Skip to content

ingero-io/ingero

v0.10.0 Security

This release includes 3 security fixes for security teams reviewing exposed deployments.

Published 1mo MCP Data & Storage
✓ No known CVEs patched
Read the diff → Tool health → What is this tool? →
This release patches 3 known CVEs

Topics

causal-tracing cuda cuda-graphs ebpf gpu gpu-monitoring
+11 more
gpu-observability incident-response kubernetes machine-learning mcp model-context-protocol nvidia observability pytorch sre distributed-tracing

Affected surfaces

auth deps

Summary

AI summary

Fleet-enabled health signal collection and eBPF Python frame walker coverage up to CPython 3.14.

Full changelog

The Fleet-enabled release. ingero agents now push health signals to
a central ingero-fleet control plane over mTLS, consume threshold
policy from Fleet, and receive remediation hints on the same channel. A
new fleet-push mode in the Helm chart turns the whole loop on with a single values flag. Everything continues to
work standalone if you do not deploy Fleet, so existing installations are
unaffected.

This release also ships a batch of correctness and security fixes, including a round of Python frame-walker
improvements that extend in-kernel frame walking across CPython 3.9 through 3.14.

Highlights

Fleet integration

  • Agent-side health signal collector with classification (degraded, unhealthy, recovery) and threshold consumption
    from Fleet.
  • mTLS poller plus remediation sink wired through a stable interface contract at pkg/contract.
  • Helm chart adds a fleet-push mode, DNS rotation on the OTLP push URL, and jitter on the push tick.
  • Retry-After honored on push failures so Fleet can rate-limit cleanly.

eBPF Python frame walker (--py-walker=ebpf)

  • Version coverage extended to CPython 3.9 / 3.10 / 3.11 / 3.12 / 3.13 / 3.14.
  • Walks PEP 684 subinterpreters via the interpreter-next chain.
  • Detects Py_GIL_DISABLED builds and skips BPF walker state push so the userspace walker takes over cleanly.
  • Runtime offset harvester covers distro CPython builds without DWARF.
  • Per-Python-version regression harness and matrix workload added.

Security and hardening

  • Adversarial-review findings addressed across the agent.
  • MCP path hardened against prompt injection via telemetry.
  • Go stdlib and gRPC CVE bumps.
  • PID tracking hardened (fork event delivery, dedup correctness, multi-tracer paths).

Fixes

  • Walker: corrected pyOffsets313 TstateFrame, and FrameCode; added _PyStackRef mask for 3.14.
  • Walker: fall back to /proc/<pid>/exe when the maps scan misses Python.
  • Walker: accept python-minor-equivalent region when the exact path match fails.
  • Walker: surface a counter when read_compact_ascii rejects a non-compact string (previously silent-truncate).
  • Container and trace-all deployment paths (multi-tracer hardening).
  • Health: append cluster_id to the OTLP push URL for piggyback delivery.

Upgrade notes

  • No action required for non-Fleet users; all Fleet plumbing is opt-in.
  • To enable Fleet push, set fleet-push mode in the ingero Helm chart
    and install a matching ingero-fleet v0.10.0 control plane (will become public soon).

Full changelog: https://github.com/ingero-io/ingero/compare/v0.9.2...v0.10.0

Security Fixes

  • Go stdlib and gRPC CVE bumps applied.
  • MCP path hardened against prompt injection via telemetry.
  • PID tracking hardening (fork event delivery, dedup correctness, multi‑tracer paths).
View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track ingero-io/ingero

Get notified when new releases ship.

Sign up free

About ingero-io/ingero

eBPF-based GPU causal observability agent with MCP server. Traces CUDA Runtime/Driver APIs and host kernel events to build causal chains explaining GPU latency.

All releases →

Related context

Earlier breaking changes

  • v0.17.0 Dropped 'annotate --socket' option from CLI.

Beta — feedback welcome: [email protected]