cloudflared/2024.12.1-r0: cve remediation #36983

Merged
merged 1 commit into from
Dec 13, 2024

cloudflared/2024.12.1-r0: fix GHSA-v778-237x-gjrc

20ea0f9
Octo STS / elastic-build succeeded Dec 13, 2024 in 2m 55s

APKs built successfully

Build ID: 24e0a846-bd4d-4c3d-85f7-111c4f0da7f1

Details

x86_64 Logs

his property under `originRequest` as per https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configuration/configuration-file/ingress (default: 30s)
   --proxy-no-happy-eyeballs --url                     HTTP proxy should disable "happy eyeballs" for IPv4/v6 fallback This flag only takes effect if you define your origin with --url and if you do not use ingress rules. The recommended way is to rely on ingress rules and define this property under `originRequest` as per https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configuration/configuration-file/ingress (default: false)
   --proxy-keepalive-connections --url                 HTTP proxy maximum keepalive connection pool size This flag only takes effect if you define your origin with --url and if you do not use ingress rules. The recommended way is to rely on ingress rules and define this property under `originRequest` as per https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configuration/configuration-file/ingress (default: 100)
   --proxy-keepalive-timeout --url                     HTTP proxy timeout for closing an idle connection This flag only takes effect if you define your origin with --url and if you do not use ingress rules. The recommended way is to rely on ingress rules and define this property under `originRequest` as per https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configuration/configuration-file/ingress (default: 1m30s)
   --proxy-connection-timeout value                    DEPRECATED. No longer has any effect. (default: 1m30s)
   --proxy-expect-continue-timeout value               DEPRECATED. No longer has any effect. (default: 1m30s)
   --http-host-header --url                            Sets the HTTP Host header for the local webserver. This flag only takes effect if you define your origin with --url and if you do not use ingress rules. The recommended way is to rely on ingress rules and define this property under `originRequest` as per https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configuration/configuration-file/ingress [$TUNNEL_HTTP_HOST_HEADER]
   --origin-server-name --url                          Hostname on the origin server certificate. This flag only takes effect if you define your origin with --url and if you do not use ingress rules. The recommended way is to rely on ingress rules and define this property under `originRequest` as per https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configuration/configuration-file/ingress [$TUNNEL_ORIGIN_SERVER_NAME]
   --unix-socket value                                 Path to unix socket to use instead of --url [$TUNNEL_UNIX_SOCKET]
   --origin-ca-pool --url                              Path to the CA for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare. This flag only takes effect if you define your origin with --url and if you do not use ingress rules. The recommended way is to rely on ingress rules and define this property under `originRequest` as per https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configuration/configuration-file/ingress [$TUNNEL_ORIGIN_CA_POOL]
   --no-tls-verify --url                               Disables TLS verification of the certificate presented by your origin. Will allow any certificate from the origin to be accepted. Note: The connection from your machine to Cloudflare's Edge is still encrypted. This flag only takes effect if you define your origin with --url and if you do not use ingress rules. The recommended way is to rely on ingress rules and define this property under `originRequest` as per https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configuration/configuration-file/ingress (default: false) [$NO_TLS_VERIFY]
   --no-chunked-encoding --url                         Disables chunked transfer encoding; useful if you are running a WSGI server. This flag only takes effect if you define your origin with --url and if you do not use ingress rules. The recommended way is to rely on ingress rules and define this property under `originRequest` as per https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configuration/configuration-file/ingress (default: false) [$TUNNEL_NO_CHUNKED_ENCODING]
   --http2-origin                                      Enables HTTP/2 origin servers. (default: false) [$TUNNEL_ORIGIN_ENABLE_HTTP2]
   --bastion                                           Runs as jump host (default: false) [$TUNNEL_BASTION]
   --proxy-address value                               Listen address for the proxy. (default: "127.0.0.1") [$TUNNEL_PROXY_ADDRESS]
   --proxy-port value                                  Listen port for the proxy. (default: 0) [$TUNNEL_PROXY_PORT]
   --loglevel value                                    Application logging level {debug, info, warn, error, fatal}. At debug level cloudflared will log request URL, method, protocol, content length, as well as, all request and response headers. This can expose sensitive information in your logs. (default: "info") [$TUNNEL_LOGLEVEL]
   --transport-loglevel value, --proto-loglevel value  Transport logging level(previously called protocol logging level) {debug, info, warn, error, fatal} (default: "info") [$TUNNEL_PROTO_LOGLEVEL, $TUNNEL_TRANSPORT_LOGLEVEL]
   --logfile value                                     Save application log to this file for reporting issues. [$TUNNEL_LOGFILE]
   --log-directory value                               Save application log to this directory for reporting issues. [$TUNNEL_LOGDIRECTORY]
   --trace-output value                                Name of trace output file, generated when cloudflared stops. [$TUNNEL_TRACE_OUTPUT]
   --proxy-dns                                         Run a DNS over HTTPS proxy server. (default: false) [$TUNNEL_DNS]
   --proxy-dns-port value                              Listen on given port for the DNS over HTTPS proxy server. (default: 53) [$TUNNEL_DNS_PORT]
   --proxy-dns-address value                           Listen address for the DNS over HTTPS proxy server. (default: "localhost") [$TUNNEL_DNS_ADDRESS]
   --proxy-dns-upstream value                          Upstream endpoint URL, you can specify multiple endpoints for redundancy. (default: "https://1.1.1.1/dns-query", "https://1.0.0.1/dns-query")  (accepts multiple inputs) [$TUNNEL_DNS_UPSTREAM]
   --proxy-dns-max-upstream-conns value                Maximum concurrent connections to upstream. Setting to 0 means unlimited. (default: 5) [$TUNNEL_DNS_MAX_UPSTREAM_CONNS]
   --proxy-dns-bootstrap value                         bootstrap endpoint URL, you can specify multiple endpoints for redundancy. (default: "https://162.159.36.1/dns-query", "https://162.159.46.1/dns-query", "https://[2606:4700:4700::1111]/dns-query", "https://[2606:4700:4700::1001]/dns-query")  (accepts multiple inputs) [$TUNNEL_DNS_BOOTSTRAP]
   --credentials-file value, --cred-file value         Filepath at which to read/write the tunnel credentials [$TUNNEL_CRED_FILE]
   --region value                                      Cloudflare Edge region to connect to. Omit or set to empty to connect to the global region. [$TUNNEL_REGION]
   --edge-ip-version value                             Cloudflare Edge IP address version to connect with. {4, 6, auto} (default: "4") [$TUNNEL_EDGE_IP_VERSION]
   --edge-bind-address value                           Bind to IP address for outgoing connections to Cloudflare Edge. [$TUNNEL_EDGE_BIND_ADDRESS]
   --hostname value                                    Set a hostname on a Cloudflare zone to route traffic through this tunnel. [$TUNNEL_HOSTNAME]
   --lb-pool value                                     The name of a (new/existing) load balancing pool to add this origin to. [$TUNNEL_LB_POOL]
   --metrics-update-freq value                         Frequency to update tunnel metrics (default: 5s) [$TUNNEL_METRICS_UPDATE_FREQ]
   --retries value                                     Maximum number of retries for connection/protocol errors. (default: 5) [$TUNNEL_RETRIES]
   --label value                                       Use this option to give a meaningful label to a specific connector. When a tunnel starts up, a connector id unique to the tunnel is generated. This is a uuid. To make it easier to identify a connector, we will use the hostname of the machine the tunnel is running on along with the connector ID. This option exists if one wants to have more control over what their individual connectors are called.
   --grace-period value                                When cloudflared receives SIGINT/SIGTERM it will stop accepting new requests, wait for in-progress requests to terminate, then shutdown. Waiting for in-progress requests will timeout after this grace period, or when a second SIGTERM/SIGINT is received. (default: 30s) [$TUNNEL_GRACE_PERIOD]
   --compression-quality value                         (beta) Use cross-stream compression instead HTTP compression. 0-off, 1-low, 2-medium, >=3-high. (default: 0) [$TUNNEL_COMPRESSION_LEVEL]
   --name value, -n value                              Stable name to identify the tunnel. Using this flag will create, route and run a tunnel. For production usage, execute each command separately [$TUNNEL_NAME]
   --post-quantum, --pq                                When given creates an experimental post-quantum secure tunnel (default: false) [$TUNNEL_POST_QUANTUM]
   --management-diagnostics                            Enables the in-depth diagnostic routes to be made available over the management service (/debug/pprof, /metrics, etc.) (default: true) [$TUNNEL_MANAGEMENT_DIAGNOSTICS]
   --overwrite-dns, -f                                 Overwrites existing DNS records with this hostname (default: false) [$TUNNEL_FORCE_PROVISIONING_DNS]
   --help, -h                                          show help (default: false)
   
running step "Test quick tunnel creation"
running step "start daemon on localhost"
daemon started as pid 56 with: cloudflared tunnel --url localhost:8080/
looking for 3 lines in output within 30 seconds

