Skip to content

Commit

Permalink
security(deps): update 🛡️ google.golang.org/protobuf to v1.33.0 [secu…
Browse files Browse the repository at this point in the history
…rity] (#116)

[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
|
[google.golang.org/protobuf](https://togithub.com/protocolbuffers/protobuf-go)
| `v1.31.0` -> `v1.33.0` |
[![age](https://developer.mend.io/api/mc/badges/age/go/google.golang.org%2fprotobuf/v1.33.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/go/google.golang.org%2fprotobuf/v1.33.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/go/google.golang.org%2fprotobuf/v1.31.0/v1.33.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/go/google.golang.org%2fprotobuf/v1.31.0/v1.33.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

### GitHub Vulnerability Alerts

#### [CVE-2024-24786](https://nvd.nist.gov/vuln/detail/CVE-2024-24786)

The protojson.Unmarshal function can enter an infinite loop when
unmarshaling certain forms of invalid JSON. This condition can occur
when unmarshaling into a message which contains a google.protobuf.Any
value, or when the UnmarshalOptions.DiscardUnknown option is set.

---

### Golang protojson.Unmarshal function infinite loop when unmarshaling
certain forms of invalid JSON
[CVE-2024-24786](https://nvd.nist.gov/vuln/detail/CVE-2024-24786) /
[GHSA-8r3f-844c-mc37](https://togithub.com/advisories/GHSA-8r3f-844c-mc37)
/ [GO-2024-2611](https://pkg.go.dev/vuln/GO-2024-2611)

<details>
<summary>More information</summary>

#### Details
The protojson.Unmarshal function can enter an infinite loop when
unmarshaling certain forms of invalid JSON. This condition can occur
when unmarshaling into a message which contains a google.protobuf.Any
value, or when the UnmarshalOptions.DiscardUnknown option is set.

#### Severity
Moderate

#### References
-
[https://nvd.nist.gov/vuln/detail/CVE-2024-24786](https://nvd.nist.gov/vuln/detail/CVE-2024-24786)
-
[https://github.com/protocolbuffers/protobuf-go/commit/f01a588e5810b90996452eec4a28f22a0afae023](https://togithub.com/protocolbuffers/protobuf-go/commit/f01a588e5810b90996452eec4a28f22a0afae023)
-
[https://github.com/protocolbuffers/protobuf-go](https://togithub.com/protocolbuffers/protobuf-go)
-
[https://github.com/protocolbuffers/protobuf-go/releases/tag/v1.33.0](https://togithub.com/protocolbuffers/protobuf-go/releases/tag/v1.33.0)
- [https://go.dev/cl/569356](https://go.dev/cl/569356)
-
[https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDMBHAVSDU2FBDZ45U3A2VLSM35OJ2HU](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDMBHAVSDU2FBDZ45U3A2VLSM35OJ2HU)
-
[https://pkg.go.dev/vuln/GO-2024-2611](https://pkg.go.dev/vuln/GO-2024-2611)

This data is provided by
[OSV](https://osv.dev/vulnerability/GHSA-8r3f-844c-mc37) and the [GitHub
Advisory Database](https://togithub.com/github/advisory-database)
([CC-BY
4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### Infinite loop in JSON unmarshaling in google.golang.org/protobuf
[CVE-2024-24786](https://nvd.nist.gov/vuln/detail/CVE-2024-24786) /
[GHSA-8r3f-844c-mc37](https://togithub.com/advisories/GHSA-8r3f-844c-mc37)
/ [GO-2024-2611](https://pkg.go.dev/vuln/GO-2024-2611)

<details>
<summary>More information</summary>

#### Details
The protojson.Unmarshal function can enter an infinite loop when
unmarshaling certain forms of invalid JSON. This condition can occur
when unmarshaling into a message which contains a google.protobuf.Any
value, or when the UnmarshalOptions.DiscardUnknown option is set.

#### Severity
Unknown

#### References
- [https://go.dev/cl/569356](https://go.dev/cl/569356)

This data is provided by
[OSV](https://osv.dev/vulnerability/GO-2024-2611) and the [Go
Vulnerability Database](https://togithub.com/golang/vulndb) ([CC-BY
4.0](https://togithub.com/golang/vulndb#license)).
</details>

---

### Release Notes

<details>
<summary>protocolbuffers/protobuf-go
(google.golang.org/protobuf)</summary>

###
[`v1.33.0`](https://togithub.com/protocolbuffers/protobuf-go/compare/v1.32.0...v1.33.0)

[Compare
Source](https://togithub.com/protocolbuffers/protobuf-go/compare/v1.32.0...v1.33.0)

###
[`v1.32.0`](https://togithub.com/protocolbuffers/protobuf-go/releases/tag/v1.32.0)

[Compare
Source](https://togithub.com/protocolbuffers/protobuf-go/compare/v1.31.0...v1.32.0)

**Full Changelog**:
protocolbuffers/protobuf-go@v1.31.0...v1.32.0

This release contains commit
protocolbuffers/protobuf-go@bfcd647,
which fixes a denial of service vulnerability by preventing a stack
overflow through a default maximum recursion limit. See
[https://github.com/golang/protobuf/issues/1583](https://togithub.com/golang/protobuf/issues/1583)
and
[https://github.com/golang/protobuf/issues/1584](https://togithub.com/golang/protobuf/issues/1584)
for details.

</details>

---

### Configuration

đź“… **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no
schedule defined).

🚦 **Automerge**: Enabled.

â™» **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/DelineaXPM/dsv-k8s).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4yMzAuMCIsInVwZGF0ZWRJblZlciI6IjM3LjI2OS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
  • Loading branch information
renovate[bot] authored Mar 26, 2024
1 parent 695a295 commit 56aca69
Show file tree
Hide file tree
Showing 2 changed files with 3 additions and 3 deletions.
2 changes: 1 addition & 1 deletion go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -63,7 +63,7 @@ require (
golang.org/x/text v0.14.0 // indirect
golang.org/x/time v0.3.0 // indirect
google.golang.org/appengine v1.6.7 // indirect
google.golang.org/protobuf v1.31.0 // indirect
google.golang.org/protobuf v1.33.0 // indirect
gopkg.in/inf.v0 v0.9.1 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
Expand Down
4 changes: 2 additions & 2 deletions go.sum
Original file line number Diff line number Diff line change
Expand Up @@ -268,8 +268,8 @@ google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6
google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8=
google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=
google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
Expand Down

0 comments on commit 56aca69

Please sign in to comment.