mirror of https://github.com/docker/cli.git
a4a79d75c0
full diffs:

- https://github.com/protocolbuffers/protobuf-go/compare/v1.31.0...v1.33.0
- https://github.com/golang/protobuf/compare/v1.5.3...v1.5.4

From the Go security announcement list;

> Version v1.33.0 of the google.golang.org/protobuf module fixes a bug in
> the google.golang.org/protobuf/encoding/protojson package which could cause
> the Unmarshal function to enter an infinite loop when handling some invalid
> inputs.
>
> This condition could only occur when unmarshaling into a message which contains
> a google.protobuf.Any value, or when the UnmarshalOptions.UnmarshalUnknown
> option is set. Unmarshal now correctly returns an error when handling these
> inputs.
>
> This is CVE-2024-24786.

In a follow-up post;

> A small correction: This vulnerability applies when the UnmarshalOptions.DiscardUnknown
> option is set (as well as when unmarshaling into any message which contains a
> google.protobuf.Any). There is no UnmarshalUnknown option.
>
> In addition, version 1.33.0 of google.golang.org/protobuf inadvertently
> introduced an incompatibility with the older github.com/golang/protobuf
> module. (https://github.com/golang/protobuf/issues/1596) Users of the older
> module should update to github.com/golang/protobuf@v1.5.4.

govulncheck results in our code show that this does not affect the CLI:

    govulncheck ./...
    Scanning your code and 448 packages across 72 dependent modules for known vulnerabilities...

    === Symbol Results ===

    No vulnerabilities found.

    Your code is affected by 0 vulnerabilities.
    This scan also found 1 vulnerability in packages you import and 0 vulnerabilities in modules you require, but your code doesn't appear to call these vulnerabilities.
    Use '-show verbose' for more details.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

||
---|---|---|
api_export.go | ||
checkinit.go | ||
codec_extension.go | ||
codec_field.go | ||
codec_gen.go | ||
codec_map.go | ||
codec_map_go111.go | ||
codec_map_go112.go | ||
codec_message.go | ||
codec_messageset.go | ||
codec_reflect.go | ||
codec_tables.go | ||
codec_unsafe.go | ||
convert.go | ||
convert_list.go | ||
convert_map.go | ||
decode.go | ||
encode.go | ||
enum.go | ||
extension.go | ||
legacy_enum.go | ||
legacy_export.go | ||
legacy_extension.go | ||
legacy_file.go | ||
legacy_message.go | ||
merge.go | ||
merge_gen.go | ||
message.go | ||
message_reflect.go | ||
message_reflect_field.go | ||
message_reflect_gen.go | ||
pointer_reflect.go | ||
pointer_unsafe.go | ||
validate.go | ||
weak.go |