[Security] Bump github.com/gogo/protobuf from 1.2.1 to 1.3.2 #10

Merged
argoyle merged 1 commit from dependabot-go_modules-github.com-gogo-protobuf-1.3.2 into master 2023-05-08 18:42:49 +00:00
argoyle commented 2023-05-08 18:36:19 +00:00 (Migrated from gitlab.com)

Bumps github.com/gogo/protobuf (https://github.com/gogo/protobuf) from 1.2.1 to 1.3.2. This update includes a security fix.

Vulnerabilities fixed

Improper Input Validation in GoGo Protobuf: An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the "skippy peanut butter" issue.

Patched versions: 1.3.2
Affected versions: < 1.3.2

Release notes

Sourced from github.com/gogo/protobuf's releases (https://github.com/gogo/protobuf/releases).

Release v.1.3.2

Tested versions:

go 1.15.6, protoc 3.14.0

Bug fixes:

skippy peanut butter

Release v1.3.1

Tested versions:

go 1.12.10, protoc 3.9.1

Bug fixes:

  • proto/buffer: fix proto.Buffer marshaling. (Thanks: https://github.com/apelisse)
  • plugin/gostring: generate values instead of pointers when a field is repeated and non-nullable. (Thanks: https://github.com/godfried)
  • protoc-gen-gogo/generator: Generate json and custom tags for oneof. (Thanks: https://github.com/krhubert)
  • plugin/marshalto: Use ProtoSize() in MarshalTo when enabled for oneof fields. (Thanks: https://github.com/gaffneyc)

Upstream commits:

  • 4c88cc3f1a34ffade77b79abc53335d1e511f25b - all: fix reflect.Value.Interface races.
  • 6c65a5562fc06764971b7c5d05c76c75e84bdbf7 - jsonpb: fix marshaling of Duration
  • b285ee9cfc6c881bb20c0d8dc73370ea9b9ec90f - Log parsing errors using log pkg

Misc:

  • add github workflow config
  • protoc update - Updated to protoc 3.9.1

Release v1.3.0

Tested versions:

go 1.12.9, protoc 3.7.1

Improvements:

  • plugin/stringer - Handle repeated and/or nullable types a bit better now.
  • plugin/size - Remove the loop in sovXXX by using bit twiddling. (Thanks: https://github.com/apelisse)
  • plugin/marshalto - Implemented a reverse marshal strategy which allows for faster marshalling. This now avoids a recursive (and repeated) call to Size(). (Thanks: https://github.com/apelisse)
  • plugin/compare - Added support for oneof types.

Bug fixes:

  • protoc-gen-gogo/generator - Fix assignment to entry in nil map. (Thanks: https://github.com/tgulacsi)
  • protoc-gen-gogo/generator - Allows plugins to call RecordTypeUse without panicking. (Thanks: https://github.com/fedenusy)

... (truncated)

Commits

  • b03c65e skippy peanut butter (https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc)
  • 550e889 update to go version 1.15.6 and protoc 3.14.0 (#717) (https://github.com/gogo/protobuf/commit/550e88954e617545f49920b752c154d72abf1d8d)
  • deb6fe8 Update Readme.md (https://github.com/gogo/protobuf/commit/deb6fe8ca7c6d06584bfbd40ca407bf69d9fd2aa)
  • 5628607 github/workflow - update protoc version to 3.9.1 (#637) (https://github.com/gogo/protobuf/commit/5628607bb4c51c3157aacc3a50f0ab707582b805)
  • 09ab773 Issue619safer (#627) (https://github.com/gogo/protobuf/commit/09ab7735f7757c093f5b0a2285bff3998d684a61)
  • 8142193 GoString plugin: generate values instead of pointers when a field is repeated... (https://github.com/gogo/protobuf/commit/8142193b881b41b9b93dae1124dd99e619b8941f)
  • 627c0c9 umarshal - refactor skip from recursive calls to a loop. (#636) (https://github.com/gogo/protobuf/commit/627c0c9b4094c6cd02b3cb49e22420455e97e64c)
  • 69adf3e Ghworkflow (#632) (https://github.com/gogo/protobuf/commit/69adf3ecd52d1754cc42d7464c449e50d4b79521)
  • 8a5ed79 Merge pull request #622 from jmarais/master (https://github.com/gogo/protobuf/commit/8a5ed79f688836cf007ca23aefe0299791e7bea5)
  • 33d4760 merged in golang/protobuf commit 4c88cc3f1a34ffade77b79abc53335d1e511f25b - a... (https://github.com/gogo/protobuf/commit/33d47608f2cc12f4c1e590655e6175596f05e6bf)
  • Additional commits viewable in the compare view: https://github.com/gogo/protobuf/compare/v1.2.1...v1.3.2

Dependabot commands

You can trigger Dependabot actions by commenting on this MR:

  • $dependabot rebase will rebase this MR
  • $dependabot recreate will recreate this MR, rewriting all the manual changes and resolving conflicts
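The advisory quoted in this MR gives only a patched version (1.3.2) and an affected range (< 1.3.2); whether a given repository is actually past the fix still has to be checked. The Go program below is an added example, not code from this MR, from Dependabot or from gogo/protobuf: it parses a go.mod file (both the single-line and the block form of `require`) and reports whether github.com/gogo/protobuf is pinned below the patched version. The two sample go.mod contents, the module path example.com/service and the extra github.com/pkg/errors requirement are constructed for the example to show the state before and after a bump like this one.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Patched version from the advisory quoted in this MR: anything below it is affected.
const PatchedGogoProtobuf = "v1.3.2"

// parseVersion turns "v1.2.1" (optionally with a "-pre" or "+incompatible" suffix)
// into [major, minor, patch]. ok is false for anything it cannot parse.
func parseVersion(v string) ([3]int, bool) {
	var out [3]int
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return out, false
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return out, false
		}
		out[i] = n
	}
	return out, true
}

// compareVersions returns -1, 0 or 1 by comparing major, minor, patch in order.
func compareVersions(a, b [3]int) int {
	for i := 0; i < 3; i++ {
		if a[i] < b[i] {
			return -1
		}
		if a[i] > b[i] {
			return 1
		}
	}
	return 0
}

// requiredVersion scans go.mod text for modulePath, either as a one-line
// "require path version" directive or as a "path version" line inside a
// "require ( ... )" block. Trailing comments such as "// indirect" are
// stripped first; an indirect requirement still links the code in, so it counts.
func requiredVersion(gomod, modulePath string) (string, bool) {
	sc := bufio.NewScanner(strings.NewReader(gomod))
	inBlock := false
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		switch line {
		case "require (":
			inBlock = true
			continue
		case ")":
			inBlock = false
			continue
		}
		fields := strings.Fields(line)
		if inBlock && len(fields) == 2 && fields[0] == modulePath {
			return fields[1], true
		}
		if !inBlock && len(fields) == 3 && fields[0] == "require" && fields[1] == modulePath {
			return fields[2], true
		}
	}
	return "", false
}

// IsAffected reports whether go.mod pins github.com/gogo/protobuf below the patched
// version. found is false when the module is absent or its version is unparsable,
// so callers can tell "not used" apart from "used and safe".
func IsAffected(gomod string) (affected bool, found bool, version string) {
	v, ok := requiredVersion(gomod, "github.com/gogo/protobuf")
	if !ok {
		return false, false, ""
	}
	have, ok := parseVersion(v)
	if !ok {
		return false, false, v
	}
	want, _ := parseVersion(PatchedGogoProtobuf)
	return compareVersions(have, want) < 0, true, v
}

// Constructed sample go.mod files (not from any real project): before and after the bump.
const beforeMR = `module example.com/service

go 1.15

require (
	github.com/gogo/protobuf v1.2.1
	github.com/pkg/errors v0.9.1 // indirect
)
`

const afterMR = `module example.com/service

go 1.15

require github.com/gogo/protobuf v1.3.2
`

func main() {
	for _, sample := range []struct{ name, mod string }{{"before", beforeMR}, {"after", afterMR}} {
		affected, found, v := IsAffected(sample.mod)
		fmt.Printf("%s: found=%v version=%s affected=%v\n", sample.name, found, v, affected)
	}
}
```

go.mod records the declared requirement only; the version that is actually built is chosen by minimal version selection over every module in the graph and can be changed by replace directives, so run `go list -m github.com/gogo/protobuf` in the module for the authoritative answer, and use `govulncheck` to cover known advisories across the whole build list rather than one module at a time.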
argoyle (Migrated from gitlab.com) scheduled this pull request to auto merge when all checks succeed 2023-05-08 18:39:25 +00:00
argoyle (Migrated from gitlab.com) merged commit into master 2023-05-08 18:42:49 +00:00