Skip to content

chore(deps): update module github.com/harvester/harvester to v1.6.1 [security] (v1.7)#210

Open
renovate[bot] wants to merge 1 commit into
v1.7from
renovate/v1.7-go-github.com-harvester-harvester-vulnerability
Open

chore(deps): update module github.com/harvester/harvester to v1.6.1 [security] (v1.7)#210
renovate[bot] wants to merge 1 commit into
v1.7from
renovate/v1.7-go-github.com-harvester-harvester-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
github.com/harvester/harvester v1.6.0v1.6.1 age confidence

Harvester's SUSE Virtualization Registration Client Vulnerable to MITM and DOS

CVE-2025-71261 / GHSA-pgh9-mpwc-8jjf / GO-2026-5538

More information

Details

Impact

A vulnerability has been identified in the SUSE Virtualization (Harvester) Rancher integration mechanism where by default the registration client uses an insecure TLS option that fails to verify the remote server’s certificate. This security gap could allow the execution of a man-in-the-middle (MitM) attack against SUSE Virtualization.

An attacker with network-level access between the SUSE Virtualization and Rancher Manager could interfere with the TLS handshake and abuse it to bypass TLS as a security control. The registration client could be misled to send cluster registration requests to an impersonated remote service. Additionally, because the system processes response payloads without performing size validation, an attacker could induce a memory buffer overflow, leading to a potential crash of the SUSE Virtualization registration controller.

Note that this vulnerability only affects the cluster registration configuration (the cluster-registration-url setting) which is distinct from the secured configuration used to maintain operational connectivity between SUSE Virtualization and Rancher Manager, as well as between the manager and hosted downstream clusters.

Please consult the associated MITRE ATT&CK - Technique - Adversary-in-the-Middle and MITRE ATT&CK - Technique - Endpoint Denial of Service: Application or System Exploitation for further information about this category of attack.

Patches

This vulnerability is addressed by updating the registration client’s default behaviour to validate the certificate presented by the remote server against the list of trusted system root certificate authority (CA) and those defined by the additional-ca setting.

Patched versions of SUSE Virtualization include releases v1.8.0 or newer.

Workarounds

If developers can't upgrade to a fixed version, ensure that only authorized cluster administrators can access and modify the cluster-registration-url setting.

Resources

If there are any questions or comments about this advisory:

Severity

  • CVSS Score: 8.6 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Harvester's SUSE Virtualization Registration Client Vulnerable to MITM and DOS in github.com/harvester/harvester

CVE-2025-71261 / GHSA-pgh9-mpwc-8jjf / GO-2026-5538

More information

Details

Harvester's SUSE Virtualization Registration Client Vulnerable to MITM and DOS in github.com/harvester/harvester

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


Release Notes

harvester/harvester (github.com/harvester/harvester)

v1.6.1

Compare Source

Harvester v1.6.1 Release Notes

This release introduces several features, enhancements, and bug fixes that improve system quality and the overall user experience. The documentation is available at https://docs.harvesterhci.io/v1.6.

The Harvester team appreciates your contributions and looks forward to receiving feedback regarding this release.

Downloads

AMD64
Full ISO

💿 https://releases.rancher.com/harvester/v1.6.1/harvester-v1.6.1-amd64.iso

📁 https://releases.rancher.com/harvester/v1.6.1/harvester-v1.6.1-vmlinuz-amd64

📁 https://releases.rancher.com/harvester/v1.6.1/harvester-v1.6.1-initrd-amd64

📁 https://releases.rancher.com/harvester/v1.6.1/harvester-v1.6.1-rootfs-amd64.squashfs

https://releases.rancher.com/harvester/v1.6.1/harvester-v1.6.1-amd64.sha512

📝 https://releases.rancher.com/harvester/v1.6.1/version.yaml

Net Install ISO

💿 https://releases.rancher.com/harvester/v1.6.1/harvester-v1.6.1-amd64-net-install.iso

📝 https://docs.harvesterhci.io/v1.6/install/net-install/

ARM64

💿 https://releases.rancher.com/harvester/v1.6.1/harvester-v1.6.1-arm64.iso

📁 https://releases.rancher.com/harvester/v1.6.1/harvester-v1.6.1-vmlinuz-arm64

📁 https://releases.rancher.com/harvester/v1.6.1/harvester-v1.6.1-initrd-arm64

📁 https://releases.rancher.com/harvester/v1.6.1/harvester-v1.6.1-rootfs-arm64.squashfs

https://releases.rancher.com/harvester/v1.6.1/harvester-v1.6.1-arm64.sha512

📝 https://releases.rancher.com/harvester/v1.6.1/version-arm64.yaml

Installation

Harvester can be installed using the ISO image, a bootable USB drive, and PXE boot. A net install ISO image, which contains only the core OS components, is also now available. For more information, see the Installation section of the documentation.

[!IMPORTANT]
The Harvester v1.6.1 installer checks if the hardware meets the minimum requirements for production use. If any of the checks fail, installation is stopped and warnings are printed to the system console.

