Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

build(deps): update module github.com/go-resty/resty/v2 to v2.11.0 [security] #479

Merged
merged 1 commit into from
Jan 9, 2024
Merged

build(deps): update module github.com/go-resty/resty/v2 to v2.11.0 [security] #479

merged 1 commit into from
Jan 9, 2024

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Jan 8, 2024

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
github.com/go-resty/resty/v2 v2.10.0 -> v2.11.0 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2023-45286

A race condition in go-resty can result in HTTP request body disclosure across requests.

This condition can be triggered by calling sync.Pool.Put with the same *bytes.Buffer more than once, when request retries are enabled and a retry occurs. The call to sync.Pool.Get will then return a bytes.Buffer that hasn't had bytes.Buffer.Reset called on it. This dirty buffer will contain the HTTP request body from an unrelated request, and go-resty will append the current HTTP request body to it, sending two bodies in one request.

The sync.Pool in question is defined at package level scope, so a completely unrelated server could receive the request body.

Release Notes

go-resty/resty (github.com/go-resty/resty/v2)

v2.11.0: Release

Compare Source

Release Notes

Bug Fixes

New Contributors

Full Changelog: go-resty/resty@v2.10.0...v2.11.0

Configuration

📅 Schedule: Branch creation - "" in timezone Asia/Shanghai, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot added the dependencies Pull requests that update a dependency file label Jan 8, 2024
@renovate renovate bot assigned trim21 Jan 8, 2024
@trim21 trim21 merged commit 0707d38 into master Jan 9, 2024
4 checks passed
@trim21 trim21 deleted the renovate/go-github.heygears.com/go-resty/resty/v2-vulnerability branch January 9, 2024 04:31
RanKKI pushed a commit to RanKKI/BangumiServer that referenced this pull request Jan 11, 2024
@renovate @RanKKI
build(deps): update module github.com/go-resty/resty/v2 to v2.11.0 [s…
c97cb4c 
…ecurity] (bangumi#479)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
# for free to join this conversation on GitHub. Already have an account? # to comment
Reviewers
No reviews
Assignees

@trim21 trim21

Labels
dependencies Pull requests that update a dependency file size/XS
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@trim21