Fix: Patch CVE-2024-45337 (crypto/ssh Authorization Bypass) and stabilize controller-runtime envtest failure #5244

UJESH2K · 2025-10-22T18:17:45Z

This PR fixes multiple issues across ChaosCenter:

Security: Patched CVE-2024-45337 in Go’s crypto/ssh.

Kubernetes/envtest: Controller tests now start reliably on Windows and Linux.

ChaosHub GitOps: Fixed broken cloning of remote charts after GitHub renamed default branch to main.

Code hygiene: Fixed fmt/logging errors and aligned Go module versions.

🧩 Files Changed & Updates

1️⃣ Kubernetes / envtest / controller-runtime

chaoscenter/event-tracker/controllers/suite_test.go

Added nil checks and deferred cleanup for envtest.Environment and ControlPlane.
Fixed AfterSuite nil-pointer panics.

chaoscenter/event-tracker/controllers/envtest_helper.go

Fixed PATH resolution for kubebuilder binaries (etcd, kube-apiserver, kubectl) on Windows.

chaoscenter/event-tracker/deployments/k8s/deployment.yaml

Added deployment spec with replicas, image, environment variables.

chaoscenter/event-tracker/deployments/k8s/service.yaml

Added ClusterIP service exposing event-tracker app.

chaoscenter/event-tracker/deployments/k8s/configmap.yaml

Added default configuration for ports, URLs, and other environment variables.

chaoscenter/event-tracker/deployments/k8s/secret.yaml

Added placeholders for sensitive environment variables.

chaoscenter/event-tracker/Makefile

Added build/run shortcuts.

chaoscenter/event-tracker/go.mod / go.sum

Updated Go version and synced dependencies.

2️⃣ ChaosHub / GitOps fixes

pkg/chaoshub/ops/gitops.go

Patched getChaosChartRepo() and GitClone() to detect main branch if refs/tags/master missing.
Added error handling for network or missing tag errors.

pkg/chaoshub/ops/gitops_test.go

Updated cleanup functions (clearCloneRepository()) to handle Windows-specific .git/objects/pack/tmp_pack_* locking issues.

pkg/chaoshub/handler/handler_test.go

Adjusted test cases for TestDownloadRemoteHub, TestSyncRemoteRepo, TestGetChartsData to match updated GitClone logic.
Optional / Minor Touches

pkg/chaoshub/handler/handler.go (if handler logic touched for sync fixes)

pkg/chaoshub/ops/gitops_utils.go (helper for branch fallback)

go.mod / go.sum updated dependencies (like go-git) if applicable

3️⃣ Internal Utility / Config / Logging

pkg/config/ and pkg/log/

Small fixes to align logging and error handling with Go best practices.
Adjusted environment variable loading for Kubernetes deployment consistency.

🧪 Verification

Build and tests passed:
go build ./...
go test ./... -v
SSH handshake and authorization flows verified with patched crypto/ssh.
Envtest control plane starts/stops reliably on Windows and Linux.
ChaosHub tests pass; cloning remote charts works with fallback to main.
Static analysis via GoSec, govulncheck, and CodeQL shows no remaining vulnerabilities.

✅ Checklist

CVE-2024-45337 patched
fmt/logging issues fixed
Envtest / controller-runtime fixed for Windows & Linux
ChaosHub GitOps fixes applied
Go modules tidied and synced across submodules
All tests pass (go test ./...)
No new dependencies introduced
Code reviewed for backward compatibility

🧩 Fixes

Fixes: #5243
Resolves: CVE-2024-45337

Jonsy13 · 2025-10-23T10:12:47Z

This PR looks good, Please update Go version in Dockerfile & also in CI build workflows.
I see, you have raised fixes for other vulnerabilities,
Lets merge this PR first with go-version pinned to 1.24.0 in all places.

Once merged, Then you can update other PRs & remove go-version changes from them.

UJESH2K · 2025-10-23T15:57:57Z

thanks for the feedback (●'◡'●)
will change accordingly 👍

Signed-off-by: UJESH2K <[email protected]>

Signed-off-by: UJESH KUMAR YADAV <[email protected]>

UJESH2K · 2025-10-23T21:33:57Z

Hi @Jonsy13 👋

I noticed that some of the Dockerfiles (like in authentication and event-tracker) currently fail to build because the WORKDIR or go.mod paths don’t seem to align correctly with the project structure.

This issue isn’t related to the Go version update (which this PR addresses), but I wanted to highlight it in case it needs a separate fix.

Would you like me to open a new issue for correcting the Docker build paths across these components?

Thanks! 😊

Jonsy13 · 2025-10-24T06:49:16Z

Hi @Jonsy13 👋

I noticed that some of the Dockerfiles (like in authentication and event-tracker) currently fail to build because the WORKDIR or go.mod paths don’t seem to align correctly with the project structure.

This issue isn’t related to the Go version update (which this PR addresses), but I wanted to highlight it in case it needs a separate fix.

