chore(deps): update module github.com/harvester/harvester to v1.8.0 [security] (master)#24
Open
renovate[bot] wants to merge 1 commit into
Conversation
…security] Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Author
ℹ️ Artifact update noticeFile name: go.modIn order to perform the update(s) described in the table above, Renovate ran the
Details:
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
v1.5.1→v1.8.0Harvester's SUSE Virtualization Registration Client Vulnerable to MITM and DOS
CVE-2025-71261 / GHSA-pgh9-mpwc-8jjf / GO-2026-5538
More information
Details
Impact
A vulnerability has been identified in the SUSE Virtualization (Harvester) Rancher integration mechanism where by default the registration client uses an insecure TLS option that fails to verify the remote server’s certificate. This security gap could allow the execution of a man-in-the-middle (MitM) attack against SUSE Virtualization.
An attacker with network-level access between the SUSE Virtualization and Rancher Manager could interfere with the TLS handshake and abuse it to bypass TLS as a security control. The registration client could be misled to send cluster registration requests to an impersonated remote service. Additionally, because the system processes response payloads without performing size validation, an attacker could induce a memory buffer overflow, leading to a potential crash of the SUSE Virtualization registration controller.
Note that this vulnerability only affects the cluster registration configuration (the
cluster-registration-urlsetting) which is distinct from the secured configuration used to maintain operational connectivity between SUSE Virtualization and Rancher Manager, as well as between the manager and hosted downstream clusters.Please consult the associated MITRE ATT&CK - Technique - Adversary-in-the-Middle and MITRE ATT&CK - Technique - Endpoint Denial of Service: Application or System Exploitation for further information about this category of attack.
Patches
This vulnerability is addressed by updating the registration client’s default behaviour to validate the certificate presented by the remote server against the list of trusted system root certificate authority (CA) and those defined by the
additional-casetting.Patched versions of SUSE Virtualization include releases v1.8.0 or newer.
Workarounds
If developers can't upgrade to a fixed version, ensure that only authorized cluster administrators can access and modify the
cluster-registration-urlsetting.Resources
If there are any questions or comments about this advisory:
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:HReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Harvester's SUSE Virtualization Registration Client Vulnerable to MITM and DOS in github.com/harvester/harvester
CVE-2025-71261 / GHSA-pgh9-mpwc-8jjf / GO-2026-5538
More information
Details
Harvester's SUSE Virtualization Registration Client Vulnerable to MITM and DOS in github.com/harvester/harvester
Severity
Unknown
References
This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
Release Notes
harvester/harvester (github.com/harvester/harvester)
v1.8.0Compare Source
Harvester v1.8.0 Release Notes
This release introduces several features, enhancements, and bug fixes that improve system quality and the overall user experience. The documentation is available at https://docs.harvesterhci.io/v1.8.
The Harvester team appreciates your contributions and looks forward to receiving feedback regarding this release.
Downloads
AMD64
Full ISO
💿 https://releases.rancher.com/harvester/v1.8.0/harvester-v1.8.0-amd64.iso
📁 https://releases.rancher.com/harvester/v1.8.0/harvester-v1.8.0-vmlinuz-amd64
📁 https://releases.rancher.com/harvester/v1.8.0/harvester-v1.8.0-initrd-amd64
📁 https://releases.rancher.com/harvester/v1.8.0/harvester-v1.8.0-rootfs-amd64.squashfs
✅ https://releases.rancher.com/harvester/v1.8.0/harvester-v1.8.0-amd64.sha512
📝 https://releases.rancher.com/harvester/v1.8.0/version.yaml
Net Install ISO
💿 https://releases.rancher.com/harvester/v1.8.0/harvester-v1.8.0-amd64-net-install.iso
📝 https://docs.harvesterhci.io/v1.8/install/net-install/
ARM64
💿 https://releases.rancher.com/harvester/v1.8.0/harvester-v1.8.0-arm64.iso
📁 https://releases.rancher.com/harvester/v1.8.0/harvester-v1.8.0-vmlinuz-arm64
📁 https://releases.rancher.com/harvester/v1.8.0/harvester-v1.8.0-initrd-arm64
📁 https://releases.rancher.com/harvester/v1.8.0/harvester-v1.8.0-rootfs-arm64.squashfs
✅ https://releases.rancher.com/harvester/v1.8.0/harvester-v1.8.0-arm64.sha512
📝 https://releases.rancher.com/harvester/v1.8.0/version-arm64.yaml
Installation
Harvester can be installed using the ISO image, a bootable USB drive, and PXE boot. For more information, see the Installation section of the documentation.
