chore(deps): update dependency cloudflare/cloudflared to v2025

[uniget-bot]

This PR contains the following updates:

Package	Update	Change
cloudflare/cloudflared	major	2024.12.2 -> 2025.1.0

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

cloudflare/cloudflared (cloudflare/cloudflared)

v2025.1.0

Compare Source

SHA256 Checksums:

cloudflared-amd64.pkg: 737f44e9211a2b9d3cc273cd9287951b67bef8922d32debc473e619bf7453df5
cloudflared-arm64.pkg: 8b83b0499b6982f239a941d9234620cc72c1328f5bdded2694a749451d2e7ea0
cloudflared-darwin-amd64.tgz: 8d7612b8ab14a218ac78bfc09f38f9a3a1a7d8b60081ede7e788739a2cca60fb
cloudflared-darwin-arm64.tgz: c29e4553a11783988dbd733ffadf3d0122858bbbcc633ce1474b1f33c2f764fd
cloudflared-fips-linux-amd64: 0465124cf393261d40943a0c214dc32e793b2c089ff1a308a035ef4bfbf126c9
cloudflared-fips-linux-amd64.deb: a78fc4205fe9cc932b02b10d73291af1d0a436de9922cf042331c3bbcd342729
cloudflared-fips-linux-x86_64.rpm: e5c9befcbff60e7f91ac7c199d355c95fc70302cba078d2e5a49ed72b1c5cda1
cloudflared-linux-386: dce48149614982aae1889be9babfc44e12f9458655181664e921f9708ff449de
cloudflared-linux-386.deb: 633b7eeba1f6904b04100ac67a63f7e3b0c5fb55d9af1925e2c37553a5ce6673
cloudflared-linux-386.rpm: aa4d11a5c5460cb610e776f95c8c0fea412da6a9af9de4896c867c12bf31311b
cloudflared-linux-aarch64.rpm: 03079e5c4a347d822f7fbb513a05b4f30640d56c030d6e69f7a7ef71b4970874
cloudflared-linux-amd64: 8734f79dbdcb91e305fa48d837840c8c0d14f143ed390c516b86c2c292d9b368
cloudflared-linux-amd64.deb: 9e30e5880dd1eb71d685123d601dd5268c45c3cdce2f3379d7d9c1bbc4fbc503
cloudflared-linux-arm: 0de627fd141a61f72d71b2cb826718bd4c8d809195004b7f49018893664c803d
cloudflared-linux-arm.deb: a57aa6b4a6beefb1afcb1d4d91958319e0933ebd7d386a31cfc3ade2cacd421c
cloudflared-linux-arm.rpm: 7d2ef4b0dd546d06150fdfecd7cbf76d8ed0a8935f4314abdb46cd203385beec
cloudflared-linux-arm64: c6b91c3c84e75be67df0adf44655405ccccc467f964943c54b2fc380ca636062
cloudflared-linux-arm64.deb: 2904305c637ceed5068b86f1bf5de4f0c94e931b0fb523265e78efc5de440005
cloudflared-linux-armhf: 6a9ae8729166d3d84c80fdbc0d5ae6ef123fa2cf69d5e05bd3cd4a47646e6a3f
cloudflared-linux-armhf.deb: 8026fab4600046dda14d8bdf30462c0e02eba9119e57aff31ef991bf6f585cac
cloudflared-linux-armhf.rpm: 4636ea5c2ac0395452410dbbae5983ea5bfbd7e522287693008a60b6b24a4785
cloudflared-linux-x86_64.rpm: e8b63339d666791dea98f056e555a680e94b79129e49dbba07bd27f0bdc4868c
cloudflared-windows-386.exe: 315e4e5b36930c3de475457657ff777a5653404b92c8d6522daba61414af7219
cloudflared-windows-386.msi: 892503dc1b9a147c4f1f26d090a36b5ca1dd3224c4f190f8de317f4b851c609e
cloudflared-windows-amd64.exe: f1ea0be7b442593b62656a371110a218bf42e0fe63338bc558744c7d84ef7826
cloudflared-windows-amd64.msi: 2853e1f19b92fa7538c7d47d7418e8894aa52f591f800cb612997f5c21849852

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[nicholasdille-bot]

Auto-approved because label type/renovate is present.

[github-actions]

🔍 Vulnerabilities of ghcr.io/uniget-org/tools/cloudflared:2025.1.0

📦 Image Reference ghcr.io/uniget-org/tools/cloudflared:2025.1.0

digest	sha256:55512591b1182c96cc04fc0b56c487de38c22f66bb22ed5b23a6201ac751169b
vulnerabilities
platform	linux/amd64
size	19 MB
packages	71

golang.org/x/crypto 0.23.0 (golang) pkg:golang/golang.org/x/crypto@0.23.0 Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/crypto@v0.31.0 enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.

stdlib 1.22.5 (golang) pkg:golang/stdlib@1.22.5 Affected range <1.22.7 Fixed version 1.22.7 Description Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion. Affected range <1.22.7 Fixed version 1.22.7 Description Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635. Affected range <1.22.7 Fixed version 1.22.7 Description Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635. Affected range <1.22.7 Fixed version 1.22.7 Description Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.

golang.org/x/net 0.25.0 (golang) pkg:golang/golang.org/x/net@0.25.0 Allocation of Resources Without Limits or Throttling Affected range <0.33.0 Fixed version 0.33.0 CVSS Score 8.7 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N Description An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

github.com/quic-go/quic-go 0.45.0 (golang) pkg:golang/github.com/quic-go/quic-go@0.45.0 Insufficient Verification of Data Authenticity Affected range <0.48.2 Fixed version 0.48.2 CVSS Score 6 CVSS Vector CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N Description Impact An off-path attacker can inject an ICMP Packet Too Large packet. Since affected quic-go versions used IP_PMTUDISC_DO, the kernel would then return a "message too large" error on sendmsg, i.e. when quic-go attempts to send a packet that exceeds the MTU claimed in that ICMP packet. By setting this value to smaller than 1200 bytes (the minimum MTU for QUIC), the attacker can disrupt a QUIC connection. Crucially, this can be done after completion of the handshake, thereby circumventing any TCP fallback that might be implemented on the application layer (for example, many browsers fall back to HTTP over TCP if they're unable to establish a QUIC connection). As far as I understand, the kernel tracks the MTU per 4-tuple, so the attacker needs to at least know the client's IP and port tuple to mount an attack (assuming that it knows the server's IP and port). Patches The fix is easy: Use IP_PMTUDISC_PROBE instead of IP_PMTUDISC_DO. This socket option only sets the DF bit, but disables the kernel's MTU tracking. Has the problem been patched? What versions should users upgrade to? Fixed in quic-go/quic-go#4729 Released in https://github.com/quic-go/quic-go/releases/tag/v0.48.2 Workarounds Is there a way for users to fix or remediate the vulnerability without upgrading? Use iptables to drop ICMP Unreachable packets. References Are there any links users can visit to find out more? This bug was discovered while doing research for my new IETF draft on IP fragmentation: https://datatracker.ietf.org/doc/draft-seemann-tsvwg-udp-fragmentation/

[github-actions]

Attempting automerge. See https://github.com/uniget-org/tools/actions/runs/12655625404.

[github-actions]

PR is clean and can be merged. See https://github.com/uniget-org/tools/actions/runs/12655625404.