Would you like me to open a new issue for correcting the Docker build paths across these components?

Thanks! 😊

Yes now it looks good @UJESH2K ! The builds are passing in actions, trivy is failing but that is due to different vulnerabilities.

…lize controller-runtime envtest failure (litmuschaos#5244) * Fix: resolved vulnerability issues in server Signed-off-by: UJESH2K <[email protected]> * changed goversion to 1.24.0 in every file Signed-off-by: UJESH KUMAR YADAV <[email protected]> --------- Signed-off-by: UJESH2K <[email protected]> Signed-off-by: UJESH KUMAR YADAV <[email protected]> Co-authored-by: Vedant Shrotria <[email protected]> Signed-off-by: UJESH KUMAR YADAV <[email protected]>

* Fix JWT module version and checksum issue Signed-off-by: UJESH2K <[email protected]> Signed-off-by: UJESH KUMAR YADAV <[email protected]> * docs: add missing GCP experiments to documentation table (#5239) Signed-off-by: Gurupriyan D A <[email protected]> Signed-off-by: UJESH KUMAR YADAV <[email protected]> * docs: Add AWS SSM Chaos experiments to AWS experiments table (#5240) * docs: Add AWS SSM Chaos experiments to AWS experiments table Add AWS SSM Chaos By ID and AWS SSM Chaos By Tag experiments Fixes #5237 Signed-off-by: Coder-pro1 <[email protected]> * Fix AWS SSM Chaos links in contents.md Signed-off-by: Seneviratne N S <[email protected]> --------- Signed-off-by: Coder-pro1 <[email protected]> Signed-off-by: Seneviratne N S <[email protected]> Co-authored-by: Pritesh Kiri <[email protected]> Signed-off-by: UJESH KUMAR YADAV <[email protected]> * Update go.mod Signed-off-by: UJESH KUMAR YADAV <[email protected]> * Updated Runner Type for Ubuntu to latest under github-pages build pipeline (#5249) * Added fixes Signed-off-by: git <[email protected]> * Added fixes Signed-off-by: git <[email protected]> --------- Signed-off-by: git <[email protected]> Co-authored-by: git <[email protected]> Signed-off-by: UJESH KUMAR YADAV <[email protected]> * Fix: Patch CVE-2024-45337 (crypto/ssh Authorization Bypass) and stabilize controller-runtime envtest failure (#5244) * Fix: resolved vulnerability issues in server Signed-off-by: UJESH2K <[email protected]> * changed goversion to 1.24.0 in every file Signed-off-by: UJESH KUMAR YADAV <[email protected]> --------- Signed-off-by: UJESH2K <[email protected]> Signed-off-by: UJESH KUMAR YADAV <[email protected]> Co-authored-by: Vedant Shrotria <[email protected]> Signed-off-by: UJESH KUMAR YADAV <[email protected]> * fix(UI): update delete command in Disable Chaos Infrastructure popup (#5253) (#5261) - Corrected command syntax to use commas between resources. - Kept namespace dynamic using ${chaosInfrastructureNamespace}. - Verified in UI. Signed-off-by: Devank Gupta <[email protected]> Co-authored-by: Pritesh Kiri <[email protected]> Signed-off-by: UJESH KUMAR YADAV <[email protected]> * fix(security): upgrade golang.org/x/oauth2 to v0.27.0 to resolve CVE-2025-22868 (#5233) * fix(security): upgrade golang.org/x/oauth2 to v0.27.0 to resolve CVE-2025-22868 Signed-off-by: UJESH2K <[email protected]> Signed-off-by: UJESH KUMAR YADAV <[email protected]> * chore: update Go version to 1.24.0 in go.mod, Dockerfile, and CI workflow Signed-off-by: UJESH2K <[email protected]> Signed-off-by: UJESH KUMAR YADAV <[email protected]> * fix: use stable golang:1.24.0-bookworm base image in Dockerfile Signed-off-by: UJESH2K <[email protected]> Signed-off-by: UJESH KUMAR YADAV <[email protected]> * 1.25 go version Signed-off-by: UJESH KUMAR YADAV <[email protected]> * golang.org/x/crypto v0.35.0 go version Signed-off-by: UJESH KUMAR YADAV <[email protected]> * golang.org/x/crypto v0.35.0 go version and 1.24 Signed-off-by: UJESH KUMAR YADAV <[email protected]> * changed docker Signed-off-by: UJESH KUMAR YADAV <[email protected]> * changed docker Signed-off-by: UJESH KUMAR YADAV <[email protected]> * Temporary commit before rebase Signed-off-by: UJESH KUMAR YADAV <[email protected]> * Changed trivy to v2 and authentication goversion to 1.24.0 Signed-off-by: UJESH KUMAR YADAV <[email protected]> * Revert Trivy v2 change Signed-off-by: UJESH KUMAR YADAV <[email protected]> * changed build.yml from 1.24 to 1.24.0 Signed-off-by: UJESH KUMAR YADAV <[email protected]> * removed trivy version mismatch Signed-off-by: UJESH KUMAR YADAV <[email protected]> * go mod tidy Signed-off-by: UJESH KUMAR YADAV <[email protected]> --------- Signed-off-by: UJESH2K <[email protected]> Signed-off-by: UJESH KUMAR YADAV <[email protected]> * Update go.mod Signed-off-by: UJESH KUMAR YADAV <[email protected]> * Update go.mod Signed-off-by: UJESH KUMAR YADAV <[email protected]> * fixed