Fix SQL Injection via placeholder confusion with dollar quoted string literals (GHSA-j88v-2chj-qfwx)

SQL injection can occur when:

1. The non-default simple protocol is used.
2. A dollar quoted string literal is used in the SQL query.
3. That query contains text that would be would be interpreted outside as a placeholder outside of a string literal.
4. The value of that placeholder is controllable by the attacker.

e.g.

attackValue := `$tag$; drop table canary; --`
_, err = tx.Exec(ctx, `select $tag$ $1 $tag$, $1`, pgx.QueryExecModeSimpleProtocol, attackValue)

This is unlikely to occur outside of a contrived scenario.

v1.4.2

This is the second patch release of the 1.4.z release series of runc.

Fixed

• A regression in runc v1.3.0 which can result in a stuck runc exec or
  runc run when the container process runs for a short time. (a SIGCHLD race in signal handler setup (regression since runc 1.3.0) opencontainers/runc#5208,
  Fix SIGCHLD race in signal handler setup opencontainers/runc#5210, [1.4] Fix SIGCHLD race in signal handler setup opencontainers/runc#5216)

• Mount sources that need to be open on the host are now closed earlier during
  container start, reducing the total amount of used file descriptors and
  helping to avoid hitting the open files limit when handling many such mounts.
  (libct: close the mount source fd ASAP! opencontainers/runc#5177, [1.4] libct: close the mount source fd ASAP! opencontainers/runc#5201)

Static Linking Notices

The runc binary distributed with this release are statically linked with
the following GNU LGPL-2.1 licensed libraries, with runc acting
as a "work that uses the Library":

• libseccomp

The versions of these libraries were not modified from their upstream versions,
but in order to comply with the LGPL-2.1 (§6(a)), we have attached the
complete source code for those libraries which (when combined with the attached
runc source code) may be used to exercise your rights under the LGPL-2.1.

However we strongly suggest that you make use of your distribution's packages
or download them from the authoritative upstream sources, especially since
these libraries are related to the security of your containers.

Thanks to the following contributors for making this release possible:

• Ayato Tokubi atokubi@redhat.com
• Akihiro Suda akihiro.suda.cz@hco.ntt.co.jp
• Aleksa Sarai cyphar@cyphar.com
• Kir Kolyshkin kolyshkin@gmail.com
• Li Fubang lifubang@acmcoder.com
• Rodrigo Campos Catelin rodrigo@amutable.com

Signed-off-by: Kir Kolyshkin kolyshkin@gmail.com

v1.3.5

This is the fifth patch release of the 1.3.z release series of runc,
and primarily contains a few fixes for issues found in 1.3.4.

Fixed

• Recursive atime-related mount flags (rrelatime et al.) are now applied
  properly. ([1.3] libct/specconv: fix partial clear of atime mount flags opencontainers/runc#5115, libct/specconv: always clear entire MOUNT_ATTR__ATIME field when updating atime mode opencontainers/runc#5098)
• PR Preventing containers from being unable to be deleted opencontainers/runc#4757 caused a regression that resulted in spurious
  cannot start a container that has stopped errors when
  running runc create and has thus been reverted. ([1.3] Revert "Preventing containers from being unable to be deleted" opencontainers/runc#5158,
  Revert "Preventing containers from being unable to be deleted" opencontainers/runc#5153, "cannot start a container that has stopped" in F-43 opencontainers/runc#5151, Add creating status to ensure state.json exists when runc kill. opencontainers/runc#4645, Preventing containers from being unable to be deleted opencontainers/runc#4757)

Changed

• Updated builds to Go 1.25, libseccomp v2.6.0. ([1.3] misc backports + Go 1.24->1.25 opencontainers/runc#5111, Various version bumps (mostly CI) opencontainers/runc#5053)
• Minor signing keyring updates. ([1.3] keyring fixes opencontainers/runc#5146, keyring: remove asarai@suse.de key opencontainers/runc#5139, keyring: validate: allow maintainers to have no keys opencontainers/runc#5144, keyring: update AkihiroSuda's key opencontainers/runc#5148)

Static Linking Notices

The runc binary distributed with this release are statically linked with
the following GNU LGPL-2.1 licensed libraries, with runc acting
as a "work that uses the Library":

• libseccomp

The versions of these libraries were not modified from their upstream versions,
but in order to comply with the LGPL-2.1 (§6(a)), we have attached the
complete source code for those libraries which (when combined with the attached
runc source code) may be used to exercise your rights under the LGPL-2.1.

