gx-7vrh (open-telemetry/opentelemetry-go-contrib) GHSA-cg3q-j54f-5p7p (prometheus/client_golang) Workaround for affected versions As a workaround, otelhttp.WithFilter() can be used instead, but it requires manual careful configuration to not log certain requests entirely.

github.com/cyphar/filepath-securejoin 0.2.3 (golang) pkg:golang/github.com/cyphar/filepath-securejoin@0.2.3 Affected range <0.2.4 Fixed version 0.2.4 Description Impact For Windows users of github.com/cyphar/filepath-securejoin, until v0.2.4 it was possible for certain rootfs and path combinations (in particular, where a malicious Unix-style /-separated unsafe path was used with a Windows-style rootfs path) to result in generated paths that were outside of the provided rootfs. It is unclear to what extent this has a practical impact on real users, but given the possible severity of the issue we have released an emergency patch release that resolves this issue. Thanks to @pjbgf for discovering, debugging, and fixing this issue (as well as writing some tests for it). Patches c121231e1276e11049547bee5ce68d5a2cfe2d9b is the patch fixing this issue. v0.2.4 contains the fix. Workarounds Users could use filepath.FromSlash() on all unsafe paths before passing them to filepath-securejoin. References See #9. OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range Fixed version v0.2.4 Description Impact For Windows users of github.com/cyphar/filepath-securejoin, until v0.2.4 it was possible for certain rootfs and path combinations (in particular, where a malicious Unix-style /-separated unsafe path was used with a Windows-style rootfs path) to result in generated paths that were outside of the provided rootfs. It is unclear to what extent this has a practical impact on real users, but given the possible severity of the issue we have released an emergency patch release that resolves this issue. Thanks to @pjbgf for discovering, debugging, and fixing this issue (as well as writing some tests for it). Patches c121231e1276e11049547bee5ce68d5a2cfe2d9b is the patch fixing this issue. v0.2.4 contains the fix. Workarounds Users could use filepath.FromSlash() on all unsafe paths before passing them to filepath-securejoin. References See #9.

k8s.io/kubernetes 1.28.3 (golang) pkg:golang/k8s.io/kubernetes@1.28.3 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range >1.16 Fixed version 1.16 CVSS Score 6.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N Description Improper input validation in Kubernetes CSI sidecar containers for external-provisioner (<v0.4.3, <v1.0.2, v1.1, <v1.2.2, <v1.3.1), external-snapshotter (<v0.4.2, <v1.0.2, v1.1, <1.2.2), and external-resizer (v0.1, v0.2) could result in unauthorized PersistentVolume data access or volume mutation during snapshot, restore from snapshot, cloning and resizing operations.

[github-actions]

Attempting automerge. See https://github.com/uniget-org/tools/actions/runs/6563952894.

[github-actions]

PR is clean and can be merged. See https://github.com/uniget-org/tools/actions/runs/6563952894.