-
Notifications
You must be signed in to change notification settings - Fork 4
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
chore(deps): update dependency aws-cdk-lib to v2.80.0 [security] #315
Open
renovate
wants to merge
1
commit into
develop
Choose a base branch
from
renovate/npm-aws-cdk-lib-vulnerability
base: develop
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Diff Output:
|
renovate
bot
force-pushed
the
renovate/npm-aws-cdk-lib-vulnerability
branch
13 times, most recently
from
September 18, 2023 15:27
86bc7e4
to
62c983a
Compare
renovate
bot
force-pushed
the
renovate/npm-aws-cdk-lib-vulnerability
branch
12 times, most recently
from
September 25, 2023 01:47
0cabc96
to
e5b2872
Compare
renovate
bot
force-pushed
the
renovate/npm-aws-cdk-lib-vulnerability
branch
4 times, most recently
from
October 2, 2023 09:15
c382f8e
to
b26862f
Compare
renovate
bot
force-pushed
the
renovate/npm-aws-cdk-lib-vulnerability
branch
14 times, most recently
from
November 17, 2023 09:46
12bffbf
to
70bd5eb
Compare
renovate
bot
force-pushed
the
renovate/npm-aws-cdk-lib-vulnerability
branch
6 times, most recently
from
December 1, 2023 16:33
8717e86
to
ae71039
Compare
renovate
bot
force-pushed
the
renovate/npm-aws-cdk-lib-vulnerability
branch
from
December 13, 2023 04:41
ae71039
to
c501722
Compare
renovate
bot
force-pushed
the
renovate/npm-aws-cdk-lib-vulnerability
branch
from
February 25, 2024 11:30
c501722
to
015de3f
Compare
renovate
bot
force-pushed
the
renovate/npm-aws-cdk-lib-vulnerability
branch
from
March 12, 2024 13:08
015de3f
to
9de758b
Compare
renovate
bot
force-pushed
the
renovate/npm-aws-cdk-lib-vulnerability
branch
from
July 21, 2024 13:51
9de758b
to
9950195
Compare
renovate
bot
force-pushed
the
renovate/npm-aws-cdk-lib-vulnerability
branch
from
August 6, 2024 08:49
9950195
to
81da803
Compare
renovate
bot
force-pushed
the
renovate/npm-aws-cdk-lib-vulnerability
branch
from
August 28, 2024 08:05
81da803
to
3fad705
Compare
renovate
bot
force-pushed
the
renovate/npm-aws-cdk-lib-vulnerability
branch
from
October 9, 2024 11:33
3fad705
to
bec6035
Compare
renovate
bot
force-pushed
the
renovate/npm-aws-cdk-lib-vulnerability
branch
from
December 2, 2024 10:04
bec6035
to
4105fe0
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
None yet
0 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
2.74.0
->2.80.0
GitHub Vulnerability Alerts
CVE-2023-35165
If you are using the
eks.Cluster
oreks.FargateCluster
construct we need you to take action. Other users are not affected and can stop reading.Impact
The AWS Cloud Development Kit (CDK) allows for the definition of Amazon Elastic Container Service for Kubernetes (EKS) clusters.
eks.Cluster
andeks.FargateCluster
constructs create two roles that have an overly permissive trust policy.The first, referred to as the CreationRole, is used by lambda handlers to create the cluster and deploy Kubernetes resources (e.g
KubernetesManifest
,HelmChart
, ...) onto it. Users with CDK version higher or equal to 1.62.0 (including v2 users) will be affected.The second, referred to as the default MastersRole, is provisioned only if the
mastersRole
property isn't provided and has permissions to executekubectl
commands on the cluster. Users with CDK version higher or equal to 1.57.0 (including v2 users) will be affected.Both these roles use the account root principal in their trust policy, which allows any identity in the account with the appropriate
sts:AssumeRole
permissions to assume it. For example, this can happen if another role in your account hassts:AssumeRole
permissions onResource: "*"
.CreationRole
Users with CDK version higher or equal to 1.62.0 (including v2 users). The role in question can be located in the IAM console. It will have the following name pattern:
*-ClusterCreationRole-*
MastersRole
Users with CDK version higher or equal to 1.57.0 (including v2 users) that are not specifying the
mastersRole
property. The role in question can be located in the IAM console. It will have the following name pattern:*-MastersRole-*
Patches
The issue has been fixed in versions v1.202.0, v2.80.0. We recommend you upgrade to a fixed version as soon as possible. See Managing Dependencies in the CDK Developer Guide for instructions on how to do this.
The new versions no longer use the account root principal. Instead, they restrict the trust policy to the specific roles of lambda handlers that need it. This introduces some breaking changes that might require you to perform code changes. Refer to https://github.com/aws/aws-cdk/issues/25674 for a detailed discussion of options.
Workarounds
CreationRole
There is no workaround available for CreationRole.
MastersRole
To avoid creating the default MastersRole, use the
mastersRole
property to explicitly provide a role. For example:References
https://github.com/aws/aws-cdk/issues/25674
If you have any questions or comments about this advisory we ask that you contact AWS/Amazon Security via our vulnerability reporting page or directly via email to [email protected]. Please do not create a public GitHub issue.
Release Notes
aws/aws-cdk (aws-cdk-lib)
v2.80.0
Compare Source
⚠ BREAKING CHANGES
mastersRole
property to explicitly pass a role that needs cluster access. In addition, the creation role no longer allows any identity (with the appropriatests:AssumeRole
permissions) to assume it.Features
Bug Fixes
Alpha modules (2.80.0-alpha.0)
v2.79.1
Compare Source
Bug Fixes
Alpha modules (2.79.1-alpha.0)
v2.79.0
Compare Source
Features
Bug Fixes
[Object object]
(#25466) (b3d0d57), closes #25250Alpha modules (2.79.0-alpha.0)
Bug Fixes
[Object object]
(#25250) (b3d0d57)v2.78.0
Compare Source
Features
aws/codebuild/amazonlinux2-aarch64-standard:3.0
(#25351) (0d187c1), closes #25334Bug Fixes
variables
property onStage
resource (#25267) (04427e3), closes #3635ManagedEc2EcsComputeEnvironment
instance role missing managed policy (#25279) (c81d115), closes #25256Alpha modules (2.78.0-alpha.0)
v2.77.0
Compare Source
Features
Bug Fixes
port
property (#25112) (925c9ba), closes #22452BackupVault.fromBackupVaultArn
parses wrong arn format (#25259) (c2082a7), closes #25212previous-parameters
option to bootstrap command (#25219) (02e8758), closes #23780Alpha modules (2.77.0-alpha.0)
v2.76.0
Compare Source
⚠ BREAKING CHANGES TO EXPERIMENTAL FEATURES
The user who are using these two method need to update to use alternative method.
For associateStack, the alternative method is associateApplicationWithStack
For associateAttributeGroup, the alternative method is AttributeGroup.associateWith
The user who are using these two method need to update to use alternative method. For associateStack, the alternative method is associateApplicationWithStack For associateAttributeGroup, the alternative method is AttributeGroup.associateWith
Purpose of this PR:
we need to remove deprecated resource before we moving into stable version The method that we remove is: associateStack and associateAttributeGroup
CHANGES:
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license
Features
Bug Fixes
jobQueueName
returns ARN instead of name (#25093) (a344507), closes #23018Alpha modules (2.76.0-alpha.0)
v2.75.1
Compare Source
Reverts
Alpha modules (2.75.1-alpha.0)
v2.75.0
Compare Source
Features
Alpha modules (2.75.0-alpha.0)
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
This PR was generated by Mend Renovate. View the repository job log.