From 56aca696f57be6b7ece39a35d1977854b8767a41 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Tue, 26 Mar 2024 17:11:32 -0500
Subject: [PATCH] =?UTF-8?q?security(deps):=20update=20=F0=9F=9B=A1?=
=?UTF-8?q?=EF=B8=8F=20google.golang.org/protobuf=20to=20v1.33.0=20[securi?=
=?UTF-8?q?ty]=20(#116)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)
This PR contains the following updates:
| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
|
[google.golang.org/protobuf](https://togithub.com/protocolbuffers/protobuf-go)
| `v1.31.0` -> `v1.33.0` |
[![age](https://developer.mend.io/api/mc/badges/age/go/google.golang.org%2fprotobuf/v1.33.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/go/google.golang.org%2fprotobuf/v1.33.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/go/google.golang.org%2fprotobuf/v1.31.0/v1.33.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/go/google.golang.org%2fprotobuf/v1.31.0/v1.33.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
### GitHub Vulnerability Alerts
#### [CVE-2024-24786](https://nvd.nist.gov/vuln/detail/CVE-2024-24786)
The protojson.Unmarshal function can enter an infinite loop when
unmarshaling certain forms of invalid JSON. This condition can occur
when unmarshaling into a message which contains a google.protobuf.Any
value, or when the UnmarshalOptions.DiscardUnknown option is set.
---
### Golang protojson.Unmarshal function infinite loop when unmarshaling
certain forms of invalid JSON
[CVE-2024-24786](https://nvd.nist.gov/vuln/detail/CVE-2024-24786) /
[GHSA-8r3f-844c-mc37](https://togithub.com/advisories/GHSA-8r3f-844c-mc37)
/ [GO-2024-2611](https://pkg.go.dev/vuln/GO-2024-2611)
More information
#### Details
The protojson.Unmarshal function can enter an infinite loop when
unmarshaling certain forms of invalid JSON. This condition can occur
when unmarshaling into a message which contains a google.protobuf.Any
value, or when the UnmarshalOptions.DiscardUnknown option is set.
#### Severity
Moderate
#### References
-
[https://nvd.nist.gov/vuln/detail/CVE-2024-24786](https://nvd.nist.gov/vuln/detail/CVE-2024-24786)
-
[https://github.com/protocolbuffers/protobuf-go/commit/f01a588e5810b90996452eec4a28f22a0afae023](https://togithub.com/protocolbuffers/protobuf-go/commit/f01a588e5810b90996452eec4a28f22a0afae023)
-
[https://github.com/protocolbuffers/protobuf-go](https://togithub.com/protocolbuffers/protobuf-go)
-
[https://github.com/protocolbuffers/protobuf-go/releases/tag/v1.33.0](https://togithub.com/protocolbuffers/protobuf-go/releases/tag/v1.33.0)
- [https://go.dev/cl/569356](https://go.dev/cl/569356)
-
[https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDMBHAVSDU2FBDZ45U3A2VLSM35OJ2HU](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDMBHAVSDU2FBDZ45U3A2VLSM35OJ2HU)
-
[https://pkg.go.dev/vuln/GO-2024-2611](https://pkg.go.dev/vuln/GO-2024-2611)
This data is provided by
[OSV](https://osv.dev/vulnerability/GHSA-8r3f-844c-mc37) and the [GitHub
Advisory Database](https://togithub.com/github/advisory-database)
([CC-BY
4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).
---
### Infinite loop in JSON unmarshaling in google.golang.org/protobuf
[CVE-2024-24786](https://nvd.nist.gov/vuln/detail/CVE-2024-24786) /
[GHSA-8r3f-844c-mc37](https://togithub.com/advisories/GHSA-8r3f-844c-mc37)
/ [GO-2024-2611](https://pkg.go.dev/vuln/GO-2024-2611)
More information
#### Details
The protojson.Unmarshal function can enter an infinite loop when
unmarshaling certain forms of invalid JSON. This condition can occur
when unmarshaling into a message which contains a google.protobuf.Any
value, or when the UnmarshalOptions.DiscardUnknown option is set.
#### Severity
Unknown
#### References
- [https://go.dev/cl/569356](https://go.dev/cl/569356)
This data is provided by
[OSV](https://osv.dev/vulnerability/GO-2024-2611) and the [Go
Vulnerability Database](https://togithub.com/golang/vulndb) ([CC-BY
4.0](https://togithub.com/golang/vulndb#license)).
---
### Release Notes
protocolbuffers/protobuf-go
(google.golang.org/protobuf)
###
[`v1.33.0`](https://togithub.com/protocolbuffers/protobuf-go/compare/v1.32.0...v1.33.0)
[Compare
Source](https://togithub.com/protocolbuffers/protobuf-go/compare/v1.32.0...v1.33.0)
###
[`v1.32.0`](https://togithub.com/protocolbuffers/protobuf-go/releases/tag/v1.32.0)
[Compare
Source](https://togithub.com/protocolbuffers/protobuf-go/compare/v1.31.0...v1.32.0)
**Full Changelog**:
https://github.com/protocolbuffers/protobuf-go/compare/v1.31.0...v1.32.0
This release contains commit
https://github.com/protocolbuffers/protobuf-go/commit/bfcd6476a38e41247d6bb43dc8f00b23ec9fffc2,
which fixes a denial of service vulnerability by preventing a stack
overflow through a default maximum recursion limit. See
[https://github.com/golang/protobuf/issues/1583](https://togithub.com/golang/protobuf/issues/1583)
and
[https://github.com/golang/protobuf/issues/1584](https://togithub.com/golang/protobuf/issues/1584)
for details.
---
### Configuration
📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no
schedule defined).
🚦 **Automerge**: Enabled.
â™» **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] If you want to rebase/retry this PR, check
this box
---
This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/DelineaXPM/dsv-k8s).
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
go.mod | 2 +-
go.sum | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/go.mod b/go.mod
index 3ee0f09..0871ee6 100644
--- a/go.mod
+++ b/go.mod
@@ -63,7 +63,7 @@ require (
golang.org/x/text v0.14.0 // indirect
golang.org/x/time v0.3.0 // indirect
google.golang.org/appengine v1.6.7 // indirect
- google.golang.org/protobuf v1.31.0 // indirect
+ google.golang.org/protobuf v1.33.0 // indirect
gopkg.in/inf.v0 v0.9.1 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
diff --git a/go.sum b/go.sum
index ddb4559..5632b98 100644
--- a/go.sum
+++ b/go.sum
@@ -268,8 +268,8 @@ google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6
google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8=
-google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=
+google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=