Skip to content

Commit

Permalink
security(deps): update 🛡️ google.golang.org/protobuf to v1.33.0 [secu…
Browse files Browse the repository at this point in the history 
…rity] (#79)

[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
|
[google.golang.org/protobuf](https://togithub.com/protocolbuffers/protobuf-go)
| `v1.30.0` -> `v1.33.0` |
[![age](https://developer.mend.io/api/mc/badges/age/go/google.golang.org%2fprotobuf/v1.33.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/go/google.golang.org%2fprotobuf/v1.33.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/go/google.golang.org%2fprotobuf/v1.30.0/v1.33.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/go/google.golang.org%2fprotobuf/v1.30.0/v1.33.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

### GitHub Vulnerability Alerts

#### [CVE-2024-24786](https://nvd.nist.gov/vuln/detail/CVE-2024-24786)

The protojson.Unmarshal function can enter an infinite loop when
unmarshaling certain forms of invalid JSON. This condition can occur
when unmarshaling into a message which contains a google.protobuf.Any
value, or when the UnmarshalOptions.DiscardUnknown option is set.

---

### Infinite loop in JSON unmarshaling in google.golang.org/protobuf
[CVE-2024-24786](https://nvd.nist.gov/vuln/detail/CVE-2024-24786) /
[GHSA-8r3f-844c-mc37](https://togithub.com/advisories/GHSA-8r3f-844c-mc37)
/ [GO-2024-2611](https://pkg.go.dev/vuln/GO-2024-2611)

<details>
<summary>More information</summary>

#### Details
The protojson.Unmarshal function can enter an infinite loop when
unmarshaling certain forms of invalid JSON. This condition can occur
when unmarshaling into a message which contains a google.protobuf.Any
value, or when the UnmarshalOptions.DiscardUnknown option is set.

#### Severity
Unknown

#### References
- [https://go.dev/cl/569356](https://go.dev/cl/569356)

This data is provided by
[OSV](https://osv.dev/vulnerability/GO-2024-2611) and the [Go
Vulnerability Database](https://togithub.com/golang/vulndb) ([CC-BY
4.0](https://togithub.com/golang/vulndb#license)).
</details>

---

### Golang protojson.Unmarshal function infinite loop when unmarshaling
certain forms of invalid JSON
[CVE-2024-24786](https://nvd.nist.gov/vuln/detail/CVE-2024-24786) /
[GHSA-8r3f-844c-mc37](https://togithub.com/advisories/GHSA-8r3f-844c-mc37)
/ [GO-2024-2611](https://pkg.go.dev/vuln/GO-2024-2611)

<details>
<summary>More information</summary>

#### Details
The protojson.Unmarshal function can enter an infinite loop when
unmarshaling certain forms of invalid JSON. This condition can occur
when unmarshaling into a message which contains a google.protobuf.Any
value, or when the UnmarshalOptions.DiscardUnknown option is set.

#### Severity
Moderate

#### References
-
[https://nvd.nist.gov/vuln/detail/CVE-2024-24786](https://nvd.nist.gov/vuln/detail/CVE-2024-24786)
-
[https://github.com/protocolbuffers/protobuf-go/commit/f01a588e5810b90996452eec4a28f22a0afae023](https://togithub.com/protocolbuffers/protobuf-go/commit/f01a588e5810b90996452eec4a28f22a0afae023)
-
[https://github.com/protocolbuffers/protobuf-go](https://togithub.com/protocolbuffers/protobuf-go)
-
[https://github.com/protocolbuffers/protobuf-go/releases/tag/v1.33.0](https://togithub.com/protocolbuffers/protobuf-go/releases/tag/v1.33.0)
- [https://go.dev/cl/569356](https://go.dev/cl/569356)
-
[https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDMBHAVSDU2FBDZ45U3A2VLSM35OJ2HU](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDMBHAVSDU2FBDZ45U3A2VLSM35OJ2HU)
-
[https://pkg.go.dev/vuln/GO-2024-2611](https://pkg.go.dev/vuln/GO-2024-2611)

This data is provided by
[OSV](https://osv.dev/vulnerability/GHSA-8r3f-844c-mc37) and the [GitHub
Advisory Database](https://togithub.com/github/advisory-database)
([CC-BY
4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### Release Notes

<details>
<summary>protocolbuffers/protobuf-go
(google.golang.org/protobuf)</summary>

###
[`v1.33.0`](https://togithub.com/protocolbuffers/protobuf-go/compare/v1.32.0...v1.33.0)

[Compare
Source](https://togithub.com/protocolbuffers/protobuf-go/compare/v1.32.0...v1.33.0)

###
[`v1.32.0`](https://togithub.com/protocolbuffers/protobuf-go/releases/tag/v1.32.0)

[Compare
Source](https://togithub.com/protocolbuffers/protobuf-go/compare/v1.31.0...v1.32.0)

**Full Changelog**:
protocolbuffers/protobuf-go@v1.31.0...v1.32.0

This release contains commit
protocolbuffers/protobuf-go@bfcd647,
which fixes a denial of service vulnerability by preventing a stack
overflow through a default maximum recursion limit. See
[golang/protobuf#1583
and
[golang/protobuf#1584
for details.

###
[`v1.31.0`](https://togithub.com/protocolbuffers/protobuf-go/releases/tag/v1.31.0)

[Compare
Source](https://togithub.com/protocolbuffers/protobuf-go/compare/v1.30.0...v1.31.0)

##### Notable changes <a name="v1.31-notable-changes"></a>

**New Features**

-   [CL/489316](https://go.dev/cl/489316): types/dynamicpb: add NewTypes
- Add a function to construct a dynamic type registry from a
protoregistry.Files
- [CL/489615](https://go.dev/cl/489615): encoding: add MarshalAppend to
protojson and prototext

**Minor performance improvements**

- [CL/491596](https://go.dev/cl/491596): encoding/protodelim: If
UnmarshalFrom gets a bufio.Reader, try to reuse its buffer instead of
creating a new one
- [CL/500695](https://go.dev/cl/500695): proto: store the size of tag to
avoid multiple calculations

**Bug fixes**

- [CL/497935](https://go.dev/cl/497935): internal/order: fix sorting of
synthetic oneofs to be deterministic
- [CL/505555](https://go.dev/cl/505555): encoding/protodelim: fix
handling of io.EOF

</details>

---

### Configuration

đź“… **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no
schedule defined).

🚦 **Automerge**: Enabled.

â™» **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/DelineaXPM/terraform-provider-dsv).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4yMzAuMCIsInVwZGF0ZWRJblZlciI6IjM3LjI2OS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
  • Loading branch information
@renovate
renovate[bot] committed Mar 28, 2024
1 parent 33eaf23 commit 65ae74d
Show file tree
Hide file tree
Showing 64 changed files with 4,161 additions and 1,135 deletions.
2 changes: 1 addition & 1 deletion go.mod
View file
Expand Up @@ -28,7 +28,7 @@ require (
github.com/vmihailenco/msgpack/v4 v4.3.12 // indirect
github.com/vmihailenco/tagparser v0.1.2 // indirect
golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
google.golang.org/protobuf v1.30.0 // indirect
google.golang.org/protobuf v1.33.0 // indirect
mvdan.cc/sh/v3 v3.6.0 // indirect
)

Expand Down
4 changes: 2 additions & 2 deletions go.sum
View file
Expand Up @@ -1225,8 +1225,8 @@ google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQ
google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
google.golang.org/protobuf v1.30.0 h1:kPPoIgf3TsEvrm0PFe15JQ+570QVxYzEvvHqChK+cng=
google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=
google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
Expand Down
38 changes: 29 additions & 9 deletions vendor/google.golang.org/protobuf/encoding/protojson/decode.go
View file

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion vendor/google.golang.org/protobuf/encoding/protojson/doc.go
View file

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

53 changes: 44 additions & 9 deletions vendor/google.golang.org/protobuf/encoding/protojson/encode.go
View file

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

59 changes: 20 additions & 39 deletions vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go
View file

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

8 changes: 5 additions & 3 deletions vendor/google.golang.org/protobuf/encoding/prototext/decode.go
View file

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

0 comments on commit 65ae74d

Please sign in to comment.