Upgrade
Harvester only allows upgrades from supported versions. For more information about upgrade paths and procedures, see Upgrading Harvester.
Highlights
In-Place Storage Live Migration
In Harvester v1.8.0, you can seamlessly migrate a running VM's disks (or a subset of them) between different storage providers, such as Longhorn or externally supported CSI volumes without any downtime. The guest OS remains completely unaware of the underlying storage transfer, ensuring minimal disruption to active workloads. This new capability includes full UI and API support with real-time progress tracking, as well as built-in safety mechanisms that verify destination capacity and temporarily block conflicting operations (like host-to-host live migrations) until the storage transfer is complete.
Demo | Documentation | GitHub issue
Live CD-ROM Insertion & Ejection
Harvester v1.8.0 introduces dynamic management for CD-ROM volumes, allowing users to insert or eject ISO images while a VM is running. While adding or removing the CD-ROM device itself still typically necessitates a reboot, swapping the media within that device is now seamless. Additionally, VMs with mounted CD-ROMs are live migratable.
Demo | Documentation | GitHub issue
Optimized Longhorn Resource Reservations
Harvester v1.8.0 introduces a new configuration setting that allows users to manually adjust Longhorn Instance Manager resource reservations. For clusters primarily utilizing third-party storage solutions, users can now reduce the default CPU and memory allocations reserved for Longhorn. This manual optimization helps improve overall cluster efficiency by freeing up resources for other workloads in environments where Longhorn is only required for core system functionalities, such as image management and system upgrades.
Demo | Documentation | GitHub issue
Pod Security Admission (PSA) Support
Harvester v1.8.0 supports Pod Security Admission (PSA) to enforce Pod Security Standards (PSS). Built-in Kubernetes that validates and mutates the admission policies are used to enforce these standards on Harvester's system namespaces. This implementation guarantees that system-specific workloads remain unaffected and ensures a seamless upgrade path from non-PSA to PSA-enabled images. User namespaces remain unenforced, by default, preserving the flexibility for users to define their own security levels or independently deploy external policy engines (such as Kyverno, OPA Gatekeeper, or Kubewarden) without bloating the core upgrade path.
Demo | Documentation | GitHub issue
PVC Backup and Restore via harvester-csi-driver for Guest Cluster Workloads
Harvester v1.8.0 enables backup and restore operations for guest cluster workloads using the harvester-csi-driver. This allows users to protect their workload data by creating backups of Persistent Volume Claims (PVCs) in the guest cluster, which are then stored in the underlying storage provider (now only support Longhorn) of the Harvester cluster. Users can easily restore these backups to recover from data loss or to migrate workloads between clusters, providing enhanced data protection for applications running within Harvester-managed guest clusters.
Demo | Documentation | GitHub issue
VM Pending Restart Notifications
Harvester v1.8.0 UI now proactively alerts users when a Virtual Machine requires a restart to fully apply configuration changes, such as interface binding updates or specific CPU/memory modifications. The dashboard continuously polls the VM's status conditions and displays a "Pending Restart" indicator when necessary. This prevents unapplied changes from silently blocking future live updates or resource hotplug operations, ensuring users can promptly resolve the state using the standard UI restart action.
Demo | Documentation | GitHub issue
Configurable VM CPU Models for Live Migration
Harvester v1.8.0 addresses an issue where live migrating VMs between hosts with different CPU generations (for example, AMD Ryzen 5th Gen to 3rd Gen) would fail due to strict CPU feature-matching checks by KubeVirt/libvirt. Users can now explicitly define a specific CPU model (for example, IvyBridge, host-model, or default) for a VM during creation via the Harvester UI or Terraform provider. This ensures the VM is only scheduled and migrated across nodes that support the selected baseline CPU model, enabling reliable backward compatibility and successful live migrations in mixed-hardware clusters.
Demo | Documentation | GitHub issue
Interactive VPC Network Topology
In Harvester v1.8.0, a dynamic visual topology diagram is added to the VPC detail page, providing a clear representation of logical switches and network relationships. The interactive map displays the complete hierarchy from VPCs and Subnets to Overlay Networks and individual VMs while accurately reflecting VM power states by graying out stopped or paused instances. Users can easily navigate complex network architectures using pan and zoom controls, legend toggles for filtering node types, click-to-highlight node relationships, and clickable VPC peering links that seamlessly redirect to associated topology pages.
