chore(deps): update dependency concourse/concourse to v7.12.1

[uniget-bot]

This PR contains the following updates:

Package	Update	Change
concourse/concourse	patch	7.12.0 -> 7.12.1

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

concourse/concourse (concourse/concourse)

v7.12.1

Compare Source

What's Changed

• fix: topgun k8s container limits test supports cgroups v1 and v2 by @​Spimtav in https://github.com/concourse/concourse/pull/9028
• Split go-concourse client tests by @​aliculPix4D in https://github.com/concourse/concourse/pull/9010
• go-concourse:connection client prints response body to the end user by @​aliculPix4D in https://github.com/concourse/concourse/pull/9011
• Rebase master onto release 7.12.x by @​drich10 in https://github.com/concourse/concourse/pull/9037
• fix(deps): update all dependencies by @​drich10 in https://github.com/concourse/concourse/pull/9038
• Rebase master 7.12 by @​drich10 in https://github.com/concourse/concourse/pull/9040
• fix(deps): update module golang.org/x/crypto to v0.31.0 [security] by @​renovate in https://github.com/concourse/concourse/pull/9039
• Update renovate config by @​drich10 in https://github.com/concourse/concourse/pull/9043
• Disable garden renovate update by @​drich10 in https://github.com/concourse/concourse/pull/9044
• fix(deps): update all dependencies by @​renovate in https://github.com/concourse/concourse/pull/8985

New Contributors

• @​Spimtav made their first contribution in https://github.com/concourse/concourse/pull/9028
• @​drich10 made their first contribution in https://github.com/concourse/concourse/pull/9037

Full Changelog: concourse/concourse@v7.12.0...v7.12.1

📦 Bundled resource types

• bosh-io-release: v1.2.2
• bosh-io-stemcell: v1.4.1
• docker-image: v1.10.0
• git: v1.17.0
• github-release: v1.10.1
• hg: v1.3.1
• mock: v0.13.0
• pool: v1.4.0
• registry-image: v1.10.1
• s3: v1.3.0
• semver: v1.8.1
• time: v1.7.0
• tracker: v1.1.0

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[nicholasdille-bot]

Auto-approved because label type/renovate is present.

[github-actions]

🔍 Vulnerabilities of ghcr.io/uniget-org/tools/concourse:7.12.1

📦 Image Reference ghcr.io/uniget-org/tools/concourse:7.12.1

digest	sha256:9ebc26b090c2e0f2ef35320d641762c9bc2f9a4412608f892c6ef7a83a56b7d1
vulnerabilities
platform	linux/amd64
size	86 MB
packages	213

golang.org/x/net 0.32.0 (golang) pkg:golang/golang.org/x/net@0.32.0 Allocation of Resources Without Limits or Throttling Affected range <0.33.0 Fixed version 0.33.0 CVSS Score 8.7 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N Description An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

github.com/aws/aws-sdk-go 1.55.5 (golang) pkg:golang/github.com/aws/aws-sdk-go@1.55.5 Affected range >=0 Fixed version Not Fixed Description A padding oracle vulnerability exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. The SDK allows users to encrypt files with AES-CBC without computing a Message Authentication Code (MAC), which then allows an attacker who has write access to the target's S3 bucket and can observe whether or not an endpoint with access to the key can decrypt a file, they can reconstruct the plaintext with (on average) 128*length (plaintext) queries to the endpoint, by exploiting CBC's ability to manipulate the bytes of the next block and PKCS5 padding errors. It is recommended to update your SDK to V2 or later, and re-encrypt your files. Affected range >=0 Fixed version Not Fixed Description A vulnerability in the in-band key negotiation exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. An attacker with write access to the targeted bucket can change the encryption algorithm of an object in the bucket, which can then allow them to change AES-GCM to AES-CTR. Using this in combination with a decryption oracle can reveal the authentication key used by AES-GCM as decrypting the GMAC tag leaves the authentication key recoverable as an algebraic equation. It is recommended to update your SDK to V2 or later, and re-encrypt your files.

gopkg.in/square/go-jose.v2 2.6.0 (golang) pkg:golang/gopkg.in/square/go-jose.v2@2.6.0 Improper Handling of Highly Compressed Data (Data Amplification) Affected range <=2.6.0 Fixed version Not Fixed CVSS Score 4.3 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L Description Impact An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). Thanks to Enze Wang@Alioth and Jianjun Chen@Zhongguancun Lab (@zer0yu and @chenjj) for reporting. Patches The problem is fixed in the following packages and versions: github.com/go-jose/go-jose/v4 version 4.0.1 github.com/go-jose/go-jose/v3 version 3.0.3 gopkg.in/go-jose/go-jose.v2 version 2.6.3 The problem will not be fixed in the following package because the package is archived: gopkg.in/square/go-jose.v2

[github-actions]

Attempting automerge. See https://github.com/uniget-org/tools/actions/runs/12941735762.

[github-actions]

PR is clean and can be merged. See https://github.com/uniget-org/tools/actions/runs/12941735762.