Note
The v0.3.0 release of the Packer plugin SDK contains the following changes, which may affect the downloading of external files such as ISOs used by this plugin.
- Default timeouts have been added to the GitGetter, HgGetter, S3Getter, and GcsGetter getters to mitigate against resource exhaustion when calling out to external command line applications.
- Support for the X-Terraform-Get header has been disabled to mitigate against protocol switching, endless redirect, and configuration bypass abuse of custom HTTP response header processing.
- The default go-getter client has been updated to prevent arbitrary host access via go-getter's path traversal, symlink processing, and command injection flaws.
See Security Options for more details.
What's Changed
Bug fixes
- Bump packer-plugin-sdk to v0.3.0 to address vulnerabilities in go-getter, as described in HCSEC-2022-13.
Full Changelog: v1.0.4...v1.0.5