Guest24897
/
DockerCLI
mirror of https://github.com/docker/cli.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
9,744 Commits 11 Branches 241 Tags 240 MiB
Commit Graph

5 Commits

Author SHA1 Message Date
Sebastiaan van Stijn a4a79d75c0
vendor: google.golang.org/protobuf v1.33.0, github.com/golang/protobuf v1.5.4 
full diffs:

- https://github.com/protocolbuffers/protobuf-go/compare/v1.31.0...v1.33.0
- https://github.com/golang/protobuf/compare/v1.5.3...v1.5.4

From the Go security announcement list;

> Version v1.33.0 of the google.golang.org/protobuf module fixes a bug in
> the google.golang.org/protobuf/encoding/protojson package which could cause
> the Unmarshal function to enter an infinite loop when handling some invalid
> inputs.
>
> This condition could only occur when unmarshaling into a message which contains
> a google.protobuf.Any value, or when the UnmarshalOptions.UnmarshalUnknown
> option is set. Unmarshal now correctly returns an error when handling these
> inputs.
>
> This is CVE-2024-24786.

In a follow-up post;

> A small correction: This vulnerability applies when the UnmarshalOptions.DiscardUnknown
> option is set (as well as when unmarshaling into any message which contains a
> google.protobuf.Any). There is no UnmarshalUnknown option.
>
> In addition, version 1.33.0 of google.golang.org/protobuf inadvertently
> introduced an incompatibility with the older github.com/golang/protobuf
> module. (https://github.com/golang/protobuf/issues/1596) Users of the older
> module should update to github.com/golang/protobuf@v1.5.4.

govulncheck results in our code shows that this does not affect the CLI:

    govulncheck ./...
    Scanning your code and 448 packages across 72 dependent modules for known vulnerabilities...

    === Symbol Results ===

    No vulnerabilities found.

    Your code is affected by 0 vulnerabilities.
    This scan also found 1 vulnerability in packages you import and 0
    vulnerabilities in modules you require, but your code doesn't appear to call
    these vulnerabilities.
    Use '-show verbose' for more details.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
 2024-03-16 16:41:42 +01:00
Sebastiaan van Stijn c1d0657029
vendor: github.com/golang/protobuf v1.5.3 
- jsonpb: accept 'null' as a valid representation of NullValue in unmarshal
  The canonical JSON representation for NullValue is JSON "null".

full diff: https://github.com/golang/protobuf/compare/v1.5.2...v1.5.3

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
 2023-07-20 00:20:03 +02:00
Sebastiaan van Stijn 86038fdb68
vendor: github.com/containerd/containerd v1.6.10 
full diff: https://github.com/containerd/containerd/compare/v1.6.8...v1.6.10

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
 2022-11-16 16:32:17 +01:00
Sebastiaan van Stijn 711334e9a4
vendor: github.com/moby/buildkit 9f254e18360a24c2ae47b26f772c3c89533bcbb7 (master / v0.9.0-dev) 
full diff: 8142d66b5e...9f254e1836

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
 2021-06-22 12:12:03 +02:00
Sebastiaan van Stijn 9a0a071d55 vendor: buildkit v0.8.0-rc2, docker 
diffs:

- full diff: af34b94a78...6c0a036dce
- full diff: 4d1f260e84...v0.8.0-rc2

New dependencies:

- go.opencensus.io v0.22.3
- github.com/containerd/typeurl v1.0.1
- github.com/golang/groupcache 869f871628b6baa9cfbc11732cdf6546b17c1298

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
 2020-12-02 21:01:12 +00:00