Demo | Documentation | GitHub issue
Fine-Grained Harvester RBAC Roles for Rancher
Harvester v1.8.0 introduces Harvester-specific Role-Based Access Control (RBAC) roles within Rancher, fully enforced at the backend API-level. This allows administrators to assign highly specific, granular permissions based on user needs. New capabilities include read-only roles for viewing VM definitions and monitoring data, specialized roles for non-admins to manage hardware devices (PCI, USB, vGPU), and scoped "VM Admin" roles restricted to editing VMs within specific namespaces without granting access to underlying infrastructure like images or networks. Role permissions are additive, and for security purposes, sensitive cluster-level configurations, such as logging facilities remain strictly editable only by cluster admins, with non-admins restricted to read-only access.
Demo | Documentation | GitHub issue
Layer 3 Underlay for Software-Defined Cluster Networks
Harvester v1.8.0 introduces Layer 3 connectivity support for software-defined cluster networks to act as a dedicated underlay for Kube-OVN. Previously, inter-node VM traffic was forced over the management interface (mgmt-bo), causing potential bandwidth overhead and a lack of traffic segregation. With the latest udpate, users can now assign a specific IP range to a custom cluster network, which Harvester uses to automatically allocate IPs across nodes and provision dedicated OVS bridges. This enables complete segregation of VM data traffic from management traffic, improving overall network performance, isolation and architectural flexibility.
Demo | Documentation | GitHub issue
SUSE Observability Integration
Harvester v1.8.0 officially supports integration with the SUSE Observability Stack Pack. Harvester clusters can now seamlessly register with SUSE Observability to track core metrics, ensuring reliable data continuity and accurate resource reporting (such as CPU, memory and node size) across cluster upgrades and dynamic scaling operations.
Demo | Documentation | GitHub issue
Stand-alone Upgrade Manager - Experimental
Harvester v1.8.0 decouples the upgrade logic from the core harvester binary into a stand-alone upgrade-manager. This architectural change enables faster delivery and testing of upgrade-related features and bug fixes without waiting for full release cycles. The upgrade lifecycle is now efficiently managed by
components—upgrade-shim(early stage preparation),upgrade-repo(metadata and image hub), andupgrade-manager(custom lifecycle controllers) improving the overall maintainability and upgrade reliability.Demo | Documentation | GitHub issue
Enhanced Device Identification and Native Support for Non-WWN Disks
Harvester v1.8.0 introduces a reworked BlockDevice naming convention that removes the strict requirement for World Wide Names (WWNs). This allows disks without WWNs to be recognized and provisioned seamlessly across Longhorn V1, Longhorn V2, and LVM storage backends. This enhancement significantly streamlines disk attachment, particularly for NVMe devices and other hardware where WWNs may not be available.
Demo | Documentation | GitHub issue
Features
Enhancements
auto-delete-pod-when-volume-detached-unexpectedlysetting #9467Bug Fixes
Pre-drainingwith vm failed to migrate on RKE2 guest cluster #10354Pre-drainingstate to wait vm migration start #10349Known Issuessection inAdvanced > Available Addons > VM Importis not listed in sidenav #10005failed to load harvester config ... strconv.ParseInt: parsing "": invalid syntax#9834View in APIof resource always direct to empty page #9614Pending migration, theabortMigrationaction is not allowed #9435.in the hostDevices.name #9399natOutgoingwith default valuefalse#8861network.harvesterhci.io/mtu-source-vcAnnotation Not Cleaned Up When Cluster Network Configuration Deleted #8783context deadline exceededis observed when creating schedulevmbackup if the NFS server is down #6903ls -all /usr/lib/systemd/system/elemental-*-*.service) #5945rancher-monitoringin Harvester for New User Creation, not providing correct URL path forinvite#5298Others
harvester-cloud-provider:0.2.1100with Rancher v2.14.0-alpha3 w/ Harvester master-27fbcfa8-head, w/ 1.8.0-dev Harvester UI Extension -> Pool LoadBalancers Missing Annotations #10059Known Issues
This section includes only issues identified before the release date. For information about all issues associated with v1.8.0, see this page.
run on all available nodes#9142Security Fixes for Harvester Vulnerabilities
This release addresses the following Harvester security issues:
Deprecations and Removals
Legacy BIOS Booting
Support for legacy BIOS booting is removed in v1.8.0. Existing Harvester clusters that use this boot mode will continue to function, but upgrading to later versions may require re-installation in UEFI mode. To avoid issues and disruptions, use UEFI in new installations.
Component Versions
Configuration
📅 Schedule: (in timezone Asia/Taipei)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.