Files

GitHub Actions ca477c48d4 chore: Enhance documentation for E2E testing:

- Added clarity and structure to README files, including recent updates and getting started sections.
- Improved manual verification documentation for CrowdSec authentication, emphasizing expected outputs and success criteria.
- Updated debugging guide with detailed output examples and automatic trace capture information.
- Refined best practices for E2E tests, focusing on efficient polling, locator strategies, and state management.
- Documented triage report for DNS Provider feature tests, highlighting issues fixed and test results before and after improvements.
- Revised E2E test writing guide to include when to use specific helper functions and patterns for better test reliability.
- Enhanced troubleshooting documentation with clear resolutions for common issues, including timeout and token configuration problems.
- Updated tests README to provide quick links and best practices for writing robust tests.

2026-03-24 01:47:22 +00:00

2.8 KiB

Raw Blame History

Security Exception: Nebula v1.9.7 (GHSA-69x3-g4r3-p962)

Date: 2026-02-10 Status: ACCEPTED RISK CVE: GHSA-69x3-g4r3-p962 Severity: High Package: github.com/slackhq/nebula@v1.9.7 Fixed Version: v1.10.3

Decision

Accept the High severity vulnerability in nebula v1.9.7 as a documented known issue.

Rationale

Nebula is a transitive dependency via CrowdSec bouncer -> ipstore chain
Upgrading to v1.10.3 breaks compilation:
- smallstep/certificates removed nebula APIs (NebulaCAPool, NewCAPoolFromBytes, etc.)
- ipstore missing GetAndDelete method compatibility
No compatible upstream versions exist as of 2026-02-10
Patching dependencies during build is high-risk and fragile
High severity risk classification applies to vulnerabilities within our control
This is an upstream dependency management issue beyond our immediate control

Dependency Chain

Caddy (xcaddy builder)
- github.com/hslatman/caddy-crowdsec-bouncer@v0.9.2
  - github.com/hslatman/ipstore@v0.3.0
    - github.com/slackhq/nebula@v1.9.7 (vulnerable)

Exploitability Assessment

Nebula is present in Docker image build artifacts
Used by CrowdSec bouncer for IP address management
Attack surface: [Requires further analysis - see monitoring plan]

Monitoring Plan

Watch for upstream fixes in:

github.com/hslatman/caddy-crowdsec-bouncer (primary)
github.com/hslatman/ipstore (secondary)
github.com/smallstep/certificates (nebula API compatibility)
github.com/slackhq/nebula (direct upgrade if dependency chain updates)

Check quarterly (or when Dependabot/security scans alert):

CrowdSec bouncer releases: https://github.com/hslatman/caddy-crowdsec-bouncer/releases
ipstore releases: https://github.com/hslatman/ipstore/releases
smallstep/certificates releases: https://github.com/smallstep/certificates/releases

Remediation Trigger

Revisit and remediate when ANY of:

caddy-crowdsec-bouncer releases version with nebula v1.10.3+ support
smallstep/certificates releases version compatible with nebula v1.10.3
ipstore releases version fixing GetAndDelete compatibility
GHSA-69x3-g4r3-p962 severity escalates to CRITICAL
Proof-of-concept exploit published targeting Charon's attack surface

Alternative Mitigation (Future)

If upstream remains stalled:

Consider removing CrowdSec bouncer plugin (loss of CrowdSec integration)
Evaluate alternative IP blocking/rate limiting solutions
Implement CrowdSec integration at reverse proxy layer instead of Caddy

References

CVE Details: https://github.com/advisories/GHSA-69x3-g4r3-p962
Analysis Report: docs/reports/nebula_upgrade_analysis.md
Version Test Results: docs/reports/nebula_upgrade_analysis.md

2.8 KiB Raw Blame History