(truncated — see source for full notes)

v1.43.0

Added

• Add IsRandom and WithRandom on TraceFlags, and IsRandom on SpanContext in go.opentelemetry.io/otel/trace
  for W3C Trace Context Level 2 Random Trace ID Flag support. (trace: add Random Trace ID Flag open-telemetry/opentelemetry-go#8012)
• Add service detection with WithService in go.opentelemetry.io/otel/sdk/resource. (resource: add WithService detector option open-telemetry/opentelemetry-go#7642)
• Add DefaultWithContext and EnvironmentWithContext in go.opentelemetry.io/otel/sdk/resource to support plumbing context.Context through default and environment detectors. (sdk/resource: add WithContext variants for Default and Environment (#7808) open-telemetry/opentelemetry-go#8051)
• Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc. (attribute: change INVALID Type to EMPTY and mark INVALID as deprecated open-telemetry/opentelemetry-go#8038)
• Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc. (attribute: change INVALID Type to EMPTY and mark INVALID as deprecated open-telemetry/opentelemetry-go#8038)
• Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc. (attribute: change INVALID Type to EMPTY and mark INVALID as deprecated open-telemetry/opentelemetry-go#8038)
• Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp. (attribute: change INVALID Type to EMPTY and mark INVALID as deprecated open-telemetry/opentelemetry-go#8038)
• Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp. (attribute: change INVALID Type to EMPTY and mark INVALID as deprecated open-telemetry/opentelemetry-go#8038)
• Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp. (attribute: change INVALID Type to EMPTY and mark INVALID as deprecated open-telemetry/opentelemetry-go#8038)
• Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/sdk/metric/metricdata/metricdatatest. (attribute: change INVALID Type to EMPTY and mark INVALID as deprecated open-telemetry/opentelemetry-go#8038)
• Add support for per-series start time tracking for cumulative metrics in go.opentelemetry.io/otel/sdk/metric.
  Set OTEL_GO_X_PER_SERIES_START_TIMESTAMPS=true to enable. (Add support for the development per-series starttime feature open-telemetry/opentelemetry-go#8060)
• Add WithCardinalityLimitSelector for metric reader for configuring cardinality limits specific to the instrument kind. (sdk/metric: Support specifying cardinality limits per instrument kinds open-telemetry/opentelemetry-go#7855)

Changed

• Introduce the EMPTY Type in go.opentelemetry.io/otel/attribute to reflect that an empty value is now a valid value, with INVALID remaining as a deprecated

(truncated)

v1.42.0

Added

• Add go.opentelemetry.io/otel/semconv/v1.40.0 package.
  The package contains semantic conventions from the v1.40.0 version of the OpenTelemetry Semantic Conventions.
  See the migration documentation for information on how to upgrade from go.opentelemetry.io/otel/semconv/v1.39.0. (Revert "Revert "Generate semconv/v1.40.0"" open-telemetry/opentelemetry-go#7985)
• Add Err and SetErr on Record in go.opentelemetry.io/otel/log to attach an error and set record exception attributes in go.opentelemetry.io/otel/log/sdk. (log: add error field to Record and make SDK to emit exception attributes open-telemetry/opentelemetry-go#7924)

Changed

• TracerProvider.ForceFlush in go.opentelemetry.io/otel/sdk/trace joins errors together and continues iteration through SpanProcessors as opposed to returning the first encountered error without attempting exports on subsequent SpanProcessors. (TracerProvider ForceFlush() Error Fix open-telemetry/opentelemetry-go#7856)

Fixed

• Fix missing request.GetBody in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp to correctly handle HTTP2 GOAWAY frame. (support stdlib request.GetBody on metrics open-telemetry/opentelemetry-go#7931)

(truncated — see source for full notes)

What's Changed

Fixes GHSA-78h2-9frx-2jm8

We recommend migrating from v3 to v4, and we will stop support v3 in the near future.

