Commit Graph

4 Commits

Author SHA1 Message Date
Sebastiaan van Stijn 5cbb4ca191
vendor: google.golang.org/protobuf v1.34.1
full diff: https://github.com/protocolbuffers/protobuf-go/compare/v1.33.0...v1.34.1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 200225f530)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-10-14 13:31:11 +02:00
Sebastiaan van Stijn a4a79d75c0
vendor: google.golang.org/protobuf v1.33.0, github.com/golang/protobuf v1.5.4
full diffs:

- https://github.com/protocolbuffers/protobuf-go/compare/v1.31.0...v1.33.0
- https://github.com/golang/protobuf/compare/v1.5.3...v1.5.4

From the Go security announcement list;

> Version v1.33.0 of the google.golang.org/protobuf module fixes a bug in
> the google.golang.org/protobuf/encoding/protojson package which could cause
> the Unmarshal function to enter an infinite loop when handling some invalid
> inputs.
>
> This condition could only occur when unmarshaling into a message which contains
> a google.protobuf.Any value, or when the UnmarshalOptions.UnmarshalUnknown
> option is set. Unmarshal now correctly returns an error when handling these
> inputs.
>
> This is CVE-2024-24786.

In a follow-up post;

> A small correction: This vulnerability applies when the UnmarshalOptions.DiscardUnknown
> option is set (as well as when unmarshaling into any message which contains a
> google.protobuf.Any). There is no UnmarshalUnknown option.
>
> In addition, version 1.33.0 of google.golang.org/protobuf inadvertently
> introduced an incompatibility with the older github.com/golang/protobuf
> module. (https://github.com/golang/protobuf/issues/1596) Users of the older
> module should update to github.com/golang/protobuf@v1.5.4.

govulncheck results in our code shows that this does not affect the CLI:

    govulncheck ./...
    Scanning your code and 448 packages across 72 dependent modules for known vulnerabilities...

    === Symbol Results ===

    No vulnerabilities found.

    Your code is affected by 0 vulnerabilities.
    This scan also found 1 vulnerability in packages you import and 0
    vulnerabilities in modules you require, but your code doesn't appear to call
    these vulnerabilities.
    Use '-show verbose' for more details.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-03-16 16:41:42 +01:00
Sebastiaan van Stijn a51ce7ca9a
go.mod: github.com/google/certificate-transparency-go v1.1.4
Manually updating the indirect dependency to force go.etcd.io/etcd/server/v3
to v3.5.5 or up, which is now compatible with go.opentelemetry.io/otel v1.0.0.

With this, we can remove the replace rule for this module.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-11-21 21:13:58 +01:00
Sebastiaan van Stijn 2ef71e502c
vendor: genproto 8816d57aaa9a, google.golang.org/protobuf v1.26.0, github.com/golang/protobuf v1.5.2
- full diff: 3f1135a288...8816d57aaa
- google.golang.org/protobuf is the new name for this package, and to use both,
  we also need the old github.com/golang/protobuf updated to v1.4.0 or above.
- github.com/golang/protobuf v1.5.2: full diff: https://github.com/golang/protobuf/compare/v1.3.5...v1.5.2

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-08-12 17:02:16 +02:00