name issue (#5250) Signed-off-by: VIDHITTS <[email protected]> Co-authored-by: Pritesh Kiri <[email protected]> Signed-off-by: UJESH KUMAR YADAV <[email protected]> * Fix CVE-2025-22869: Go runtime Denial of Service vulnerability (#5236) * fix[5200]: Namespace Compromise via hostPID (#5201) * fix: hostPID set to false Signed-off-by: zyue110026 <[email protected]> * fix: hostPID set to false Signed-off-by: zyue110026 <[email protected]> --------- Signed-off-by: zyue110026 <[email protected]> Co-authored-by: Pritesh Kiri <[email protected]> Signed-off-by: UJESH KUMAR YADAV <[email protected]> * fix: Potential Denial of Service via unrestricted CPU/memory and root user execution (#5203) * fix: hostPID set to false Signed-off-by: zyue110026 <[email protected]> * fix: hostPID set to false Signed-off-by: zyue110026 <[email protected]> * fix: Potential Denial of Service via unrestricted CPU/memory and root user execution Signed-off-by: zyue110026 <[email protected]> * fix: Potential Denial of Service via unrestricted CPU/memory and root user execution Signed-off-by: zyue110026 <[email protected]> * fix: Potential Denial of Service via unrestricted CPU/memory and root user execution Signed-off-by: zyue110026 <[email protected]> --------- Signed-off-by: zyue110026 <[email protected]> Co-authored-by: Pritesh Kiri <[email protected]> Signed-off-by: UJESH KUMAR YADAV <[email protected]> * fix: [5167]: updated probe fetching logic in a fault (#5199) * feat: [5167]: updated probe fetching logic in a fault Signed-off-by: Amit Kumar Das <[email protected]> * feat: [5167]: fixed go fmt Signed-off-by: Amit Kumar Das <[email protected]> --------- Signed-off-by: Amit Kumar Das <[email protected]> Co-authored-by: Shubham Chaudhary <[email protected]> Signed-off-by: UJESH KUMAR YADAV <[email protected]> * Update Polices (#5186) * update: governance Signed-off-by: PriteshKiri <[email protected]> * update: code of conduct Signed-off-by: PriteshKiri <[email protected]> * update: contribution guide Signed-off-by: PriteshKiri <[email protected]> * chore: updated community meetings content in Readme Signed-off-by: PriteshKiri <[email protected]> * fix: community meeting form link Signed-off-by: PriteshKiri <[email protected]> --------- Signed-off-by: PriteshKiri <[email protected]> Signed-off-by: UJESH KUMAR YADAV <[email protected]> * Removes hardcoded namespaces for K8s manifests (#5223) Signed-off-by: Bartlomiej Gmerek <[email protected]> Signed-off-by: UJESH KUMAR YADAV <[email protected]> * Ensure SERVER_ADDR includes scheme on re-download manifestFix server addr (#5213) * Ensure SERVER_ADDR includes scheme on re-download manifest Signed-off-by: UJESH2K <[email protected]> * Ensure SERVER_ADDR includes scheme on re-download manifest Signed-off-by: UJESH2K <[email protected]> --------- Signed-off-by: UJESH2K <[email protected]> Co-authored-by: Pritesh Kiri <[email protected]> Co-authored-by: Vedant Shrotria <[email protected]> Signed-off-by: UJESH KUMAR YADAV <[email protected]> * fix: resolve missing experiment pod logs issue (#5207) Fixed missing experiment pod logs by updating relevant entities and components. Updated workflowRun entity, CustomStepLog controller, and ExperimentRunDetailsPanel to properly handle and display experiment pod logs. Signed-off-by: Harshit Panchbhai <[email protected]> Co-authored-by: Amit Kumar Das <[email protected]> Co-authored-by: Pritesh Kiri <[email protected]> Signed-off-by: UJESH KUMAR YADAV <[email protected]> * Added fixes (#5227) Co-authored-by: git <[email protected]> Signed-off-by: UJESH KUMAR YADAV <[email protected]> * chore(3.22.0): Add the installation manifest for 3.22.0 version (#5229) Signed-off-by: Shubham Chaudhary <[email protected]> Signed-off-by: UJESH KUMAR YADAV <[email protected]> * Fixed conversion issues and added formatting improvements Signed-off-by: UJESH KUMAR YADAV <[email protected]> * changed all go version to 1.24.0 Signed-off-by: UJESH KUMAR YADAV <[email protected]> * Delete test-chaoscenter-mods.ps1 Signed-off-by: UJESH KUMAR YADAV <[email protected]> * Delete test-chaoscenter-mods.ps1 Signed-off-by: UJESH KUMAR YADAV <[email protected]> * Update Dockerfile Signed-off-by: UJESH KUMAR YADAV <[email protected]> --------- Signed-off-by: zyue110026 <[email protected]> Signed-off-by: UJESH KUMAR YADAV <[email protected]> Signed-off-by: Amit Kumar Das <[email protected]> Signed-off-by: PriteshKiri <[email protected]> Signed-off-by: Bartlomiej Gmerek <[email protected]> Signed-off-by: UJESH2K <[email protected]> Signed-off-by: Harshit Panchbhai <[email protected]> Signed-off-by: Shubham Chaudhary <[email protected]> Co-authored-by: zyue110026 <[email protected]> Co-authored-by: Pritesh Kiri <[email protected]> Co-authored-by: Amit Kumar Das <[email protected]> Co-authored-by: Shubham Chaudhary <[email protected]> Co-authored-by: Bartlomiej Gmerek <[email protected]> Co-authored-by: Vedant Shrotria <[email protected]> Co-authored-by: harshit12339 <[email protected]> Co-authored-by: git <[email protected]> Signed-off-by: UJESH KUMAR YADAV <[email protected]> * docs: update footer year of experiment docs to 2025 (#5277) (#5279) Signed-off-by: Umesh Kumar Pal <[email protected]> Co-authored-by: Vedant Shrotria <[email protected]> Signed-off-by: UJESH KUMAR YADAV <[email protected]> * fix: update FAQ and Troubleshooting headings (#5263) (#5276) Signed-off-by: Umesh Kumar Pal <[email protected]> Co-authored-by: Pritesh Kiri <[email protected]> Co-authored-by: Vedant Shrotria <[email protected]> Signed-off-by: UJESH KUMAR YADAV <[email protected]> * fix: Allow chaos probes with same name across different projects (#5241) * Refactor MongoDB index creation for ChaosProbeCollection Signed-off-by: khushi1310 <[email protected]> * fix-Cannot reuse probe name after deletion Signed-off-by: khushi1310 <[email protected]> * Update Go base image version to 1.24.6 Signed-off-by: khushi1310 <[email protected]> * Update Go version to 1.24 Signed-off-by: khushi1310 <[email protected]> * reverting go version Signed-off-by: khushi1310 <[email protected]> * reverting go version Signed-off-by: khushi1310 <[email protected]> --------- Signed-off-by: khushi1310 <[email protected]> Co-authored-by: Pritesh Kiri <[email protected]> Co-authored-by: Sarthak Jain <[email protected]> Signed-off-by: UJESH KUMAR YADAV <[email protected]> * Show tick icon for completed experiments update (#5260) * Update StatusHeatMap.tsx Signed-off-by: khushi Tiwari <[email protected]> Signed-off-by: khushi1310 <[email protected]> * Update StatusHeatMap.module.scss Signed-off-by: khushi Tiwari <[email protected]> Signed-off-by: khushi1310 <[email protected]> --------- Signed-off-by: khushi1310 <[email protected]> Co-authored-by: Pritesh Kiri <[email protected]> Co-authored-by: Vedant Shrotria <[email protected]> Signed-off-by: UJESH KUMAR YADAV <[email protected]> * fixed_issue (#5259) Signed-off-by: khushi1310 <[email protected]> Co-authored-by: Pritesh Kiri <[email protected]> Co-authored-by: Vedant Shrotria <[email protected]> Signed-off-by: UJESH KUMAR YADAV <[email protected]> * fix: [4998]: added tolerations in chaos engine spec when configured from advanced options (#5271) Signed-off-by: Amit Kumar Das <[email protected]> Signed-off-by: UJESH KUMAR YADAV <[email protected]> * fix(UI): update delete command in Disable Chaos Infrastructure popup (#5253) (#5274) - Corrected command syntax to use commas between resources. - Kept namespace dynamic using ${chaosInfrastructureNamespace}. - Verified in UI. Signed-off-by: Devank Gupta <[email protected]> Signed-off-by: UJESH KUMAR YADAV <[email protected]> * go mod tidy to all Signed-off-by: UJESH KUMAR YADAV <[email protected]> * resolving conflicts Signed-off-by: UJESH KUMAR YADAV <[email protected]> --------- Signed-off-by: UJESH2K <[email protected]> Signed-off-by: UJESH KUMAR YADAV <[email protected]> Signed-off-by: Gurupriyan D A <[email protected]> Signed-off-by: Coder-pro1 <[email protected]> Signed-off-by: Seneviratne N S <[email protected]> Signed-off-by: git <[email protected]> Signed-off-by: Devank Gupta <[email protected]> Signed-off-by: VIDHITTS <[email protected]> Signed-off-by: zyue110026 <[email protected]> Signed-off-by: Amit Kumar Das <[email protected]> Signed-off-by: PriteshKiri <[email protected]> Signed-off-by: Bartlomiej Gmerek <[email protected]> Signed-off-by: Harshit Panchbhai <[email protected]> Signed-off-by: Shubham Chaudhary <[email protected]> Signed-off-by: Umesh Kumar Pal <[email protected]> Signed-off-by: khushi1310 <[email protected]> Co-authored-by: Gurupriyan D A <[email protected]> Co-authored-by: Seneviratne N S <[email protected]> Co-authored-by: Pritesh Kiri <[email protected]> Co-authored-by: Vedant Shrotria <[email protected]> Co-authored-by: git <[email protected]> Co-authored-by: Devank Gupta <[email protected]> Co-authored-by: Vidhit T S <[email protected]> Co-authored-by: zyue110026 <[email protected]> Co-authored-by: Amit Kumar Das <[email protected]> Co-authored-by: Shubham Chaudhary <[email protected]> Co-authored-by: Bartlomiej Gmerek <[email protected]> Co-authored-by: harshit12339 <[email protected]> Co-authored-by: Umesh Pal <[email protected]> Co-authored-by: khushi1310 <[email protected]> Co-authored-by: Sarthak Jain <[email protected]>