Full Changelog: go-jose/go-jose@v3.0.4...v3.0.5

v4.1.4

What's Changed

Fixes Panic in JWE decryption. See GHSA-78h2-9frx-2jm8

Full Changelog: go-jose/go-jose@v4.1.3...v4.1.4

v4.1.3

This release drops Go 1.23 support as that Go release is no longer supported. With that, we can drop x/crypto and no longer have any external dependencies in go-jose outside of the standard library!

This release fixes a bug where a critical b64 header was ignored if in an unprotected header. It is now rejected instead of ignored.

What's Changed

• Remove Go 1.23 support by @mcpherrinm in Remove Go 1.23 support go-jose/go-jose#205
• Reject JWS with an unprotected critical b64 header by @mcpherrinm in Reject JWS with an unprotected critical b64 header go-jose/go-jose#210

Full Changelog: go-jose/go-jose@v4.1.2...v4.1.3

v4.1.2

What's Changed

go-jose v4.1.2 improves some documentation, errors, and removes the only 3rd-party dependency.

• Update go-jose documentation by @mcpherrinm in Update go-jose documentation go-jose/go-jose#198
• Remove dependency on testify by @wardviaene in Remove dependency on testify go-jose/go-jose#197
• Improve error message for invalid private keys by @ProjectMutilation in Improve error message for invalid private keys go-jose/go-jose#195
• JWK unsupported error when unmarshalling by @fprojetto in JWK unsupported error when unmarshalling go-jose/go-jose#191
• Add JSONWebKey type to makeJWERecipient by @alvarolivie in Add JSONWebKey type to makeJWERecipient go-jose/go-jose#200
• testutils/assert: remove True, Nil, NotNil by @jsha in testutils/assert: remove True, Nil, NotNil go-jose/go-jose#202

New Contributors

• @wardviaene made their first contribution in Remove dependency on testify go-jose/go-jose#197
• @fprojetto made their first contribution in JWK unsupported error when unmarshalling go-jose/go-jose#191
• @alvarolivie made their first contribution in Add JSONWebKey type to makeJWERecipient go-jose/go-jose#200

Full Changelog: go-jose/go-jose@v4.1.1...v4.1.2

v4.1.1

What's Changed

• Drop go-cmp dependency by @mcpherrinm in Drop go-cmp dependency go-jose/go-jose#186
• jws: improve performance and allocations for ParseSignedCompact by @drakkan in jws: improve performance and allocations for ParseSignedCompact go-jose/go-jose#188
• Add missing quote to unknown curve message Missing single tick in error message go-jose/go-jose#170 by @sudhanvaghebbale in Add missing quote to unknown curve message #170 go-jose/go-jose#189
• Fix incorrect validation by @ProjectMutilation in Fix incorrect validation go-jose/go-jose#192
• Restore Go 1.23 compatibility by @anuraaga in Restore Go 1.23 compatibility go-jose/go-jose#193

New Contributors

• @drakkan made their first contribution in jws: improve performance and allocations for ParseSignedCompact go-jose/go-jose#188
• @sudhanvaghebbale made their first contribution in Add missing quote to unknown curve message #170 go-jose/go-jose#189
• @ProjectMutilation made their first contribution in Fix incorrect validation go-jose/go-jose#192
• @anuraaga made their first contribution in Restore Go 1.23 compatibility go-jose/go-jose#193

Full Changelog: go-jose/go-jose@v4.1.0...v4.1.1

v5.18.0

What's Changed

• plumbing: transport/http, Add support for followRedirects policy by @pjbgf in plumbing: transport/http, Add support for followRedirects policy go-git/go-git#2004

