security(deps): update 🛡️ google.golang.org/protobuf to v1.33.0 [secu… · DelineaXPM/terraform-provider-dsv@65ae74d

Commit

security(deps): update 🛡️ google.golang.org/protobuf to v1.33.0 [secu…

…rity] (#79)

[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
|
[google.golang.org/protobuf](https://togithub.com/protocolbuffers/protobuf-go)
| `v1.30.0` -> `v1.33.0` |
[![age](https://developer.mend.io/api/mc/badges/age/go/google.golang.org%2fprotobuf/v1.33.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/go/google.golang.org%2fprotobuf/v1.33.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/go/google.golang.org%2fprotobuf/v1.30.0/v1.33.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/go/google.golang.org%2fprotobuf/v1.30.0/v1.33.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

### GitHub Vulnerability Alerts

#### [CVE-2024-24786](https://nvd.nist.gov/vuln/detail/CVE-2024-24786)

The protojson.Unmarshal function can enter an infinite loop when
unmarshaling certain forms of invalid JSON. This condition can occur
when unmarshaling into a message which contains a google.protobuf.Any
value, or when the UnmarshalOptions.DiscardUnknown option is set.

---

### Infinite loop in JSON unmarshaling in google.golang.org/protobuf
[CVE-2024-24786](https://nvd.nist.gov/vuln/detail/CVE-2024-24786) /
[GHSA-8r3f-844c-mc37](https://togithub.com/advisories/GHSA-8r3f-844c-mc37)
/ [GO-2024-2611](https://pkg.go.dev/vuln/GO-2024-2611)

<details>
<summary>More information</summary>

#### Details
The protojson.Unmarshal function can enter an infinite loop when
unmarshaling certain forms of invalid JSON. This condition can occur
when unmarshaling into a message which contains a google.protobuf.Any
value, or when the UnmarshalOptions.DiscardUnknown option is set.

#### Severity
Unknown

#### References
- [https://go.dev/cl/569356](https://go.dev/cl/569356)

This data is provided by
[OSV](https://osv.dev/vulnerability/GO-2024-2611) and the [Go
Vulnerability Database](https://togithub.com/golang/vulndb) ([CC-BY
4.0](https://togithub.com/golang/vulndb#license)).
</details>

---

### Golang protojson.Unmarshal function infinite loop when unmarshaling
certain forms of invalid JSON
[CVE-2024-24786](https://nvd.nist.gov/vuln/detail/CVE-2024-24786) /
[GHSA-8r3f-844c-mc37](https://togithub.com/advisories/GHSA-8r3f-844c-mc37)
/ [GO-2024-2611](https://pkg.go.dev/vuln/GO-2024-2611)

<details>
<summary>More information</summary>

#### Details
The protojson.Unmarshal function can enter an infinite loop when
unmarshaling certain forms of invalid JSON. This condition can occur
when unmarshaling into a message which contains a google.protobuf.Any
value, or when the UnmarshalOptions.DiscardUnknown option is set.

#### Severity
Moderate

#### References
-
[https://nvd.nist.gov/vuln/detail/CVE-2024-24786](https://nvd.nist.gov/vuln/detail/CVE-2024-24786)
-
[https://github.com/protocolbuffers/protobuf-go/commit/f01a588e5810b90996452eec4a28f22a0afae023](https://togithub.com/protocolbuffers/protobuf-go/commit/f01a588e5810b90996452eec4a28f22a0afae023)
-
[https://github.com/protocolbuffers/protobuf-go](https://togithub.com/protocolbuffers/protobuf-go)
-
[https://github.com/protocolbuffers/protobuf-go/releases/tag/v1.33.0](https://togithub.com/protocolbuffers/protobuf-go/releases/tag/v1.33.0)
- [https://go.dev/cl/569356](https://go.dev/cl/569356)
-
[https://lists.fedoraproject.org/archives/list/[email protected]/message/JDMBHAVSDU2FBDZ45U3A2VLSM35OJ2HU](https://lists.fedoraproject.org/archives/list/[email protected]/message/JDMBHAVSDU2FBDZ45U3A2VLSM35OJ2HU)
-
[https://pkg.go.dev/vuln/GO-2024-2611](https://pkg.go.dev/vuln/GO-2024-2611)

