Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

chore(deps): update module google.golang.org/protobuf to v1.33.0 [security] #2258

Merged
merged 1 commit into from
Mar 14, 2024
Merged

chore(deps): update module google.golang.org/protobuf to v1.33.0 [security] #2258

merged 1 commit into from
Mar 14, 2024

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Mar 14, 2024

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
google.golang.org/protobuf v1.31.0 -> v1.33.0 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2024-24786

The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.

Release Notes

protocolbuffers/protobuf-go (google.golang.org/protobuf)

v1.33.0

Compare Source

v1.32.0

Compare Source

Full Changelog: protocolbuffers/protobuf-go@v1.31.0...v1.32.0

This release contains commit protocolbuffers/protobuf-go@bfcd647, which fixes a denial of service vulnerability by preventing a stack overflow through a default maximum recursion limit. See https://github.com/golang/protobuf/issues/1583 and https://github.com/golang/protobuf/issues/1584 for details.

Configuration

📅 Schedule: Branch creation - "" in timezone UTC, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate
chore(deps): update module google.golang.org/protobuf to v1.33.0 [sec…
6d6d5b7 
…urity]

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@renovate renovate bot added dependencies Pull requests that update a dependency file security labels Mar 14, 2024
mtrmac
mtrmac reviewed Mar 14, 2024
View reviewed changes
Copy link
Contributor

@mtrmac mtrmac left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, but do not merge without coordinating in #2257.

@mtrmac mtrmac mentioned this pull request Mar 14, 2024
Merged
@TomSweeneyRedHat
Copy link
Member

@mtrmac Please do merge this and I'll rebase #2257 on top of it.

@mtrmac mtrmac merged commit dc50757 into main Mar 14, 2024
24 checks passed
@mtrmac
Copy link
Contributor

mtrmac commented Mar 14, 2024

@TomSweeneyRedHat done

@renovate renovate bot deleted the renovate/go-google.golang.org/protobuf-vulnerability branch March 14, 2024 19:41
@TomSweeneyRedHat
Copy link
Member

Addresses https://issues.redhat.com/browse/RHEL-40849 CVE-2024-24786

@stale-locking-app stale-locking-app bot locked as resolved and limited conversation to collaborators Sep 11, 2024
# for free to subscribe to this conversation on GitHub. Already have an account? #.
Reviewers

@mtrmac mtrmac mtrmac approved these changes

Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file locked - please file new issue/PR security
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@TomSweeneyRedHat @mtrmac