Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(deps): update module google.golang.org/protobuf to v1.33.0 [security] (release-0.27) #4430

Merged
merged 1 commit into from
Apr 25, 2024
Merged

chore(deps): update module google.golang.org/protobuf to v1.33.0 [security] (release-0.27) #4430

merged 1 commit into from
Apr 25, 2024

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Apr 14, 2024
edited
Loading

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
google.golang.org/protobuf v1.31.0 -> v1.33.0 age adoption passing confidence

Infinite loop in JSON unmarshaling in google.golang.org/protobuf

CVE-2024-24786 / GHSA-8r3f-844c-mc37 / GO-2024-2611

More information

Details

The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

Golang protojson.Unmarshal function infinite loop when unmarshaling certain forms of invalid JSON

CVE-2024-24786 / GHSA-8r3f-844c-mc37 / GO-2024-2611

More information

Details

The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.

Severity

Moderate

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

protocolbuffers/protobuf-go (google.golang.org/protobuf)

v1.33.0

Compare Source

v1.32.0

Compare Source

Full Changelog: protocolbuffers/protobuf-go@v1.31.0...v1.32.0

This release contains commit protocolbuffers/protobuf-go@bfcd647, which fixes a denial of service vulnerability by preventing a stack overflow through a default maximum recursion limit. See https://github.com/golang/protobuf/issues/1583 and https://github.com/golang/protobuf/issues/1584 for details.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot requested a review from a team as a code owner April 14, 2024 09:28
@renovate renovate bot added the security label Apr 14, 2024
@renovate renovate bot requested review from chenrui333 and removed request for a team April 14, 2024 09:28
@renovate renovate bot enabled auto-merge (squash) April 14, 2024 09:28
@github-actions github-actions bot added the dependencies PRs that update a dependency file label Apr 14, 2024
@renovate renovate bot changed the title chore(deps): update module google.golang.org/protobuf to v1.33.0 [security] (release-0.27) chore(deps): update module google.golang.org/protobuf to v1.33.0 [security] (release-0.27) - autoclosed Apr 18, 2024
@renovate renovate bot closed this Apr 18, 2024
auto-merge was automatically disabled April 18, 2024 17:10

Pull request was closed

@renovate renovate bot deleted the renovate/release-0.27-go-google.golang.org/protobuf-vulnerability branch April 18, 2024 17:10
@renovate renovate bot changed the title chore(deps): update module google.golang.org/protobuf to v1.33.0 [security] (release-0.27) - autoclosed chore(deps): update module google.golang.org/protobuf to v1.33.0 [security] (release-0.27) Apr 21, 2024
@renovate renovate bot reopened this Apr 21, 2024
@renovate renovate bot restored the renovate/release-0.27-go-google.golang.org/protobuf-vulnerability branch April 21, 2024 09:14
@renovate renovate bot enabled auto-merge (squash) April 21, 2024 09:15
@renovate renovate bot force-pushed the renovate/release-0.27-go-google.golang.org/protobuf-vulnerability branch 2 times, most recently from 0f92b3b to 5a9535f Compare April 24, 2024 22:45
@renovate renovate bot force-pushed the renovate/release-0.27-go-google.golang.org/protobuf-vulnerability branch from 5a9535f to 5cc3105 Compare April 25, 2024 01:00
@renovate renovate bot merged commit 3155f3d into release-0.27 Apr 25, 2024
23 of 24 checks passed
@renovate renovate bot deleted the renovate/release-0.27-go-google.golang.org/protobuf-vulnerability branch April 25, 2024 01:18
@BrewTestBot BrewTestBot mentioned this pull request Apr 25, 2024
Merged
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@renovate-approve renovate-approve[bot] renovate-approve[bot] approved these changes

@chenrui333 chenrui333 Awaiting requested review from chenrui333 chenrui333 is a code owner automatically assigned from runatlantis/maintainers

Assignees
No one assigned
Labels
dependencies PRs that update a dependency file security
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants