Sync/upstream#5
Merged
…icit-deny-as-user-induced Categorize explicit deny policy in IAM role as user induced
…-version Bump go version to 1.24.9
…tro-pr-bot/go-version-bumps Creating PR to update Go version to 1.24.11
…puty-protection Add Confused Deputy protection headers for aws-encryption-provider
Add kmala as the owner of the project
1.35.0 dependency update
Fixes security vulnerabilities in crypto/x509: [CVE-2025-61727](GHSA-5mh9-3jwc-rp59): Excluded subdomain constraint doesn't preclude wildcard SAN Signed-off-by: Ronald Ngounou <ronald.ngounou@yahoo.com>
…-2025-61727 Upgrade Go to 1.25.6 to fix crypto/x509 CVEs
…tro-pr-bot/go-version-bumps Creating PR to update Go version to 1.25.7
bump go to 1.25.7
…go-to-1.25.8 Upgrade Go version to 1.25.8
fix: bump go version for CVE fix
fix: failing cloudbuild due to stale gcb image, update to use latest
fix: add health check timeouts
…unner-bump Bumping gorunner image tag in Dockerfile for CVE mitigation
V1Plugin.Decrypt() and V2Plugin.Decrypt() both access the first byte of the ciphertext slice for storage version prefix detection without verifying the slice is non-empty. An empty or nil ciphertext causes an unrecovered panic that crashes the entire aws-encryption-provider process, making Kubernetes Secrets unavailable until pod restart. Add len() == 0 guards to both V1 and V2 Decrypt paths, returning a clean gRPC error instead of panicking. Add unit tests for both paths. Security: High — unauthenticated crash via Unix socket gRPC call
…phertext-panic Fix index-out-of-bounds panic on empty ciphertext in Decrypt
1.36.0 dependency update
Categorize 'AWS KMS cannot communicate with the external key store proxy' error message as KMSErrorTypeUserInduced in the KMSInternalException case. Added corresponding test case.
…TypeUserInduced Add External key store proxy communication failure to UserInduced errors
Sync 35 commits from upstream.
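The empty-ciphertext commit in the list above describes reading the first byte of the ciphertext for prefix detection without a length check. As an added sketch (not the project's code), the Go below puts that pattern beside a `len() == 0` guard; the function names, the prefix byte and the error value are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// storagePrefix is a constructed marker byte for this sketch, not the project's value.
const storagePrefix = 'v'

// errEmptyCiphertext is a hypothetical error; the commit returns a gRPC error.
var errEmptyCiphertext = errors.New("ciphertext is empty")

// unguardedVersion shows the pattern the commit describes: it indexes
// ciphertext[0] with no length check, so nil or empty input panics.
func unguardedVersion(ciphertext []byte) (bool, []byte) {
	if ciphertext[0] == storagePrefix {
		return true, ciphertext[1:]
	}
	return false, ciphertext
}

// guardedVersion checks the length first and returns an error instead.
func guardedVersion(ciphertext []byte) (bool, []byte, error) {
	if len(ciphertext) == 0 {
		return false, nil, errEmptyCiphertext
	}
	if ciphertext[0] == storagePrefix {
		return true, ciphertext[1:], nil
	}
	return false, ciphertext, nil
}

// panics reports whether f panics. Without a recover like this one, a panic
// in any goroutine terminates the whole Go process.
func panics(f func()) (p bool) {
	defer func() { p = recover() != nil }()
	f()
	return false
}

func main() {
	// Constructed inputs: nil, empty, prefixed, unprefixed.
	for _, in := range [][]byte{nil, {}, []byte("vabc"), []byte("abc")} {
		crashed := panics(func() { unguardedVersion(in) })
		_, _, err := guardedVersion(in)
		fmt.Printf("input=%q unguarded panics=%v guarded err=%v\n", in, crashed, err)
	}
}
```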