chore(deps): update dependency replicatedhq/kots to v1.124.0

[uniget-bot]

This PR contains the following updates:

Package	Update	Change
replicatedhq/kots	minor	1.123.1 -> 1.124.0

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

replicatedhq/kots (replicatedhq/kots)

v1.124.0

Compare Source

Changelog

• 41af95b fix(ui): missing pre snapshot scripts show more button (#​5113)
• 29c846c feat(ec): migration from v1 to v2 - fixes (#​5111)
• e62b5e9 Push EC manager binary in airgap bundle to registry (#​5110)
• c411894 feat: allow migrate from HelmChart v1beta1 to v1beta2 if Helm --take-ownership is set (#​5046)
• 6f04de7 Upgrade EC managers (#​5099)
• 243d2a5 Update KOTS image dependency tags (#​5109)
• 9e214a7 feat(ec): migration from v1 to v2 (#​5100)
• 3fb2379 Update KOTS image dependency tags (#​5006)
• a87d0ac chore(deps): bump google.golang.org/api from 0.200.0 to 0.217.0 (#​5104)
• 726662a chore(deps): bump the security group across 1 directory with 10 updates (#​5108)
• 98bee3a chore(deps): bump the security group in /kurl_proxy with 3 updates (#​5105)
• 778f3cf chore(deps): bump the security group with 9 updates (#​5103)
• bf059df chore(deps-dev): bump @​storybook/addon-actions in /web (#​5102)
• 3d0a09a Miawong/sc 116932/improved disaster recovery for ec ux (#​5070)
• 8d595bf chore(deps): bump github.com/replicatedhq/troubleshoot (#​5093)

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[nicholasdille-bot]

Auto-approved because label type/renovate is present.

[github-actions]

🔍 Vulnerabilities of ghcr.io/uniget-org/tools/kots:1.124.0

📦 Image Reference ghcr.io/uniget-org/tools/kots:1.124.0

digest	sha256:7c5f22ecfe8e2e7e5873b3e6263643fbb7346c95f87613749536d9370f655ad3
vulnerabilities
platform	linux/amd64
size	49 MB
packages	386

github.com/aws/aws-sdk-go 1.55.6 (golang) pkg:golang/github.com/aws/aws-sdk-go@1.55.6 Affected range >=0 Fixed version Not Fixed Description A padding oracle vulnerability exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. The SDK allows users to encrypt files with AES-CBC without computing a Message Authentication Code (MAC), which then allows an attacker who has write access to the target's S3 bucket and can observe whether or not an endpoint with access to the key can decrypt a file, they can reconstruct the plaintext with (on average) 128*length (plaintext) queries to the endpoint, by exploiting CBC's ability to manipulate the bytes of the next block and PKCS5 padding errors. It is recommended to update your SDK to V2 or later, and re-encrypt your files. Affected range >=0 Fixed version Not Fixed Description A vulnerability in the in-band key negotiation exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. An attacker with write access to the targeted bucket can change the encryption algorithm of an object in the bucket, which can then allow them to change AES-GCM to AES-CTR. Using this in combination with a decryption oracle can reveal the authentication key used by AES-GCM as decrypting the GMAC tag leaves the authentication key recoverable as an algebraic equation. It is recommended to update your SDK to V2 or later, and re-encrypt your files.

gopkg.in/square/go-jose.v2 2.2.2 (golang) pkg:golang/gopkg.in/square/go-jose.v2@2.2.2 Improper Handling of Highly Compressed Data (Data Amplification) Affected range <=2.6.0 Fixed version Not Fixed CVSS Score 4.3 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L Description Impact An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). Thanks to Enze Wang@Alioth and Jianjun Chen@Zhongguancun Lab (@zer0yu and @chenjj) for reporting. Patches The problem is fixed in the following packages and versions: github.com/go-jose/go-jose/v4 version 4.0.1 github.com/go-jose/go-jose/v3 version 3.0.3 gopkg.in/go-jose/go-jose.v2 version 2.6.3 The problem will not be fixed in the following package because the package is archived: gopkg.in/square/go-jose.v2

k8s.io/apiserver 0.32.1 (golang) pkg:golang/k8s.io/apiserver@0.32.1 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <1.15.10 Fixed version 1.15.10, 1.16.7, 1.17.3 CVSS Score 4.3 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L Description The Kubernetes API server component has been found to be vulnerable to a denial of service attack via successful API requests.

github.com/mholt/archiver/v3 3.5.1 (golang) pkg:golang/github.com/mholt/archiver/v3@3.5.1 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Affected range >=3.0.0 <=3.5.1 Fixed version Not Fixed CVSS Score 6.1 CVSS Vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N Description A flaw was discovered in the mholt/archiver package. This flaw allows an attacker to create a specially crafted tar file, which, when unpacked, may allow access to restricted files or directories. This issue can allow the creation or overwriting of files with the user's or application's privileges using the library.

[github-actions]

Attempting automerge. See https://github.com/uniget-org/tools/actions/runs/12953733583.

[github-actions]

PR is clean and can be merged. See https://github.com/uniget-org/tools/actions/runs/12953733583.