Microsoft is releasing this security advisory to provide information about a vulnerability in System.Security.Cryptography.Xml. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
A vulnerability exists in EncryptedXml class where an attacker can cause an infinite loop and perform a Denial of Service attack.
Once you have updated the nuget package reference you must recompile and deploy your application. Additionally we recommend you update your runtime and/or SDKs, but it is not necessary to patch the vulnerability.
Other Information
Reporting Security Issues
If you have found a potential security issue in a supported version of .NET, please report it to the Microsoft Security Response Center (MSRC) via the MSRC Researcher Portal. Further information can be found in the MSRC Report an Issue FAQ.
Security reports made through MSRC may qualify for the Microsoft .NET Bounty. Details of the Microsoft .NET Bounty Program including terms and conditions are at https://aka.ms/corebounty.
Support
You can ask questions about this issue on GitHub in the .NET GitHub organization. The main repos are located at https://github.com/dotnet/runtime. The Announcements repo (https://github.com/dotnet/Announcements) will contain this bulletin as an issue and will include a link to a discussion issue. You can ask questions in the linked discussion issue.
Disclaimer
The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Microsoft is releasing this security advisory to provide information about a vulnerability in System.Security.Cryptography.Xml. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
A vulnerability exists in the EncryptedXml class where uncontrolled resource consumption can give an attacker the ability to perform a Denial of Service attack.
Once you have updated the nuget package reference you must recompile and deploy your application. Additionally we recommend you update your runtime and/or SDKs, but it is not necessary to patch the vulnerability.
Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C library version 2.34 to version 2.43 could result in an invalid DNS hostname being returned to the caller in violation of the DNS specification.
Affected range: >=0
Fixed version: Not Fixed
EPSS Score: 0.050%
EPSS Percentile: 16th percentile
Description
Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C Library version 2.34 to version 2.43 could, with a crafted response from the configured DNS server, result in a violation of the DNS specification that causes the application to treat a non-answer section of the DNS response as a valid answer.
Affected range: >=0
Fixed version: Not Fixed
EPSS Score: 0.044%
EPSS Percentile: 13th percentile
Description
The iconv() function in the GNU C Library versions 2.43 and earlier may crash due to an assertion failure when converting inputs from the IBM1390 or IBM1399 character sets, which may be used to remotely crash an application. This vulnerability can be trivially mitigated by removing the IBM1390 and IBM1399 character sets from systems that do not need them.
A flaw was found in tar. A remote attacker could exploit this vulnerability by crafting a malicious archive, leading to hidden file injection with fully attacker-controlled content. This bypasses pre-extraction inspection mechanisms, potentially allowing an attacker to introduce malicious files onto a system without detection.
Affected range: >=0
Fixed version: Not Fixed
EPSS Score: 0.081%
EPSS Percentile: 24th percentile
Description
GNU Tar through 1.35 allows file overwrite via directory traversal in crafted TAR archives, with a certain two-step process. First, the victim must extract an archive that contains a ../ symlink to a critical directory. Second, the victim must extract an archive that contains a critical file, specified via a relative pathname that begins with the symlink name and ends with that critical file's name. Here, the extraction follows the symlink and overwrites the critical file. This bypasses the protection mechanism of "Member name contains '..'" that would occur for a single TAR archive that attempted to specify the critical file via a ../ approach. For example, the first archive can contain "x -> ../../../../../home/victim/.ssh" and the second archive can contain x/authorized_keys. This can affect server applications that automatically extract any number of user-supplied TAR archives, and were relying on the blocking of traversal. This can also affect software installation processes in which "tar xf" is run more than once (e.g., when installing a package can automatically install two dependencies that are set up as untrusted tarballs instead of official packages). NOTE: the official GNU Tar manual has an otherwise-empty directory for each "tar xf" in its Security Rules of Thumb; however, third-party advice leads users to run "tar xf" more than once into the same directory.
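A pre-extraction check that catches both halves of the two-step sequence described above, added here as an example; it is not GNU tar code and is not taken from the advisory. It assumes Python 3.9 or later on a POSIX filesystem, and the archives it inspects are constructed in memory inside the demo. The point it makes is that the second archive is harmless on its own (no member name contains "..") and only becomes dangerous in combination with a symlink a previous extraction left on disk, so the check resolves each member's landing path against the destination directory as it exists right now, not just against the member names.

```python
import io
import os
import tarfile
import tempfile


def _inside(base: str, path: str) -> bool:
    """True if path, after resolving every symlink that already exists on disk, lies within base."""
    base = os.path.realpath(base)
    path = os.path.realpath(path)
    return path == base or path.startswith(base + os.sep)


def unsafe_members(archive: tarfile.TarFile, dest: str) -> list:
    """Return (member name, reason) for each member that must not be extracted into dest.

    Covers a symlink member whose target leaves dest (the first archive in the advisory)
    and a plain member whose path passes through a symlink that an earlier extraction
    already placed in dest (the second archive).
    """
    dest_real = os.path.realpath(dest)
    problems = []
    for m in archive.getmembers():
        # os.path.join discards dest_real for an absolute member name; check 1 flags that too.
        where = os.path.join(dest_real, m.name)
        # Check 1: where the member would land, following symlinks already on disk.
        if not _inside(dest_real, where):
            problems.append((m.name, "path resolves outside destination"))
            continue
        # Check 2: a symlink target is interpreted relative to the symlink's own directory.
        if m.issym():
            target = os.path.join(os.path.dirname(where), m.linkname)
            if not _inside(dest_real, target):
                problems.append((m.name, "symlink target escapes destination: " + m.linkname))
        # Check 3: a hard link target is named relative to the archive root.
        elif m.islnk():
            if not _inside(dest_real, os.path.join(dest_real, m.linkname)):
                problems.append((m.name, "hard link target escapes destination: " + m.linkname))
        # Check 4: device nodes and FIFOs have no business in an untrusted archive.
        elif m.isdev() or m.isfifo():
            problems.append((m.name, "special file"))
    return problems


def make_tar(members) -> tarfile.TarFile:
    """Build an in-memory archive from (name, kind, payload) triples, kind being
    "file", "sym" or "dir". Constructed sample input for the demo below."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, kind, payload in members:
            info = tarfile.TarInfo(name)
            if kind == "file":
                info.size = len(payload)
                tf.addfile(info, io.BytesIO(payload))
            else:
                info.type = tarfile.SYMTYPE if kind == "sym" else tarfile.DIRTYPE
                info.linkname = payload or ""
                tf.addfile(info)
    buf.seek(0)
    return tarfile.open(fileobj=buf, mode="r")


def demo() -> dict:
    """Replay the advisory's two-step sequence inside a temporary directory."""
    with tempfile.TemporaryDirectory() as root:
        ssh_dir = os.path.join(root, "victim", ".ssh")   # stands in for ~/.ssh
        dest = os.path.join(root, "extract")
        os.makedirs(ssh_dir)
        os.makedirs(dest)

        # Step 1: an archive carrying only the symlink x -> ../victim/.ssh
        step1 = unsafe_members(make_tar([("x", "sym", "../victim/.ssh")]), dest)

        # Step 2: x/authorized_keys contains no "..", so a per-archive name check
        # passes it. Simulate step 1 having been extracted unchecked, then re-check.
        os.symlink("../victim/.ssh", os.path.join(dest, "x"))
        step2 = unsafe_members(
            make_tar([("x/authorized_keys", "file", b"constructed content\n")]), dest)

        # A well-formed archive with an internal relative symlink is accepted.
        benign = unsafe_members(make_tar([
            ("pkg", "dir", None),
            ("pkg/README", "file", b"hello\n"),
            ("pkg/latest", "sym", "README"),
        ]), dest)
        return {"step1": step1, "step2": step2, "benign": benign}


if __name__ == "__main__":
    for label, found in demo().items():
        print(label, "->", found or "no unsafe members")
```

Run the check against the exact directory the archive is about to be unpacked into, every time "tar xf" would run, because the result depends on what earlier extractions left there; a name-only rule such as rejecting members containing ".." is the single-archive protection the advisory describes as bypassed. Python 3.12 and later ship a comparable built-in policy as TarFile.extractall(..., filter="data"); the block above spells the checks out so they can be applied before anything touches the disk.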
It was discovered that dpkg-deb (a component of dpkg, the Debian package management system) does not properly validate the end of the data stream when uncompressing a zstd-compressed .deb archive, which may result in denial of service (infinite loop spinning the CPU).
A flaw was found in libcap. A local unprivileged user can exploit a Time-of-check-to-time-of-use (TOCTOU) race condition in the cap_set_file() function. This allows an attacker with write access to a parent directory to redirect file capability updates to an attacker-controlled file. By doing so, capabilities can be injected into or stripped from unintended executables, leading to privilege escalation.
Git is a source code management tool. When cloning from a server (or fetching, or pushing), informational or error messages are transported from the remote Git process to the client via the so-called "sideband channel". These messages will be prefixed with "remote:" and printed directly to the standard error output. Typically, this standard error output is connected to a terminal that understands ANSI escape sequences, which Git did not protect against. Most modern terminals support control sequences that can be used by a malicious actor to hide and misrepresent information, or to mislead the user into executing untrusted scripts. As requested on the git-security mailing list, the patches are under discussion on the public mailing list. Users are advised to update as soon as possible. Users unable to upgrade should avoid recursive clones unless they are from trusted sources.
util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privileges via fork() + setuid() + realpath(), but subsequently re-canonicalizes and opens it with root privileges (euid=0) without verifying that the path has not been replaced between both operations. Neither O_NOFOLLOW, nor inode comparison, nor post-open fstat() are employed. This allows a local unprivileged user to replace the source file with a symlink pointing to any root-owned file or device during the race window, causing the SUID binary to open and mount it as root. Exploitation requires an /etc/fstab entry with user,loop options whose path points to a directory where the attacker has write permission, and that /usr/bin/mount has the SUID bit set (the default configuration on virtually all Linux distributions). The impact is unauthorized read access to root-protected files and block devices, including backup images, disk volumes, and any file containing a valid filesystem. This issue has been patched in version 2.41.4.
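The three safeguards the description names as absent (O_NOFOLLOW, inode comparison, and a post-open fstat()) combined into one check-then-open pattern, added here as an example; it is not util-linux code and does not reproduce mount's privilege switching, only the part that decides whether the object opened is the object that was validated. It assumes a POSIX system (os.O_NOFOLLOW is unavailable on Windows) and builds its files in a temporary directory. The demo runs the honest case and then two simulated races in which the path is changed between the check and the open.

```python
import os
import stat
import tempfile


class UnsafeSource(Exception):
    """Raised when the object at a path no longer matches what was validated."""


def check_source(path: str) -> tuple:
    """Check phase: validate the path without following a final symlink and record
    the identity (device, inode) of the object that passed validation."""
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        raise UnsafeSource("source is not a regular file")
    return (st.st_dev, st.st_ino)


def open_checked(path: str, identity: tuple) -> int:
    """Use phase: open without following a symlink, then confirm via fstat() that
    the descriptor refers to the very object recorded at check time.
    Returns a file descriptor the caller must close."""
    try:
        # O_NOFOLLOW refuses a symlink that appeared in the race window (ELOOP on Linux);
        # O_CLOEXEC keeps the descriptor from leaking into child processes.
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    except OSError as exc:
        raise UnsafeSource(f"refused to open {path!r}: {exc.strerror}") from exc
    st = os.fstat(fd)  # inspects the object actually opened, not the path
    if not stat.S_ISREG(st.st_mode) or (st.st_dev, st.st_ino) != identity:
        os.close(fd)
        raise UnsafeSource("object changed between check and open")
    return fd


def _attempt(path: str, identity: tuple) -> str:
    """Report the outcome of the use phase as a string for the demo."""
    try:
        fd = open_checked(path, identity)
    except UnsafeSource as exc:
        return str(exc)
    os.close(fd)
    return "opened"


def demo() -> dict:
    """Honest use plus two simulated races, all on constructed files in a temp dir."""
    with tempfile.TemporaryDirectory() as root:
        image = os.path.join(root, "image.img")           # the user-supplied source path
        protected = os.path.join(root, "protected.img")   # stands in for a root-only file
        for p, data in ((image, b"legit"), (protected, b"secret")):
            with open(p, "wb") as f:
                f.write(data)
        out = {}

        # Honest case: nothing changes between check and open.
        fd = open_checked(image, check_source(image))
        out["honest"] = os.read(fd, 16)
        os.close(fd)

        # Race 1: after the check, the path is swapped for a symlink to the protected file.
        identity = check_source(image)
        os.remove(image)
        os.symlink(protected, image)
        out["symlink_swap"] = _attempt(image, identity)

        # Race 2: after the check, a different regular file is renamed over the path,
        # so open() succeeds but fstat() reveals an inode other than the validated one.
        os.remove(image)
        with open(image, "wb") as f:
            f.write(b"legit")
        identity = check_source(image)
        os.replace(protected, image)
        out["rename_swap"] = _attempt(image, identity)
        return out


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, "->", result)
```

The two halves are deliberately separate functions so the identity recorded at check time is an explicit value that the use phase must match; a design in which the privileged code re-canonicalises the path on its own has nothing to compare against, which is the gap the description attributes to the affected mount versions.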
shadow-utils (aka shadow) 4.4 through 4.17.0 establishes a default /etc/subuid behavior (e.g., uid 100000 through 165535 for the first user account) that can realistically conflict with the uids of users defined on locally administered networks, potentially leading to account takeover, e.g., by leveraging newuidmap for access to an NFS home directory (or same-host resources in the case of remote logins by these local network users). NOTE: it may also be argued that system administrators should not have assigned uids, within local networks, that are within the range that can occur in /etc/subuid.
A stack buffer overflow was found in International Components for Unicode (ICU). While running the genrb binary, the 'subtag' struct overflowed at the SRBRoot::addTag function. This issue may lead to memory corruption and local arbitrary code execution.
A timing-based side-channel flaw was found in libgcrypt's RSA implementation. This issue may allow a remote attacker to initiate a Bleichenbacher-style attack, which can lead to the decryption of RSA ciphertexts.
This PR contains the following updates:
v6→v7, v3→v4, v3→v4, v1→v3, v2.5.0→v3, v3→v4, v2→v3.0.4
Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
Release Notes
actions/upload-artifact (actions/upload-artifact)
v7.0.1 (Compare Source)
What's Changed
Full Changelog: actions/upload-artifact@v7...v7.0.1
v7.0.0 (Compare Source)
v7 What's new
Direct Uploads
Adds support for uploading single files directly (unzipped). Callers can set the new `archive` parameter to `false` to skip zipping the file during upload. Right now, we only support single files. The action will fail if the glob passed resolves to multiple files. The `name` parameter is also ignored with this setting. Instead, the name of the artifact will be the name of the uploaded file.
ESM
To support new versions of the `@actions/*` packages, we've upgraded the package to ESM.
What's Changed
New Contributors
Full Changelog: actions/upload-artifact@v6...v7.0.0
v7 (Compare Source)
docker/login-action (docker/login-action)
v4.1.0 (Compare Source)
Full Changelog: docker/login-action@v4.0.0...v4.1.0
v4.0.0 (Compare Source)
Full Changelog: docker/login-action@v3.7.0...v4.0.0
v4 (Compare Source)
v3.7.0 (Compare Source)
- `scope` input to set scopes for the authentication token by @crazy-max in #912
- `registry-auth` input by @crazy-max in #911
Full Changelog: docker/login-action@v3.6.0...v3.7.0
v3.6.0 (Compare Source)
- `registry-auth` input for raw authentication to registries by @crazy-max in #887
Full Changelog: docker/login-action@v3.5.0...v3.6.0
v3.5.0 (Compare Source)
Full Changelog: docker/login-action@v3.4.0...v3.5.0
v3.4.0 (Compare Source)
Full Changelog: docker/login-action@v3.3.0...v3.4.0
v3.3.0 (Compare Source)
Full Changelog: docker/login-action@v3.2.0...v3.3.0
v3.2.0 (Compare Source)
Full Changelog: docker/login-action@v3.1.0...v3.2.0
v3.1.0 (Compare Source)
Full Changelog: docker/login-action@v3.0.0...v3.1.0
docker/setup-buildx-action (docker/setup-buildx-action)
v4 (Compare Source)
v4.0.0 (Compare Source)
Full Changelog: docker/setup-buildx-action@v3.12.0...v4.0.0
v3.12.0 (Compare Source)
- `install` input by @crazy-max in #455
Full Changelog: docker/setup-buildx-action@v3.11.1...v3.12.0
v3.11.1 (Compare Source)
- `keep-state` not being respected by @crazy-max in #429
Full Changelog: docker/setup-buildx-action@v3.11.0...v3.11.1
v3.11.0 (Compare Source)
Full Changelog: docker/setup-buildx-action@v3.10.0...v3.11.0
v3.10.0 (Compare Source)
Full Changelog: docker/setup-buildx-action@v3.9.0...v3.10.0
v3.9.0 (Compare Source)
Full Changelog: docker/setup-buildx-action@v3.8.0...v3.9.0
v3.8.0 (Compare Source)
Full Changelog: docker/setup-buildx-action@v3.7.1...v3.8.0
v3.7.1 (Compare Source)
- `uuid` package by @crazy-max in #369
Full Changelog: docker/setup-buildx-action@v3.7.0...v3.7.1
v3.7.0 (Compare Source)
- `buildkitd-flags` if opt-in by @crazy-max in #363
- `uuid` package and switch to `crypto` by @crazy-max in #366
Full Changelog: docker/setup-buildx-action@v3.6.1...v3.7.0
v3.6.1 (Compare Source)
Full Changelog: docker/setup-buildx-action@v3.6.0...v3.6.1
v3.6.0 (Compare Source)
Full Changelog: docker/setup-buildx-action@v3.5.0...v3.6.0
v3.5.0 (Compare Source)
Full Changelog: docker/setup-buildx-action@v3.4.0...v3.5.0
v3.4.0 (Compare Source)
Full Changelog: docker/setup-buildx-action@v3.3.0...v3.4.0
v3.3.0 (Compare Source)
Full Changelog: docker/setup-buildx-action@v3.2.0...v3.3.0
v3.2.0 (Compare Source)
- `config` to `buildkitd-config`
- `config-inline` to `buildkitd-config-inline`
Full Changelog: docker/setup-buildx-action@v3.1.0...v3.2.0
v3.1.0 (Compare Source)
- `cache-binary` input to enable/disable caching binary to GHA cache backend by @crazy-max in #300
Full Changelog: docker/setup-buildx-action@v3.0.0...v3.1.0
dorny/test-reporter (dorny/test-reporter)
v3 (Compare Source)
v3.0.0 (Compare Source)
Note: The v3 release requires NodeJS 24 runtime on GitHub Actions runners.
What's Changed
Other Changes
New Contributors
Full Changelog: dorny/test-reporter@v2.7.0...v3.0.0
v2.7.0 (Compare Source)
What's Changed
- `slug-prefix` output for link anchors #731
- `jest-junit` testsuite errors as failures #155
Other Changes
- `flatted` package to v3.4.1 to fix a vulnerability by @jozefizso in #739
New Contributors
Full Changelog: dorny/test-reporter@v2.6.0...v2.7.0
v2.6.0 (Compare Source)
We updated all dependency packages to latest versions to fix reported security vulnerabilities.
What's Changed
- Fix: For `workflow_run` events, resolve the commit of the check run from related pull request head commits first (matching `workflow_run.head_branch`, then first PR), and fall back to `workflow_run.head_sha` for non-PR runs #673
- Change: The `test-reporter` action will list all artifacts associated with the build run #693
New Contributors
Full Changelog: dorny/test-reporter@v2.5.0...v2.6.0
v2.5.0 (Compare Source)
What's Changed
Features
Project maintenance
Full Changelog: dorny/test-reporter@v2.4.0...v2.5.0
v2.4.0 (Compare Source)
What's Changed
- `String.substring()` function by @jozefizso in #704
New Contributors
Full Changelog: dorny/test-reporter@v2.3.0...v2.4.0
v2.3.0 (Compare Source)
What's Changed
New Contributors
Full Changelog: dorny/test-reporter@v2.2.0...v2.3.0
v2.2.0 (Compare Source)
v2.1.1 (Compare Source)
A bug fix release of the `test-reporter` action.
What's Changed
- `github-utils.ts` by @jozefizso in #604
New Contributors
Full Changelog: dorny/test-reporter@v2.1.0...v2.1.1
v2.1.0 (Compare Source)
What's Changed
New Contributors
Full Changelog: dorny/test-reporter@v2.0.0...v2.1.0
v2.0.0 (Compare Source)
What's Changed
- `v2.0.0-preview` by @jozefizso in #449
- `@types/github-slugger` by @jozefizso in #524
- `v1` branch to `main` by @jozefizso in #525
New Contributors
Full Changelog: dorny/test-reporter@v1.9.1...v2.0.0
v2 (Compare Source)
v1.9.1 (Compare Source)
What's Changed
New Contributors
Full Changelog: dorny/test-reporter@v1.9.0...v1.9.1
v1.9.0 (Compare Source)
What's Changed
Features
- `rspec-json` format #398
Contributors
Full Changelog: dorny/test-reporter@v1.8.0...v1.9.0
v1.9 (Compare Source)
v1.8.0 (Compare Source)
What's Changed
- `SwiftXunitParser` class based on `JavaJunitParser` for `swift-xunit` reporter by @jozefizso in #317
- `test-reporter` release v1.8.0 by @jozefizso in #370
New Contributors
Full Changelog: dorny/test-reporter@v1.7.0...v1.8.0
v1.7.0 (Compare Source)
What's Changed
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.