* Fix JWT module version and checksum issue Signed-off-by: UJESH2K <[email protected]> Signed-off-by: UJESH KUMAR YADAV <[email protected]> * docs: add missing GCP experiments to documentation table (litmuschaos#5239) Signed-off-by: Gurupriyan D A <[email protected]> Signed-off-by: UJESH KUMAR YADAV <[email protected]> * docs: Add AWS SSM Chaos experiments to AWS experiments table (litmuschaos#5240) * docs: Add AWS SSM Chaos experiments to AWS experiments table Add AWS SSM Chaos By ID and AWS SSM Chaos By Tag experiments Fixes litmuschaos#5237 Signed-off-by: Coder-pro1 <[email protected]> * Fix AWS SSM Chaos links in contents.md Signed-off-by: Seneviratne N S <[email protected]> --------- Signed-off-by: Coder-pro1 <[email protected]> Signed-off-by: Seneviratne N S <[email protected]> Co-authored-by: Pritesh Kiri <[email protected]> Signed-off-by: UJESH KUMAR YADAV <[email protected]> * Update go.mod Signed-off-by: UJESH KUMAR YADAV <[email protected]> * Updated Runner Type for Ubuntu to latest under github-pages build pipeline (litmuschaos#5249) * Added fixes Signed-off-by: git <[email protected]> * Added fixes Signed-off-by: git <[email protected]> --------- Signed-off-by: git <[email protected]> Co-authored-by: git <[email protected]> Signed-off-by: UJESH KUMAR YADAV <[email protected]> * Fix: Patch CVE-2024-45337 (crypto/ssh Authorization Bypass) and stabilize controller-runtime envtest failure (litmuschaos#5244) * Fix: resolved vulnerability issues in server Signed-off-by: UJESH2K <[email protected]> * changed goversion to 1.24.0 in every file Signed-off-by: UJESH KUMAR YADAV <[email protected]> --------- Signed-off-by: UJESH2K <[email protected]> Signed-off-by: UJESH KUMAR YADAV <[email protected]> Co-authored-by: Vedant Shrotria <[email protected]> Signed-off-by: UJESH KUMAR YADAV <[email protected]> * fix(UI): update delete command in Disable Chaos Infrastructure popup (litmuschaos#5253) (litmuschaos#5261) - Corrected command syntax to use commas between resources. - Kept namespace dynamic using ${chaosInfrastructureNamespace}. - Verified in UI. Signed-off-by: Devank Gupta <[email protected]> Co-authored-by: Pritesh Kiri <[email protected]> Signed-off-by: UJESH KUMAR YADAV <[email protected]> * fix(security): upgrade golang.org/x/oauth2 to v0.27.0 to resolve CVE-2025-22868 (litmuschaos#5233) * fix(security): upgrade golang.org/x/oauth2 to v0.27.0 to resolve CVE-2025-22868 Signed-off-by: UJESH2K <[email protected]> Signed-off-by: UJESH KUMAR YADAV <[email protected]> * chore: update Go version to 1.24.0 in go.mod, Dockerfile, and CI workflow Signed-off-by: UJESH2K <[email protected]> Signed-off-by: UJESH KUMAR YADAV <[email protected]> * fix: use stable golang:1.24.0-bookworm base image in Dockerfile Signed-off-by: UJESH2K <[email protected]> Signed-off-by: UJESH KUMAR YADAV <[email protected]> * 1.25 go version Signed-off-by: UJESH KUMAR YADAV <[email protected]> * golang.org/x/crypto v0.35.0 go version Signed-off-by: UJESH KUMAR YADAV <[email protected]> * golang.org/x/crypto v0.35.0 go version and 1.24 Signed-off-by: UJESH KUMAR YADAV <[email protected]> * changed docker Signed-off-by: UJESH KUMAR YADAV <[email protected]> * changed docker Signed-off-by: UJESH KUMAR YADAV <[email protected]> * Temporary commit before rebase Signed-off-by: UJESH KUMAR YADAV <[email protected]> * Changed trivy to v2 and authentication goversion to 1.24.0 Signed-off-by: UJESH KUMAR YADAV <[email protected]> * Revert Trivy v2 change Signed-off-by: UJESH KUMAR YADAV <[email protected]> * changed build.yml from 1.24 to 1.24.0 Signed-off-by: UJESH KUMAR YADAV <[email protected]> * removed trivy version mismatch Signed-off-by: UJESH KUMAR YADAV <[email protected]> * go mod tidy Signed-off-by: UJESH KUMAR YADAV <[email protected]> --------- Signed-off-by: UJESH2K <[email protected]> Signed-off-by: UJESH KUMAR YADAV <[email protected]> * Update go.mod Signed-off-by: UJESH KUMAR YADAV <[email protected]> * Update go.mod Signed-off-by: UJESH KUMAR YADAV <[email protected]> * fixed name issue (litmuschaos#5250) Signed-off-by: VIDHITTS <[email protected]> Co-authored-by: Pritesh Kiri <[email protected]> Signed-off-by: UJESH KUMAR YADAV <[email protected]> * Fix CVE-2025-22869: Go runtime Denial of Service vulnerability (litmuschaos#5236) * fix[5200]: Namespace Compromise via hostPID (litmuschaos#5201) * fix: hostPID set to false Signed-off-by: zyue110026 <[email protected]> * fix: hostPID set to false Signed-off-by: zyue110026 <[email protected]> --------- Signed-off-by: zyue110026 <[email protected]> Co-authored-by: Pritesh Kiri <[email protected]> Signed-off-by: UJESH KUMAR YADAV <[email protected]> * fix: Potential Denial of Service via unrestricted CPU/memory and root user execution (litmuschaos#5203) * fix: hostPID set to false Signed-off-by: zyue110026 <[email protected]> * fix: hostPID set to false Signed-off-by: zyue110026 <[email protected]> * fix: Potential Denial of Service via unrestricted CPU/memory and root user execution Signed-off-by: zyue110026 <[email protected]> * fix: Potential Denial of Service via unrestricted CPU/memory and root user execution Signed-off-by: zyue110026 <[email protected]> * fix: Potential Denial of Service via unrestricted CPU/memory and root user execution Signed-off-by: zyue110026 <[email protected]> --------- Signed-off-by: zyue110026 <[email protected]> Co-authored-by: Pritesh Kiri <[email protected]> Signed-off-by: UJESH KUMAR YADAV <[email protected]> * fix: [5167]: updated probe fetching logic in a fault (litmuschaos#5199) * feat: [5167]: updated probe fetching logic in a fault Signed-off-by: Amit Kumar Das <[email protected]> * feat: [5167]: fixed go fmt Signed-off-by: Amit Kumar Das <[email protected]> --------- Signed-off-by: Amit Kumar Das <[email protected]> Co-authored-by: Shubham Chaudhary <[email protected]> Signed-off-by: UJESH KUMAR YADAV <[email protected]> * Update Polices (litmuschaos#5186) * update: governance Signed-off-by: PriteshKiri <[email protected]> * update: code of conduct Signed-off-by: PriteshKiri <[email protected]> * update: contribution guide Signed-off-by: PriteshKiri <[email protected]> * chore: updated community meetings content in Readme Signed-off-by: PriteshKiri <[email protected]> * fix: community meeting form link Signed-off-by: PriteshKiri <[email protected]> --------- Signed-off-by: PriteshKiri <[email protected]> Signed-off-by: UJESH KUMAR YADAV <[email protected]> * Removes hardcoded namespaces for K8s manifests (litmuschaos#5223) Signed-off-by: Bartlomiej Gmerek <[email protected]> Signed-off-by: UJESH KUMAR YADAV <[email protected]> * Ensure SERVER_ADDR includes scheme on re-download manifestFix server addr (litmuschaos#5213) * Ensure SERVER_ADDR includes scheme on re-download manifest Signed-off-by: UJESH2K <[email protected]> * Ensure SERVER_ADDR includes scheme on re-download manifest Signed-off-by: UJESH2K <[email protected]> --------- Signed-off-by: UJESH2K <[email protected]> Co-authored-by: Pritesh Kiri <[email protected]> Co-authored-by: Vedant Shrotria <[email protected]> Signed-off-by: UJESH KUMAR YADAV <[email protected]> * fix: resolve missing experiment pod logs issue (litmuschaos#5207) Fixed missing experiment pod logs by updating relevant entities and components. Updated workflowRun entity, CustomStepLog controller, and ExperimentRunDetailsPanel to properly handle and display experiment pod logs. Signed-off-by: Harshit Panchbhai <[email protected]> Co-authored-by: Amit Kumar Das <[email protected]> Co-authored-by: Pritesh Kiri <[email protected]> Signed-off-by: UJESH KUMAR YADAV <[email protected]> * Added fixes (litmuschaos#5227) Co-authored-by: git <[email protected]> Signed-off-by: UJESH KUMAR YADAV <[email protected]> * chore(3.22.0): Add the installation manifest for 3.22.0 version (litmuschaos#5229) Signed-off-by: Shubham Chaudhary <[email protected]> Signed-off-by: UJESH KUMAR YADAV <[email protected]> * Fixed conversion issues and added formatting improvements Signed-off-by: UJESH KUMAR YADAV <[email protected]> * changed all go version to 1.24.0 Signed-off-by: UJESH KUMAR YADAV <[email protected]> * Delete test-chaoscenter-mods.ps1 Signed-off-by: UJESH KUMAR YADAV <[email protected]> * Delete test-chaoscenter-mods.ps1 Signed-off-by: UJESH KUMAR YADAV <[email protected]> * Update Dockerfile Signed-off-by: UJESH KUMAR YADAV <[email protected]> --------- Signed-off-by: zyue110026 <[email protected]> Signed-off-by: UJESH KUMAR YADAV <[email protected]> Signed-off-by: Amit Kumar Das <[email protected]> Signed-off-by: PriteshKiri <[email protected]> Signed-off-by: Bartlomiej Gmerek <[email protected]> Signed-off-by: UJESH2K <[email protected]> Signed-off-by: Harshit Panchbhai <[email protected]> Signed-off-by: Shubham Chaudhary <[email protected]> Co-authored-by: zyue110026 <[email protected]> Co-authored-by: Pritesh Kiri <[email protected]> Co-authored-by: Amit Kumar Das <[email protected]> Co-authored-by: Shubham Chaudhary <[email protected]> Co-authored-by: Bartlomiej Gmerek <[email protected]> Co-authored-by: Vedant Shrotria <[email protected]> Co-authored-by: harshit12339 <[email protected]> Co-authored-by: git <[email protected]> Signed-off-by: UJESH KUMAR YADAV <[email protected]> * docs: update footer year of experiment docs to 2025 (litmuschaos#5277) (litmuschaos#5279) Signed-off-by: Umesh Kumar Pal <[email protected]> Co-authored-by: Vedant Shrotria <[email protected]> Signed-off-by: UJESH KUMAR YADAV <[email protected]> * fix: update FAQ and Troubleshooting headings (litmuschaos#5263) (litmuschaos#5276) Signed-off-by: Umesh Kumar Pal <[email protected]> Co-authored-by: Pritesh Kiri <[email protected]> Co-authored-by: Vedant Shrotria <[email protected]> Signed-off-by: UJESH KUMAR YADAV <[email protected]> * fix: Allow chaos probes with same name across different projects (litmuschaos#5241) * Refactor MongoDB index creation for ChaosProbeCollection Signed-off-by: khushi1310 <[email protected]> * fix-Cannot reuse probe name after deletion Signed-off-by: khushi1310 <[email protected]> * Update Go base image version to 1.24.6 Signed-off-by: khushi1310 <[email protected]> * Update Go version to 1.24 Signed-off-by: khushi1310 <[email protected]> * reverting go version Signed-off-by: khushi1310 <[email protected]> * reverting go version Signed-off-by: khushi1310 <[email protected]> --------- Signed-off-by: khushi1310 <[email protected]> Co-authored-by: Pritesh Kiri <[email protected]> Co-authored-by: Sarthak Jain <[email protected]> Signed-off-by: UJESH KUMAR YADAV <[email protected]> * Show tick icon for completed experiments update (litmuschaos#5260) * Update StatusHeatMap.tsx Signed-off-by: khushi Tiwari <[email protected]> Signed-off-by: khushi1310 <[email protected]> * Update StatusHeatMap.module.scss Signed-off-by: khushi Tiwari <[email protected]> Signed-off-by: khushi1310 <[email protected]> --------- Signed-off-by: khushi1310 <[email protected]> Co-authored-by: Pritesh Kiri <[email protected]> Co-authored-by: Vedant Shrotria <[email protected]> Signed-off-by: UJESH KUMAR YADAV <[email protected]> * fixed_issue (litmuschaos#5259) Signed-off-by: khushi1310 <[email protected]> Co-authored-by: Pritesh Kiri <[email protected]> Co-authored-by: Vedant Shrotria <[email protected]> Signed-off-by: UJESH KUMAR YADAV <[email protected]> * fix: [4998]: added tolerations in chaos engine spec when configured from advanced options (litmuschaos#5271) Signed-off-by: Amit Kumar Das <[email protected]> Signed-off-by: UJESH KUMAR YADAV <[email protected]> * fix(UI): update delete command in Disable Chaos Infrastructure popup (litmuschaos#5253) (litmuschaos#5274) - Corrected command syntax to use commas between resources. - Kept namespace dynamic using ${chaosInfrastructureNamespace}. - Verified in UI. Signed-off-by: Devank Gupta <[email protected]> Signed-off-by: UJESH KUMAR YADAV <[email protected]> * go mod tidy to all Signed-off-by: UJESH KUMAR YADAV <[email protected]> * resolving conflicts Signed-off-by: UJESH KUMAR YADAV <[email protected]> --------- Signed-off-by: UJESH2K <[email protected]> Signed-off-by: UJESH KUMAR YADAV <[email protected]> Signed-off-by: Gurupriyan D A <[email protected]> Signed-off-by: Coder-pro1 <[email protected]> Signed-off-by: Seneviratne N S <[email protected]> Signed-off-by: git <[email protected]> Signed-off-by: Devank Gupta <[email protected]> Signed-off-by: VIDHITTS <[email protected]> Signed-off-by: zyue110026 <[email protected]> Signed-off-by: Amit Kumar Das <[email protected]> Signed-off-by: PriteshKiri <[email protected]> Signed-off-by: Bartlomiej Gmerek <[email protected]> Signed-off-by: Harshit Panchbhai <[email protected]> Signed-off-by: Shubham Chaudhary <[email protected]> Signed-off-by: Umesh Kumar Pal <[email protected]> Signed-off-by: khushi1310 <[email protected]> Co-authored-by: Gurupriyan D A <[email protected]> Co-authored-by: Seneviratne N S <[email protected]> Co-authored-by: Pritesh Kiri <[email protected]> Co-authored-by: Vedant Shrotria <[email protected]> Co-authored-by: git <[email protected]> Co-authored-by: Devank Gupta <[email protected]> Co-authored-by: Vidhit T S <[email protected]> Co-authored-by: zyue110026 <[email protected]> Co-authored-by: Amit Kumar Das <[email protected]> Co-authored-by: Shubham Chaudhary <[email protected]> Co-authored-by: Bartlomiej Gmerek <[email protected]> Co-authored-by: harshit12339 <[email protected]> Co-authored-by: Umesh Pal <[email protected]> Co-authored-by: khushi1310 <[email protected]> Co-authored-by: Sarthak Jain <[email protected]> Signed-off-by: UJESH KUMAR YADAV <[email protected]>

