
chore(deps): update module github.com/cloudevents/sdk-go/v2 to v2.15.2 [security] #237

Open
wants to merge 1 commit into base: main

Conversation

renovate-bot
Contributor

Mend Renovate

This PR contains the following updates:

Package: github.com/cloudevents/sdk-go/v2
Change: v2.14.0 -> v2.15.2

GitHub Vulnerability Alerts

CVE-2024-28110

Impact

What kind of vulnerability is it? Who is impacted?
Using cloudevents.WithRoundTripper to create a cloudevents.Client with an authenticated http.RoundTripper causes the go-sdk to leak credentials to arbitrary endpoints.

The relevant code is here (also inline, emphasis added):

if p.Client == nil {
  p.Client = **http.DefaultClient**
}

if p.roundTripper != nil {
  p.Client.**Transport = p.roundTripper**
}

When the transport is populated with an authenticated transport such as:

... then http.DefaultClient is modified with the authenticated transport and will start to send Authorization tokens to any endpoint it is used to contact!

Found and patched by: @tcnghia and @mattmoor

Patches

v2.15.2


Release Notes

cloudevents/sdk-go (github.com/cloudevents/sdk-go/v2)

v2.15.2


What's Changed
  • Patch for a potential security issue. See CVE-2024-28110.
  • Note: this could be a breaking change for people if they purposely change golang's HTTP DefaultClient, or change the CloudEvents Client returned from NewClient, and expect those changes to be visible on other HTTP flows using those Clients. E.g. auth

Full Changelog: cloudevents/sdk-go@v2.15.1...v2.15.2

v2.15.1


What's Changed

New Contributors

Full Changelog: cloudevents/sdk-go@v2.15.0...v2.15.1

v2.15.0


Highlights 💫

This release includes various updates and improvements such as README enhancements, dependency bumps, bug fixes, race condition resolutions, and protocol-related adjustments. Notable changes involve upgrading dependencies like grpc and go.opentelemetry, addressing race conditions, fixing Kafka test issues, and introducing new features like binary content mode for NATS and JetStream protocols. Additionally, there are governance documentation updates, link corrections, and improvements in error handling and documentation across different modules.

Breaking 🚨

The Kafka Sarama protocol now uses the "github.com/IBM/sarama" Go module import path.

Commits 📄

896e1d0 Update README.md
75ec0f2 Bump actions/setup-go from 4 to 5
41e80f7 fixed a couple of issues
9ccd339 bugfix_value_type_of_dataschema
c8cbca9 adds unique package name for import
f1bca09 relative .pb.go generation, go_package set to package name
c20eef2 bump the paho mqtt to v0.12
ed7be6b Add WithCustomAttributes for PubSub
be31358 returning the error when doing a nack in the message
ecead5c Make a few comments a bit clearer
57be3cd Try to make sure the Receiver starts before we send events
f5c7061 Try to fix race again - don't reuse clients for sender/receiver
8bea925 Bump google.golang.org/grpc from 1.56.1 to 1.56.3 in /samples/http
fa6be00 Bump google.golang.org/grpc from 1.56.1 to 1.56.3 in /protocol/pubsub/v2
7e05ecd Bump google.golang.org/grpc from 1.56.1 to 1.56.3 in /samples/pubsub
13825ba Sleep less to avoid timeouts
3162d69 Bump github.com/nats-io/nats-server/v2 in /protocol/stan/v2
ec8b0f9 deps: update nats dependencies
dae9f6c Bump go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp
1d6360b Bump go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp
06658a2 Bump go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp
7c1a3b1 fix race
6f5984b Move to go 1.18 Had to run gofmt and fix some weird typos due to tabs in the comments
0a006bb Fix race condition in kafka tests
510b002 issue 814 - Add binary content mode for NATS and JetStream protocols
ac3d30c add link to our security mailing list
9405398 Bump golang.org/x/net in /observability/opencensus/v2
3cbfae0 Bump golang.org/x/net from 0.9.0 to 0.17.0 in /protocol/pubsub/v2
65eb52e Bump golang.org/x/net from 0.12.0 to 0.17.0 in /protocol/kafka_sarama/v2
d25d6e4 Bump golang.org/x/net from 0.9.0 to 0.17.0 in /samples/pubsub
e4653a8 Bump golang.org/x/net from 0.12.0 to 0.17.0 in /test/conformance
6ed9f79 Bump golang.org/x/net from 0.9.0 to 0.17.0 in /samples/http
6a3393c Bump golang.org/x/net from 0.7.0 to 0.17.0 in /test/benchmark
806ef35 Bump golang.org/x/net from 0.12.0 to 0.17.0 in /samples/kafka
de13f1b Bump golang.org/x/net from 0.12.0 to 0.17.0 in /test/integration
3eefeb1 Governance docs per CE PR 1226
1bcaa28 Update links to cloudevents spec
6aa2742 context.Done() may never reach if waiting on r.incoming <- msgErr
4bcddda move it to write message
d06aea7 clean the previous properties
0cc4fba Bump actions/checkout from 3 to 4
f1c0d0a change dependency sarama from Shopify to IBM
f84be73 Updated based on feedback
310da90 Support ACK when receiving malformed events
808bf38 provide the qos and retain configuration for mqtt protocol
e085f1a correct the doc links
766b88e remove the usage of deprecated io/ioutil package
e15d03d add assertion helper for extension keys (#920)
c1482af append mqtt to the doc of protocol binding (#919)
ff22db5 Bump andstor/file-existence-action from 1 to 2 (#917)
bf156f1 call finish on unused messages; tidy retry logic
fdcb2d2 mqtt protocol binding (#910)
f681ac6 Bump grpc dependencies and workflow versions (#914)
c684ae9 vote to add embano1 as a maintainer
50b18a0 Bump golang.org/x/crypto in /samples/http (#902)
5232986 http: Fixes for Gin http receiver sample (#905)
9970acc Added a Gin http receiver sample (#842)
b7a65db add kafka topic/partition/offset to the extension of event (#896)
bc9170f Short-circuit AND expressions (#899)
eae656f Bump nokogiri from 1.14.2 to 1.14.3 in /docs (#891)
ff0a142 fix: Fixing syntax errors and add some test feedback (#892)
55e5dba Update RELEASING to be more explicit


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Mend Renovate. View repository job log here.
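To make the advisory's description concrete, here is an added example (not the SDK's own code) that mirrors the quoted snippet in a hypothetical `protocol` struct, routes every request through a constructed fake `RoundTripper` so nothing leaves the host, and contrasts the pre-v2.15.2 logic with a variant that gives the protocol its own client. The `bearerTransport`, `wire`, `apply` and `Demo` names and the `SECRET` token are assumptions of the example.

```go
package main

import "net/http"

// Hypothetical stand-in for the two SDK fields quoted in the advisory.
type protocol struct{ Client *http.Client; roundTripper http.RoundTripper }
// bearerTransport is the "authenticated transport": it adds the token to every request.
type bearerTransport struct{ token string; next http.RoundTripper }

func (b *bearerTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	req = req.Clone(req.Context())
	req.Header.Set("Authorization", "Bearer "+b.token)
	return b.next.RoundTrip(req)
}
// wire is a constructed fake network: it records each request's Authorization
// header and answers 200 without opening a socket.
type wire struct{ seenAuth []string }

func (w *wire) RoundTrip(req *http.Request) (*http.Response, error) {
	w.seenAuth = append(w.seenAuth, req.Header.Get("Authorization"))
	return &http.Response{StatusCode: 200, Header: http.Header{}, Body: http.NoBody, Request: req}, nil
}
// apply installs the round tripper. fixed=false is the pre-v2.15.2 logic quoted in the
// advisory (rewriting the shared http.DefaultClient's Transport in place); fixed=true
// gives the protocol its own *http.Client and leaves the global untouched.
func apply(p *protocol, fixed bool) {
	if p.Client == nil && fixed {
		p.Client = &http.Client{}
	} else if p.Client == nil {
		p.Client = http.DefaultClient
	}
	if p.roundTripper != nil {
		p.Client.Transport = p.roundTripper
	}
}

// Demo sends one SDK-style request, then an unrelated request through http.DefaultClient
// as any other code in the process would, and returns the Authorization header the fake
// network saw on each; entry [1] is the leak check.
func Demo(fixed bool) []string {
	fake := &wire{}
	saved := http.DefaultClient.Transport
	http.DefaultClient.Transport = fake // constructed baseline so nothing leaves the host
	defer func() { http.DefaultClient.Transport = saved }()
	p := &protocol{roundTripper: &bearerTransport{token: "SECRET", next: fake}}
	apply(p, fixed)
	for _, c := range []*http.Client{p.Client, http.DefaultClient} {
		if r, err := c.Get("http://endpoint.invalid/"); err == nil {
			r.Body.Close()
		}
	}
	return fake.seenAuth
}
```

`Demo(false)` shows the token on both calls, `Demo(true)` only on the SDK's own call, which is the behavioural difference the release note's breaking-change warning refers to.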

@renovate-bot renovate-bot force-pushed the renovate/go-github.com/cloudevents/sdk-go/v2-vulnerability branch from 344a1cc to 935a550 Compare April 29, 2024 21:03
@jasonneurohr-stake

@janell-chen Any ETA on sorting this out?
