Quick Start
Non-HA:
kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/v2.5.16/manifests/install.yamlHA:
kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/v2.5.16/manifests/ha/install.yamlBreaking changes
As part of the fix for GHSA-2q5c-qw9c-fmvq, the API will now return "Unauthorized" instead of "Not found" if an Application does not exist. This change prevents leaking the existence or non-existence of Applications to unauthorized parties.
This change may break applications which depend on "Not found" responses from the Argo CD API's application endpoints.
Workarounds and potential long-term solutions will be discussed on #13000.
The argocd app create CLI command for versions >= 2.5.0-rc1 and before this security patch is one such application which was affected. (See upgrade notes for details on that issue.)
Release signatures
All Argo CD container images and CLI binaries are signed by cosign. See the documentation on how to verify the signatures.
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEesHEB7vX5Y2RxXypjMy1nI1z7iRG
JI9/gt/sYqzpsa65aaNP4npM43DDxoIy/MQBo9s/mxGxmA+8UXeDpVC9vw==
-----END PUBLIC KEY-----Upgrading
If upgrading from a different minor version, be sure to read the upgrading documentation.
Changes
This release includes 1 contributions from 1 contributors with 0 features and 0 bug fixes.
Security (1)
- MODERATE: Authenticated but unauthorized users may enumerate Application names via the API (GHSA-2q5c-qw9c-fmvq)