You can disable this behavior during iPXE installation (for testing purposes) by adding the kernel parameter harvester.install.skipchecks=true when you boot the system. For more information, see Useful Kernel Parameters.

Upgrades

Harvester only allows upgrades from supported versions. For more information about upgrade paths and procedures, see Upgrading Harvester.

Enhancements

  • [backport v1.6] [ENHANCEMENT] Review the volume detacher behavior #​9222
  • [backport v1.6] [ENHANCEMENT] Support reserved memory in terraform-provider-rancher2 and docker-machine-driver-harvester #​8766

Bug Fixes

  • [backport v1.6] [BUG] VM Image upload issue with 3rd-party storage #​9314
  • [backport v1.6] [BUG] v1.6.0-rc6 Cluster Network Config aka Vlan Config for Cluster Network, it's vlan status upon reboot becomes bad #​9256
  • [backport v1.6] [BUG] Harvester CDI backend crashes with OOM when HTTP server doesn't support range requests #​9249
  • [backport v1.6] [BUG] PCI Passthrough VMs Will Not Boot with Default Harvester Settings in 1.6.0 #​9244
  • [backport v1.6] [BUG] StorageClass CDI validator miss storage class parameter #​9192
  • [BUG] RKE2 Pool & DHCP Guest Cluster LBs Not Working on Harvester v1.6-b192e41f-head + Rancher v2.12.2-alpha4 #​9183
  • [backport v1.6] [BUG] Fail to create VM with L2VlanNetwork due to "Masquerade interface only implemented with pod network" #​9166
  • [backport v1.6] [BUG] Inherit mac address from enslaved interface for mgmt #​9157
  • [backport v1.6] [BUG] Network setup error during upgrade from v1.5.1 to v1.6.0 #​9121
  • [backport v1.6] [BUG] Panic was observed on loadbalancer-harvester webhook #​9106
  • [backport v1.6] [BUG] Data Disk dropdown selects the wrong disk #​9049
  • [backport v1.6] [BUG] Existing status conditions are not updated #​9038
  • [BUG] ui-index and ui-plugin-index settings should use release-harvester-v1.6 #​8993
  • [backport v1.6] [BUG] VM menu item prompt upward display truncated, can't click on some vm operation button #​8960
  • [backport v1.6] [BUG] Deleting a VM Network on mgmt cluster removes the mgmt vlan causing Harvester node to lose connectivity #​8957
  • [backport v1.6] [BUG][UI] Soft reboot button in VM VNC console not work #​8956
  • [BUG] Unable to select upgrade version on Harvester upgrade dashboard from Rancher v2.12.0 #​8952
  • [BUG] Can't add member to project in Harvester v1.6.0-rc6 on Rancher v2.12.0 with UI extension v1.6.0-rc6 #​8942
  • [BUG] Rancher v2.12.0 w/ Harvester v1.6.0-rc6 w/ Harvester UI Extension v1.6.0-rc6 Can't Add Cluster Members to imported Harvester Cluster #​8923
  • [BUG] Can't add volume to vm in Harvester from Rancher v2.12.0 integrate mode, available volume is hidden beneath the panel #​8885
  • [BUG] Can't migrate vm in Harvester from Rancher v2.12.0 integrate mode, no available target node in the list #​8884
  • [BUG] Unable to move namespace to another project on Rancher 2.12.0 #​8851
  • [backport v1.6] [BUG] Can't add volume, delete and backup vm when vm enabled cpu pinning while cpu manager is disabled #​8834

Tasks

  • [backport v1.6] [TASK] Should not disable auto-cleanup-system-generated-snapshot during upgrade #​9046

Others

Known Issues

This section only includes issues that were identified before the release date. For information about all issues associated with v1.6.1, see this page.

  • [BUG] VM Image upload issue with 3rd-party storage #​9313

Components

Component Version
CDI v1.62.0
KubeVirt v1.5.2
Longhorn v1.9.2
Rancher (embedded) v2.12.2
RKE2 v1.33.5
SLE Micro 5.5

Contributors

Thank you to all the contributors that made this release possible.

@​a110605
@​albinsun
@​asc5543
@​asettle
@​brandboat
@​forbesguthrie
@​FrankYang0529
@​ibrokethecloud
@​innobead
@​irishgordo
@​jbrockmeyer
@​jillian-maroket
@​m-ildefons
@​noahgildersleeve
@​rebeccazzzz
@​rrajendran17
@​TachunLin
@​tserong
@​Vicente-Cheng
@​votdev
@​w13915984028
@​WebberHuang1118
@​wheatdog


Configuration

📅 Schedule: (in timezone Asia/Taipei)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

…security]

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@renovate
renovate Bot force-pushed the renovate/v1.7-go-github.com-harvester-harvester-vulnerability branch from eb24bb1 to 98e6ce0 Compare July 17, 2026 09:45
@renovate renovate Bot changed the title chore(deps): update module github.com/harvester/harvester to v1.8.0 [security] (v1.7) chore(deps): update module github.com/harvester/harvester to v1.6.1 [security] (v1.7) Jul 17, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants