
chore(deps): update module github.com/hashicorp/go-retryablehttp to v0.7.7 [security] (release-1.13)#316

Closed
phisco-renovate[bot] wants to merge 1 commit into
release-1.13from
renovate/release-1.13-go-github.com-hashicorp-go-retryablehttp-vulnerability

Conversation


@phisco-renovate phisco-renovate Bot commented Jul 26, 2024

This PR contains the following updates:

Package: github.com/hashicorp/go-retryablehttp
Change:  v0.7.1 -> v0.7.7

go-retryablehttp can leak basic auth credentials to log files

CVE-2024-6104 / GHSA-v6v8-xj6m-xwqh / GO-2024-2947

Details

go-retryablehttp prior to 0.7.7 did not sanitize urls when writing them to its log file. This could lead to go-retryablehttp writing sensitive HTTP basic auth credentials to its log file. This vulnerability, CVE-2024-6104, was fixed in go-retryablehttp 0.7.7.

Severity

  • CVSS Score: 6.0 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Leak of sensitive information to log files in github.com/hashicorp/go-retryablehttp

CVE-2024-6104 / GHSA-v6v8-xj6m-xwqh / GO-2024-2947

Details

URLs were not sanitized when writing them to log files. This could lead to writing sensitive HTTP basic auth credentials to the log file.

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


Release Notes

hashicorp/go-retryablehttp (github.com/hashicorp/go-retryablehttp)

v0.7.7
v0.7.6
v0.7.5
v0.7.4
v0.7.3
v0.7.2


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.
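As an added example (not code from go-retryablehttp or from this repository), the following Go program contrasts the logging pattern the advisory describes with a version that strips the password from the URL's userinfo before the line is written, and adds a check for spotting such leaks in logs already produced by the unpatched version. The function names and the sample URL are constructed for this illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)
// unsafeLogLine mirrors the pre-0.7.7 behaviour described in the advisory:
// the request URL, including any "user:password@" userinfo, is logged as-is.
func unsafeLogLine(method, rawURL string) string {
	return fmt.Sprintf("[DEBUG] %s %s", method, rawURL)
}

// redactURL drops the password from the userinfo before logging, keeping the
// username for correlation. (net/url's Redacted() instead substitutes "xxxxx".)
func redactURL(rawURL string) string {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "<unparseable url>" // never echo input that may hold a secret
	}
	if u.User != nil {
		u.User = url.User(u.User.Username()) // username only, password gone
		if u.User.Username() == "" {
			u.User = nil // nothing to keep; avoid emitting "https://@host"
		}
	}
	return u.String()
}

// safeLogLine is the hardened counterpart of unsafeLogLine.
func safeLogLine(method, rawURL string) string {
	return fmt.Sprintf("[DEBUG] %s %s", method, redactURL(rawURL))
}

// logLineLeaksPassword reports whether any token of a log line parses as a URL
// with a password in its userinfo: a check for logs written by the old version.
func logLineLeaksPassword(line string) bool {
	for _, tok := range strings.Fields(line) {
		if !strings.Contains(tok, "://") {
			continue
		}
		if u, err := url.Parse(tok); err == nil && u.User != nil {
			if _, hasPassword := u.User.Password(); hasPassword {
				return true
			}
		}
	}
	return false
}
```

Running logLineLeaksPassword over historical log files is a cheap way to decide whether credentials used with the old version need rotating.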


phisco-renovate Bot commented Jul 26, 2024

⚠️ Artifact update problem

Renovate failed to update artifacts related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: go.mod
Command failed: install-tool golang $(grep -oP ^toolchain go\K.+ go.mod)

File name: go.mod
Command failed: make generate
# golang.org/x/tools/internal/tokeninternal
/home/ubuntu/go/pkg/mod/golang.org/x/tools@v0.11.0/internal/tokeninternal/tokeninternal.go:78:9: invalid array length -delta * delta (constant -256 of type int64)
apis/generate.go:45: running "go": exit status 1
make[1]: *** [build/makelib/golang.mk:240: go.generate] Error 1
make: *** [build/makelib/common.mk:434: generate] Error 2

@phisco-renovate phisco-renovate Bot force-pushed the renovate/release-1.13-go-github.com-hashicorp-go-retryablehttp-vulnerability branch from 0b7416a to 0252abc on November 12, 2024 08:24
@phisco-renovate phisco-renovate Bot changed the title chore(deps): update module github.com/hashicorp/go-retryablehttp to v0.7.7 [security] (release-1.13) chore(deps): update module github.com/hashicorp/go-retryablehttp to v0.7.7 [security] (release-1.13) - autoclosed Apr 14, 2026
@phisco-renovate phisco-renovate Bot closed this Apr 14, 2026
@phisco-renovate phisco-renovate Bot deleted the renovate/release-1.13-go-github.com-hashicorp-go-retryablehttp-vulnerability branch April 14, 2026 09:29
@phisco-renovate phisco-renovate Bot changed the title chore(deps): update module github.com/hashicorp/go-retryablehttp to v0.7.7 [security] (release-1.13) - autoclosed chore(deps): update module github.com/hashicorp/go-retryablehttp to v0.7.7 [security] (release-1.13) Apr 17, 2026
@phisco-renovate phisco-renovate Bot reopened this Apr 17, 2026
@phisco-renovate phisco-renovate Bot force-pushed the renovate/release-1.13-go-github.com-hashicorp-go-retryablehttp-vulnerability branch 2 times, most recently from 0252abc to 100af63 on April 17, 2026 09:32
@phisco phisco closed this May 6, 2026