aarch64 Logs

evaluating pipelines for package requirements
building test workspace in: '/tmp/melange-guest-2292031501-main' with apko
Error: rpc error: code = NotFound desc = federate identity: rpc error: code = NotFound desc = no identity found for (https://accounts.google.com, 109346087047205543085)
Error running `chainctl auth token`: exit status 1
2024/12/13 21:20:45 [DEBUG] GET https://apk.cgr.dev/wolfi-presubmit/51164ad6350ce937b48ccdca507bcf69cc9ede41/apk-configuration
2024/12/13 21:20:46 [DEBUG] GET https://packages.wolfi.dev/os/apk-configuration
setting apk repositories: [https://apk.cgr.dev/wolfi-presubmit/51164ad6350ce937b48ccdca507bcf69cc9ede41 https://packages.wolfi.dev/os]
image configuration:
  contents:
    build repositories: []
    runtime repositories: []
    keyring:      []
    packages:     [bash coreutils curl grep procps netcat-openbsd cloudflared busybox]
installing ncurses-terminfo-base (6.5_p20241006-r4)
installing ca-certificates-bundle (20241010-r2)
installing wolfi-baselayout (20230201-r15)
installing glibc (2.40-r3)
installing libgcc (14.2.0-r6)
installing ld-linux (2.40-r3)
installing glibc-locale-posix (2.40-r3)
installing ncurses (6.5_p20241006-r4)
installing bash (5.2.37-r2)
installing libxcrypt (4.4.36-r8)
installing libcrypt1 (2.40-r3)
installing busybox (1.37.0-r0)
installing cloudflared (2024.12.1-r1)
installing libattr1 (2.5.2-r4)
installing libacl1 (2.3.2-r4)
installing libcrypto3 (3.4.0-r4)
installing coreutils (9.5-r3)
installing libunistring (1.3-r1)
installing libidn2 (2.3.7-r3)
installing libpsl (0.21.5-r4)
installing libbrotlicommon1 (1.1.0-r4)
installing libbrotlidec1 (1.1.0-r4)
installing krb5-conf (1.0-r3)
installing libverto (0.3.2-r4)
installing keyutils-libs (1.6.3-r5)
installing libcom_err (1.47.1-r1)
installing libssl3 (3.4.0-r4)
installing krb5-libs (1.21.3-r2)
installing zlib (1.3.1-r4)
installing readline (8.2.13-r1)
installing sqlite-libs (3.47.2-r0)
installing heimdal-libs (7.8.0-r7)
installing gdbm (1.24-r1)
installing cyrus-sasl (2.1.28-r5)
installing libevent (2.1.12-r6)
installing libldap (2.6.9-r0)
installing libnghttp2-14 (1.64.0-r1)
installing libcurl-openssl4 (8.11.1-r0)
installing curl (8.11.1-r0)
installing libpcre2-8-0 (10.44-r2)
installing grep (3.11-r2)
installing libmd (1.1.0-r2)
installing libbsd (0.12.2-r1)
installing netcat-openbsd (1.226-r4)
installing libproc-2-0 (4.0.4-r2)
installing procps (4.0.4-r2)
installing wolfi-keys (1-r8)
installing apk-tools (2.14.4-r1)
installing wolfi-base (1-r6)
built image layer tarball as /tmp/apko-temp-259602474/apko-aarch64.tar.gz
using /tmp/apko-temp-259602474/apko-aarch64.tar.gz for image layer
OCI layer digest: sha256:c58c7f9edc1d93863c81a5ffb794fde31b23f63d67f8b0eaeaffb70c4949f9b3
OCI layer diffID: sha256:fb525400552709f2104d014ecd0c3390444dbd6da7bdf464f5dd789d7c340367
saving OCI image locally: apko.local/cache:c843f37b9dfbf6cef2a75bd1facb7389e4b6aa9164f5d3616b6e7985b376ab8e
skipping local domain tagging apko.local/cache:c843f37b9dfbf6cef2a75bd1facb7389e4b6aa9164f5d3616b6e7985b376ab8e as index.docker.io/library/melange:latest
populating workspace /tmp/melange-workspace-2204920034 from cloudflared
ImgRef = apko.local/cache:c843f37b9dfbf6cef2a75bd1facb7389e4b6aa9164f5d3616b6e7985b376ab8e

Indexes

https://apk.cgr.dev/wolfi-presubmit/51164ad6350ce937b48ccdca507bcf69cc9ede41

Packages

Tests

More Observability

Command

cg build log \
  --build-id 24e0a846-bd4d-4c3d-85f7-111c4f0da7f1 \
  --project prod-wolfi-os \
  --cluster elastic-pre-a \
  --namespace pre-wolfi \
  --start 2024-12-13T21:18:01Z \
  --end 2024-12-13T21:30:57Z \
  --attrs pkg,arch