UJESH2K force-pushed the vulnerability-fix branch from 2eac1bc to af0d0c8 Compare October 22, 2025 20:11

Fix: resolved vulnerability issues in server

2a911b6

Signed-off-by: UJESH2K <[email protected]>

UJESH2K force-pushed the vulnerability-fix branch from af0d0c8 to 2a911b6 Compare October 23, 2025 16:41

changed goversion to 1.24.0 in every file

89be356

Signed-off-by: UJESH KUMAR YADAV <[email protected]>

Merge branch 'master' into vulnerability-fix

9477d5b

Jonsy13 approved these changes Oct 24, 2025

View reviewed changes

SarthakJain26 approved these changes Oct 24, 2025

View reviewed changes

Jonsy13 merged commit 4d1b6b1 into litmuschaos:master Oct 24, 2025
15 of 19 checks passed

UJESH2K mentioned this pull request Nov 28, 2025

seclog: please fix vulnerability like CVE-2025-22868, CVE-2025-22869, CVE-2024-45337 #5225

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Fix: Patch CVE-2024-45337 (crypto/ssh Authorization Bypass) and stabilize controller-runtime envtest failure #5244

Fix: Patch CVE-2024-45337 (crypto/ssh Authorization Bypass) and stabilize controller-runtime envtest failure #5244

Uh oh!

UJESH2K commented Oct 22, 2025 •

edited

Loading

Uh oh!

Jonsy13 commented Oct 23, 2025 •

edited

Loading

Uh oh!

UJESH2K commented Oct 23, 2025

Uh oh!

UJESH2K commented Oct 23, 2025

Uh oh!

Jonsy13 commented Oct 24, 2025

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Fix: Patch CVE-2024-45337 (crypto/ssh Authorization Bypass) and stabilize controller-runtime envtest failure #5244

Fix: Patch CVE-2024-45337 (crypto/ssh Authorization Bypass) and stabilize controller-runtime envtest failure #5244

Uh oh!

Conversation

UJESH2K commented Oct 22, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

🧩 Files Changed & Updates

1️⃣ Kubernetes / envtest / controller-runtime

2️⃣ ChaosHub / GitOps fixes

3️⃣ Internal Utility / Config / Logging

🧪 Verification

✅ Checklist

🧩 Fixes

Uh oh!

Jonsy13 commented Oct 23, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

UJESH2K commented Oct 23, 2025

Uh oh!

UJESH2K commented Oct 23, 2025

Uh oh!

Jonsy13 commented Oct 24, 2025

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

UJESH2K commented Oct 22, 2025 •

edited

Loading

Jonsy13 commented Oct 23, 2025 •

edited

Loading