Skip to content

chore: Cherry pick CVE fixes released Sept 30 #434

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
reggie-k merged 5 commits into from
Oct 21, 2025
Merged

chore: Cherry pick CVE fixes released Sept 30 #434

reggie-k merged 5 commits into from
Oct 21, 2025

Conversation

@todaywasawesome
Copy link

@todaywasawesome todaywasawesome commented Oct 1, 2025

CVSS 7.5 (high) Unauthenticated argocd-server panic via a malicious Bitbucket-Server webhook payload
CVSS 7.5 (high) Unauthenticated Remote DoS in Argo CD via malformed Azure DevOps git.push webhook
CVSS 7.5 (high) Unauthenticated DoS due to lack of validation on pointer types
CVSS 6.5 (medium) Repository Credentials Race Condition Crashes Argo CD Server

Checklist:

  • Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
  • The title of the PR states what changed and the related issues number (used for the release note).
  • The title of the PR conforms to the Toolchain Guide
  • I've included "Closes [ISSUE #]" or "Fixes [ISSUE #]" in the description to automatically close the associated issue.
  • I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
  • Does this PR require documentation updates?
  • I've updated documentation as required by this PR.
  • I have signed off all my commits as required by DCO
  • I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
  • My build is green (troubleshooting builds).
  • My new feature complies with the feature status guidelines.
  • I have added a brief description of why this PR is necessary and/or what this PR solves.
  • Optional. My organization is added to USERS.md.
  • Optional. For bug fixes, I've indicated what older releases this fix should be cherry-picked into (this may or may not happen depending on risk/complexity).

@todaywasawesome todaywasawesome changed the title Cherry pick CVE fixes released Sept 30 Chore: Cherry pick CVE fixes released Sept 30 Oct 1, 2025
@todaywasawesome todaywasawesome changed the title Chore: Cherry pick CVE fixes released Sept 30 chore: Cherry pick CVE fixes released Sept 30 Oct 1, 2025
crenshaw-dev and others added 4 commits October 1, 2025 06:53
@crenshaw-dev @todaywasawesome
Merge commit from fork
237b18a 
Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>
Signed-off-by: Dan Garfield <dan.garfield@octopus.com>
@crenshaw-dev @todaywasawesome
Merge commit from fork
155020d 
Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>
Signed-off-by: Dan Garfield <dan.garfield@octopus.com>
@crenshaw-dev @todaywasawesome
Merge commit from fork
32d555a 
Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>
Signed-off-by: Dan Garfield <dan.garfield@octopus.com>
@thevilledev @todaywasawesome
Merge commit from fork
e59a13a 
Fixed a race condition in repository credentials handling by
implementing deep copying of secrets before modification.
This prevents concurrent map read/write panics when multiple
goroutines access the same secret.

The fix ensures thread-safe operations by always operating on
copies rather than shared objects.

Signed-off-by: Ville Vesilehto <ville@vesilehto.fi>
Signed-off-by: Dan Garfield <dan.garfield@octopus.com>
@codecov
Copy link

codecov bot commented Oct 1, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

@reggie-k reggie-k merged commit b325481 into sync-3.1.5 Oct 21, 2025
37 of 38 checks passed
@reggie-k reggie-k deleted the oct1cves branch October 21, 2025 09:49
@reggie-k reggie-k mentioned this pull request Oct 21, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ppapapetrou76 ppapapetrou76 ppapapetrou76 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@todaywasawesome @ppapapetrou76 @reggie-k @crenshaw-dev @thevilledev