Full Changelog: go-git/go-git@v5.17.2...v5.18.0

v5.17.2

What's Changed

• build: Update module github.com/go-git/go-git/v5 to v5.17.1 [SECURITY] (releases/v5.x) by @go-git-renovate[bot] in build: Update module github.com/go-git/go-git/v5 to v5.17.1 [SECURITY] (releases/v5.x) go-git/go-git#1941
• dotgit: skip writing pack files that already exist on disk by @pjbgf in dotgit: skip writing pack files that already exist on disk go-git/go-git#1944

⚠️ This release fixes a bug (go-git/go-git#1942) that blocked some users from upgrading to v5.17.1. Thanks @pskrbasu for reporting it. 🙇

Full Changelog: go-git/go-git@v5.17.1...v5.17.2

v5.17.1

What's Changed

• build: Update module github.com/cloudflare/circl to v1.6.3 [SECURITY] (releases/v5.x) by @go-git-renovate[bot] in build: Update module github.com/cloudflare/circl to v1.6.3 [SECURITY] (releases/v5.x) go-git/go-git#1930
• [v5] plumbing: format/index, Improve v4 entry name validation by @pjbgf in [v5] plumbing: format/index, Improve v4 entry name validation go-git/go-git#1935
• [v5] plumbing: format/idxfile, Fix version and fanout checks by @pjbgf in [v5] plumbing: format/idxfile, Fix version and fanout checks go-git/go-git#1937

Full Changelog: go-git/go-git@v5.17.0...v5.17.1

v5.17.0

What's Changed

• build: Update module github.com/go-git/go-git/v5 to v5.16.5 [SECURITY] (releases/v5.x) by @go-git-renovate[bot] in build: Update module github.com/go-git/go-git/v5 to v5.16.5 [SECURITY] (releases/v5.x) go-git/go-git#1839
• git: worktree, optimize infiles function for very large repos by @k-anshul in git: worktree, optimize infiles function for very large repos go-git/go-git#1853
• git: Add strict checks for supported extensions by @pjbgf in [v5] git: Add strict checks for supported extensions go-git/go-git#1861
• backport, git: Improve Status() speed with new index.ModTime check by @cedric-appdirect in backport, git: Improve Status() speed with new index.ModTime check go-git/go-git#1862
• storage: filesystem, Avoid overwriting loose obj files by @pjbgf in storage: filesystem, Avoid overwriting loose obj files go-git/go-git#1864

Full Changelog: go-git/go-git@v5.16.5...v5.17.0

v5.16.5

What's Changed

• build: Update module golang.org/x/crypto to v0.45.0 [SECURITY] (releases/v5.x) by @go-git-renovate[bot] in build: Update module golang.org/x/crypto to v0.45.0 [SECURITY] (releases/v5.x) go-git/go-git#1744
• build: Bump Go test versions to 1.23-1.25 (v5) by @pjbgf in build: Bump Go test versions to 1.23-1.25 (v5) go-git/go-git#1746
• [v5] git: worktree, Don't delete local untracked files when resetting worktree by @Ch00k in [v5] git: worktree, Don't delete local untracked files when resetting worktree go-git/go-git#1800
• Expand packfile checks by @pjbgf in Expand packfile checks go-git/go-git#1836

Full Changelog: go-git/go-git@v5.16.4...v5.16.5

v5.16.4

What's Changed

• backport plumbing: format/idxfile, prevent panic by @swills in backport plumbing: format/idxfile, prevent panic go-git/go-git#1732
• [backport] build: test, Fix build on Windows. by @pjbgf in [backport] build: test, Fix build on Windows. go-git/go-git#1734
• build: Update module golang.org/x/net to v0.38.0 [SECURITY] (releases/v5.x) by @go-git-renovate[bot] in build: Update module golang.org/x/net to v0.38.0 [SECURITY] (releases/v5.x) go-git/go-git#1742
• build: Update module github.com/cloudflare/circl to v1.6.1 [SECURITY] (releases/v5.x) by @go-git-renovate[bot] in build: Update module github.com/cloudflare/circl to v1.6.1 [SECURITY] (releases/v5.x) go-git/go-git#1741
• build: Update module github.com/go-git/go-git/v5 to v5.13.0 [SECURITY] (releases/v5.x) by @go-git-renovate[bot] in build: Update module github.com/go-git/go-git/v5 to v5.13.0 [SECURITY] (releases/v5.x) go-git/go-git#1743

