
[release-1.14] Bump google.golang.org/protobuf to v1.33.0 #2260


TomSweeneyRedHat
Member

As the title says. Addresses CVE-2024-24786.

https://issues.redhat.com/browse/RHEL-28226
https://issues.redhat.com/browse/RHEL-28235

[NO NEW TESTS NEEDED]

Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
Contributor

@mtrmac mtrmac left a comment


The mechanism of the update LGTM. Thanks!

From a <5-minute check, it is possible that the codebase only ever invokes the marshal, not unmarshal, implementation of JSON. OTOH I can’t spend much time analyzing this right now; I’m not familiar with these subpackages; and updating is certainly the safer way to eliminate the vulnerability with fewer questions asked.

Feel free to merge after this passes tests — unless the benefits of looking deeper and possibly avoiding the update were significant.

@TomSweeneyRedHat
Member Author

Thanks @mtrmac, I've always leaned towards the better safe than sorry bit on these kinds of things. I'll push it through once happy.

@TomSweeneyRedHat TomSweeneyRedHat merged commit d0a0f1a into containers:release-1.14 Mar 15, 2024
22 checks passed
@TomSweeneyRedHat TomSweeneyRedHat deleted the dev/tsweeney/protobuf_1.33 branch March 15, 2024 23:50

@stale-locking-app stale-locking-app bot locked as resolved and limited conversation to collaborators Sep 11, 2024