This data is provided by
[OSV](https://osv.dev/vulnerability/GHSA-8r3f-844c-mc37) and the [GitHub
Advisory Database](https://togithub.com/github/advisory-database)
([CC-BY
4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### Release Notes

<details>
<summary>protocolbuffers/protobuf-go
(google.golang.org/protobuf)</summary>

###
[`v1.33.0`](https://togithub.com/protocolbuffers/protobuf-go/compare/v1.32.0...v1.33.0)

[Compare
Source](https://togithub.com/protocolbuffers/protobuf-go/compare/v1.32.0...v1.33.0)

###
[`v1.32.0`](https://togithub.com/protocolbuffers/protobuf-go/releases/tag/v1.32.0)

[Compare
Source](https://togithub.com/protocolbuffers/protobuf-go/compare/v1.31.0...v1.32.0)

**Full Changelog**:
protocolbuffers/protobuf-go@v1.31.0...v1.32.0

This release contains commit
protocolbuffers/protobuf-go@bfcd647,
which fixes a denial of service vulnerability by preventing a stack
overflow through a default maximum recursion limit. See
[https://github.com/golang/protobuf/issues/1583](https://togithub.com/golang/protobuf/issues/1583)
and
[https://github.com/golang/protobuf/issues/1584](https://togithub.com/golang/protobuf/issues/1584)
for details.

###
[`v1.31.0`](https://togithub.com/protocolbuffers/protobuf-go/releases/tag/v1.31.0)

[Compare
Source](https://togithub.com/protocolbuffers/protobuf-go/compare/v1.30.0...v1.31.0)

##### Notable changes <a name="v1.31-notable-changes"></a>

**New Features**

-   [CL/489316](https://go.dev/cl/489316): types/dynamicpb: add NewTypes
- Add a function to construct a dynamic type registry from a
protoregistry.Files
- [CL/489615](https://go.dev/cl/489615): encoding: add MarshalAppend to
protojson and prototext

**Minor performance improvements**

- [CL/491596](https://go.dev/cl/491596): encoding/protodelim: If
UnmarshalFrom gets a bufio.Reader, try to reuse its buffer instead of
creating a new one
- [CL/500695](https://go.dev/cl/500695): proto: store the size of tag to
avoid multiple calculations

**Bug fixes**

- [CL/497935](https://go.dev/cl/497935): internal/order: fix sorting of
synthetic oneofs to be deterministic
- [CL/505555](https://go.dev/cl/505555): encoding/protodelim: fix
handling of io.EOF

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no
schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/DelineaXPM/terraform-provider-dsv).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4yMzAuMCIsInVwZGF0ZWRJblZlciI6IjM3LjI2OS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

Loading branch information

renovate[bot] authored Mar 28, 2024

1 parent 33eaf23 commit 65ae74d

go.mod

-Original file line number
+Diff line change
@@ Expand Up / @@ -28,7 +28,7 @@ require ( @@
     	github.com/vmihailenco/msgpack/v4 v4.3.12 // indirect
     	github.com/vmihailenco/tagparser v0.1.2 // indirect
     	golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
-    	google.golang.org/protobuf v1.30.0 // indirect
+    	google.golang.org/protobuf v1.33.0 // indirect
     	mvdan.cc/sh/v3 v3.6.0 // indirect
     )
@@ Expand Down @@

go.sum

            
                      Original file line number
                      Diff line number
                      Diff line change
                  
    @@ -1225,8 +1225,8 @@ google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQ
  
    google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=

    google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=

    google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=

    google.golang.org/protobuf v1.30.0 h1:kPPoIgf3TsEvrm0PFe15JQ+570QVxYzEvvHqChK+cng=

    google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=

    google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=

    google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=

    gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=

    gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=

    gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=

vendor/google.golang.org/protobuf/encoding/protojson/decode.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

vendor/google.golang.org/protobuf/encoding/protojson/doc.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

vendor/google.golang.org/protobuf/encoding/protojson/encode.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

vendor/google.golang.org/protobuf/encoding/prototext/decode.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

0 comments on commit `65ae74d`

Please sign in to comment.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Commit

There are no files selected for viewing

0 comments on commit `65ae74d`

Commit

There are no files selected for viewing

0 comments on commit 65ae74d

0 comments on commit `65ae74d`