mirror of https://github.com/docker/cli.git
a4a79d75c0
full diffs: - https://github.com/protocolbuffers/protobuf-go/compare/v1.31.0...v1.33.0 - https://github.com/golang/protobuf/compare/v1.5.3...v1.5.4 From the Go security announcement list; > Version v1.33.0 of the google.golang.org/protobuf module fixes a bug in > the google.golang.org/protobuf/encoding/protojson package which could cause > the Unmarshal function to enter an infinite loop when handling some invalid > inputs. > > This condition could only occur when unmarshaling into a message which contains > a google.protobuf.Any value, or when the UnmarshalOptions.UnmarshalUnknown > option is set. Unmarshal now correctly returns an error when handling these > inputs. > > This is CVE-2024-24786. In a follow-up post; > A small correction: This vulnerability applies when the UnmarshalOptions.DiscardUnknown > option is set (as well as when unmarshaling into any message which contains a > google.protobuf.Any). There is no UnmarshalUnknown option. > > In addition, version 1.33.0 of google.golang.org/protobuf inadvertently > introduced an incompatibility with the older github.com/golang/protobuf > module. (https://github.com/golang/protobuf/issues/1596) Users of the older > module should update to github.com/golang/protobuf@v1.5.4. govulncheck results in our code shows that this does not affect the CLI: govulncheck ./... Scanning your code and 448 packages across 72 dependent modules for known vulnerabilities... === Symbol Results === No vulnerabilities found. Your code is affected by 0 vulnerabilities. This scan also found 1 vulnerability in packages you import and 0 vulnerabilities in modules you require, but your code doesn't appear to call these vulnerabilities. Use '-show verbose' for more details. Signed-off-by: Sebastiaan van Stijn <github@gone.nl> |
||
|---|---|---|
| .. | ||
| api_export.go | ||
| checkinit.go | ||
| codec_extension.go | ||
| codec_field.go | ||
| codec_gen.go | ||
| codec_map.go | ||
| codec_map_go111.go | ||
| codec_map_go112.go | ||
| codec_message.go | ||
| codec_messageset.go | ||
| codec_reflect.go | ||
| codec_tables.go | ||
| codec_unsafe.go | ||
| convert.go | ||
| convert_list.go | ||
| convert_map.go | ||
| decode.go | ||
| encode.go | ||
| enum.go | ||
| extension.go | ||
| legacy_enum.go | ||
| legacy_export.go | ||
| legacy_extension.go | ||
| legacy_file.go | ||
| legacy_message.go | ||
| merge.go | ||
| merge_gen.go | ||
| message.go | ||
| message_reflect.go | ||
| message_reflect_field.go | ||
| message_reflect_gen.go | ||
| pointer_reflect.go | ||
| pointer_unsafe.go | ||
| validate.go | ||
| weak.go | ||