chore(deps): update module github.com/harvester/harvester to v1.6.1 [security] (v1.7)#210
Open
renovate[bot] wants to merge 1 commit into
Open
Conversation
…security] Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
renovate
Bot
force-pushed
the
renovate/v1.7-go-github.com-harvester-harvester-vulnerability
branch
from
July 17, 2026 09:45
eb24bb1 to
98e6ce0
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
v1.6.0→v1.6.1Harvester's SUSE Virtualization Registration Client Vulnerable to MITM and DOS
CVE-2025-71261 / GHSA-pgh9-mpwc-8jjf / GO-2026-5538
More information
Details
Impact
A vulnerability has been identified in the SUSE Virtualization (Harvester) Rancher integration mechanism where by default the registration client uses an insecure TLS option that fails to verify the remote server’s certificate. This security gap could allow the execution of a man-in-the-middle (MitM) attack against SUSE Virtualization.
An attacker with network-level access between the SUSE Virtualization and Rancher Manager could interfere with the TLS handshake and abuse it to bypass TLS as a security control. The registration client could be misled to send cluster registration requests to an impersonated remote service. Additionally, because the system processes response payloads without performing size validation, an attacker could induce a memory buffer overflow, leading to a potential crash of the SUSE Virtualization registration controller.
Note that this vulnerability only affects the cluster registration configuration (the
cluster-registration-urlsetting) which is distinct from the secured configuration used to maintain operational connectivity between SUSE Virtualization and Rancher Manager, as well as between the manager and hosted downstream clusters.Please consult the associated MITRE ATT&CK - Technique - Adversary-in-the-Middle and MITRE ATT&CK - Technique - Endpoint Denial of Service: Application or System Exploitation for further information about this category of attack.
Patches
This vulnerability is addressed by updating the registration client’s default behaviour to validate the certificate presented by the remote server against the list of trusted system root certificate authority (CA) and those defined by the
additional-casetting.Patched versions of SUSE Virtualization include releases v1.8.0 or newer.
Workarounds
If developers can't upgrade to a fixed version, ensure that only authorized cluster administrators can access and modify the
cluster-registration-urlsetting.Resources
If there are any questions or comments about this advisory:
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:HReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Harvester's SUSE Virtualization Registration Client Vulnerable to MITM and DOS in github.com/harvester/harvester
CVE-2025-71261 / GHSA-pgh9-mpwc-8jjf / GO-2026-5538
More information
Details
Harvester's SUSE Virtualization Registration Client Vulnerable to MITM and DOS in github.com/harvester/harvester
Severity
Unknown
References
This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
Release Notes
harvester/harvester (github.com/harvester/harvester)
v1.6.1Compare Source
Harvester v1.6.1 Release Notes
This release introduces several features, enhancements, and bug fixes that improve system quality and the overall user experience. The documentation is available at https://docs.harvesterhci.io/v1.6.
The Harvester team appreciates your contributions and looks forward to receiving feedback regarding this release.
Downloads
AMD64
Full ISO
💿 https://releases.rancher.com/harvester/v1.6.1/harvester-v1.6.1-amd64.iso
📁 https://releases.rancher.com/harvester/v1.6.1/harvester-v1.6.1-vmlinuz-amd64
📁 https://releases.rancher.com/harvester/v1.6.1/harvester-v1.6.1-initrd-amd64
📁 https://releases.rancher.com/harvester/v1.6.1/harvester-v1.6.1-rootfs-amd64.squashfs
✅ https://releases.rancher.com/harvester/v1.6.1/harvester-v1.6.1-amd64.sha512
📝 https://releases.rancher.com/harvester/v1.6.1/version.yaml
Net Install ISO
💿 https://releases.rancher.com/harvester/v1.6.1/harvester-v1.6.1-amd64-net-install.iso
📝 https://docs.harvesterhci.io/v1.6/install/net-install/
ARM64
💿 https://releases.rancher.com/harvester/v1.6.1/harvester-v1.6.1-arm64.iso
📁 https://releases.rancher.com/harvester/v1.6.1/harvester-v1.6.1-vmlinuz-arm64
📁 https://releases.rancher.com/harvester/v1.6.1/harvester-v1.6.1-initrd-arm64
📁 https://releases.rancher.com/harvester/v1.6.1/harvester-v1.6.1-rootfs-arm64.squashfs
✅ https://releases.rancher.com/harvester/v1.6.1/harvester-v1.6.1-arm64.sha512
📝 https://releases.rancher.com/harvester/v1.6.1/version-arm64.yaml
Installation
Harvester can be installed using the ISO image, a bootable USB drive, and PXE boot. A net install ISO image, which contains only the core OS components, is also now available. For more information, see the Installation section of the documentation.
Upgrades
Harvester only allows upgrades from supported versions. For more information about upgrade paths and procedures, see Upgrading Harvester.
Enhancements
Bug Fixes
disabled#8834Tasks
Others
Known Issues
This section only includes issues that were identified before the release date. For information about all issues associated with v1.6.1, see this page.
Components
Contributors
Thank you to all the contributors that made this release possible.
@a110605
@albinsun
@asc5543
@asettle
@brandboat
@forbesguthrie
@FrankYang0529
@ibrokethecloud
@innobead
@irishgordo
@jbrockmeyer
@jillian-maroket
@m-ildefons
@noahgildersleeve
@rebeccazzzz
@rrajendran17
@TachunLin
@tserong
@Vicente-Cheng
@votdev
@w13915984028
@WebberHuang1118
@wheatdog
Configuration
📅 Schedule: (in timezone Asia/Taipei)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.