Full Changelog: go-git/go-git@v5.16.3...v5.16.4

v5.16.3

What's Changed

• internal: Expand regex to fix build [5.x] by @baloo in internal: Expand regex to fix build [5.x] go-git/go-git#1644
• build: raise timeouts for windows CI tests and disable CIFuzz [5.x] by @baloo in build: raise timeouts for windows CI tests and disable CIFuzz [5.x] go-git/go-git#1646
• plumbing: support commits extra headers, support jujutsu signed commit [5.x] by @baloo in plumbing: support commits extra headers, support jujutsu signed commit [5.x] go-git/go-git#1633

Full Changelog: go-git/go-git@v5.16.2...v5.16.3

v5.16.2

What's Changed

(truncated — see source for full notes)

https://github.com/aws/aws-sdk-go-v2/blob/main/CHANGELOG.md

https://github.com/aws/aws-sdk-go-v2/blob/main/CHANGELOG.md

• d1c650a extra: initialize receiver in MultiScalarMult

v0.1.16

Improvements

• Adds "is nil" and "is not nil" selector. [GH-129]

Bug Fixes

• Fixed a bug where using "is empty" or "is not empty" with a non-slice or non-map value would panic. [GH-129]

Full Changelog: hashicorp/go-bexpr@v0.1.15...v0.1.16

v0.1.15

What's Changed

• test: in and contains are dangerous by @schmichael in test: in and contains are dangerous hashicorp/go-bexpr#84
• IND-2304 test-and-build.yml updated with unit test coverage, linting and .go-version added by @KaushikiAnand in IND-2304 test-and-build.yml updated with unit test coverage, linting and .go-version added hashicorp/go-bexpr#89
• Added template for new PR creation by @sonamtenzin2 in Added template for new PR creation hashicorp/go-bexpr#99
• Add changelog file by @mohanmanikanta2299 in Add changelog file hashicorp/go-bexpr#103
• Add default for MaxExpressions by @mismithhisler in Add default for MaxExpressions hashicorp/go-bexpr#112
• Fix REAMDE example by @Warfields in Fix REAMDE example hashicorp/go-bexpr#76

New Contributors

• @mukeshjc made their first contribution in Add CODEOWNERS file in CODEOWNERS hashicorp/go-bexpr#80
• @KaushikiAnand made their first contribution in IND-2304 test-and-build.yml updated with unit test coverage, linting and .go-version added hashicorp/go-bexpr#89
• @sonamtenzin2 made their first contribution in Added template for new PR creation hashicorp/go-bexpr#99
• @mohanmanikanta2299 made their first contribution in Add changelog file hashicorp/go-bexpr#103
• @compliance-pr-automation-bot[bot] made their first contribution in [Compliance] - PR Template Changes Required hashicorp/go-bexpr#105
• @mismithhisler made their first contribution in Add default for MaxExpressions hashicorp/go-bexpr#112
• @Warfields made their first contribution in Fix REAMDE example hashicorp/go-bexpr#76

Full Changelog: hashicorp/go-bexpr@v0.1.14...v0.1.15

v0.1.14

What's Changed

• Set minimum version to go1.18 by @shore in Set minimum version to go1.18 hashicorp/go-bexpr#53
• Improved Go Docs by @peteski22 in Updated godocs hashicorp/go-bexpr#62

New Contributors

• @shore made their first contribution in Set minimum version to go1.18 hashicorp/go-bexpr#53
• @peteski22 made their first contribution in Updated godocs hashicorp/go-bexpr#62

Full Changelog: hashicorp/go-bexpr@v0.1.13...v0.1.14

v0.1.13

What's Changed

• add any and all expression support by @remilapeyre in Add any and all expression support. hashicorp/go-bexpr#49

Full Changelog: hashicorp/go-bexpr@v0.1.12...v0.1.13