moby/vendor
Sebastiaan van Stijn 1ca89d7eae
vendor: google.golang.org/protobuf v1.33.0, github.com/golang/protobuf v1.5.4
full diffs:

- https://github.com/protocolbuffers/protobuf-go/compare/v1.31.0...v1.33.0
- https://github.com/golang/protobuf/compare/v1.5.3...v1.5.4

From the Go security announcement list:

> Version v1.33.0 of the google.golang.org/protobuf module fixes a bug in
> the google.golang.org/protobuf/encoding/protojson package which could cause
> the Unmarshal function to enter an infinite loop when handling some invalid
> inputs.
>
> This condition could only occur when unmarshaling into a message which contains
> a google.protobuf.Any value, or when the UnmarshalOptions.UnmarshalUnknown
> option is set. Unmarshal now correctly returns an error when handling these
> inputs.
>
> This is CVE-2024-24786.

In a follow-up post:

> A small correction: This vulnerability applies when the UnmarshalOptions.DiscardUnknown
> option is set (as well as when unmarshaling into any message which contains a
> google.protobuf.Any). There is no UnmarshalUnknown option.
>
> In addition, version 1.33.0 of google.golang.org/protobuf inadvertently
> introduced an incompatibility with the older github.com/golang/protobuf
> module. (https://github.com/golang/protobuf/issues/1596) Users of the older
> module should update to github.com/golang/protobuf@v1.5.4.

govulncheck results in our code:

    govulncheck ./...
    Scanning your code and 1221 packages across 204 dependent modules for known vulnerabilities...

    === Symbol Results ===

    Vulnerability #1: GO-2024-2611
        Infinite loop in JSON unmarshaling in google.golang.org/protobuf
      More info: https://pkg.go.dev/vuln/GO-2024-2611
      Module: google.golang.org/protobuf
        Found in: google.golang.org/protobuf@v1.31.0
        Fixed in: google.golang.org/protobuf@v1.33.0
        Example traces found:
          #1: daemon/logger/gcplogs/gcplogging.go:154:18: gcplogs.New calls logging.Client.Ping, which eventually calls json.Decoder.Peek
          #2: daemon/logger/gcplogs/gcplogging.go:154:18: gcplogs.New calls logging.Client.Ping, which eventually calls json.Decoder.Read
          #3: daemon/logger/gcplogs/gcplogging.go:154:18: gcplogs.New calls logging.Client.Ping, which eventually calls protojson.Unmarshal

    Your code is affected by 1 vulnerability from 1 module.
    This scan found no other vulnerabilities in packages you import or modules you
    require.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-03-14 13:12:54 +01:00
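The practical check this commit implies, that the vendored copies of both modules are at or above the fixed versions, as an added Go example that is not part of moby or of this commit: it reads the `# module version` header lines of a `vendor/modules.txt` (a constructed excerpt is embedded, with an invented `example.com` replace line to exercise the `=>` form), compares versions with a small semver comparison written here instead of pulling in `golang.org/x/mod/semver`, and reports every module below its minimum. The `minFixed` map and the `checkVendored` name are this example's own.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"sort"
	"strconv"
	"strings"
)

// Minimum versions carrying the fixes named in the commit message
// (google.golang.org/protobuf v1.33.0 for CVE-2024-24786, and
// github.com/golang/protobuf v1.5.4 for the incompatibility it introduced).
var minFixed = map[string]string{
	"google.golang.org/protobuf": "v1.33.0",
	"github.com/golang/protobuf": "v1.5.4",
}

// Constructed excerpt of a vendor/modules.txt in the layout `go mod vendor`
// writes: "# module version" headers, "## explicit" markers, package lines.
// The example.com replace line is invented to exercise "=>" handling.
const sampleModulesTxt = `# github.com/golang/protobuf v1.5.4
## explicit; go 1.17
github.com/golang/protobuf/proto
github.com/golang/protobuf/ptypes/timestamp
# google.golang.org/protobuf v1.31.0
## explicit; go 1.17
google.golang.org/protobuf/encoding/protojson
google.golang.org/protobuf/proto
# example.com/old v1.0.0 => example.com/new v1.2.0
## explicit
example.com/old/pkg
`

// parseModulesTxt maps each vendored module to the version actually built.
// For "old vX => new vY" lines the right-hand version is used; a replace
// pointing at a local path yields "" so it can be flagged for manual review.
func parseModulesTxt(s string) (map[string]string, error) {
	mods := make(map[string]string)
	sc := bufio.NewScanner(strings.NewReader(s))
	for sc.Scan() {
		line := sc.Text()
		if !strings.HasPrefix(line, "# ") { // skips "## explicit" and package lines
			continue
		}
		fields := strings.Fields(line[2:])
		if len(fields) == 0 {
			continue
		}
		mod, version := fields[0], ""
		if len(fields) > 1 && fields[1] != "=>" {
			version = fields[1]
		}
		for i, f := range fields {
			if f == "=>" {
				version = ""
				if len(fields)-i-1 >= 2 { // "=> module version", not "=> ../path"
					version = fields[i+2]
				}
				break
			}
		}
		mods[mod] = version
	}
	return mods, sc.Err()
}

// parseSemver splits "vMAJOR.MINOR.PATCH[-pre][+build]" into numbers and pre-release tag.
func parseSemver(v string) (nums [3]int, pre string, ok bool) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexByte(v, '+'); i >= 0 { // build metadata, e.g. +incompatible
		v = v[:i]
	}
	if i := strings.IndexByte(v, '-'); i >= 0 { // pre-release, incl. Go pseudo-versions
		pre, v = v[i+1:], v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return nums, "", false
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return nums, "", false
		}
		nums[i] = n
	}
	return nums, pre, true
}

// compareVersions returns -1, 0 or +1. A pre-release sorts before its release;
// two pre-release tags are compared as plain strings (a simplification of semver).
func compareVersions(a, b string) (int, error) {
	an, ap, ok := parseSemver(a)
	if !ok {
		return 0, fmt.Errorf("bad version %q", a)
	}
	bn, bp, ok := parseSemver(b)
	if !ok {
		return 0, fmt.Errorf("bad version %q", b)
	}
	for i := 0; i < 3; i++ {
		if an[i] < bn[i] {
			return -1, nil
		} else if an[i] > bn[i] {
			return 1, nil
		}
	}
	switch {
	case ap == bp:
		return 0, nil
	case ap == "":
		return 1, nil
	case bp == "":
		return -1, nil
	case ap < bp:
		return -1, nil
	}
	return 1, nil
}

// checkVendored lists modules whose vendored version is below the required
// minimum. Modules not present in modules.txt are not in the build and pass.
func checkVendored(modulesTxt string, minimums map[string]string) ([]string, error) {
	vendored, err := parseModulesTxt(modulesTxt)
	if err != nil {
		return nil, err
	}
	var problems []string
	for mod, min := range minimums {
		got, ok := vendored[mod]
		if !ok {
			continue
		}
		if got == "" {
			problems = append(problems, mod+" replaced by a local path; verify manually")
			continue
		}
		c, err := compareVersions(got, min)
		if err != nil {
			return nil, err
		}
		if c < 0 {
			problems = append(problems, fmt.Sprintf("%s %s < %s", mod, got, min))
		}
	}
	sort.Strings(problems)
	return problems, nil
}

func main() {
	problems, err := checkVendored(sampleModulesTxt, minFixed)
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(2)
	}
	for _, p := range problems {
		fmt.Println("NEEDS UPDATE:", p)
	}
	if len(problems) > 0 {
		os.Exit(1) // fail a CI job until the vendored copy is bumped
	}
	fmt.Println("all vendored modules at or above their fixed versions")
}
```

On the sample input the check flags `google.golang.org/protobuf v1.31.0 < v1.33.0` and exits non-zero. A version gate like this is cheaper than a full scan but only says whether the fixed code is vendored; the govulncheck run in the commit message is what establishes that the vulnerable `protojson.Unmarshal` path is actually reachable from the daemon, so the two complement rather than replace each other.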
Contents of vendor/ at this commit, with the last commit touching each entry:

| Entry | Last commit | Date |
|---|---|---|
| cloud.google.com/go | vendor: google.golang.org/genproto/googleapis/rpc 49dd2c1f3d0b | 2024-02-12 09:25:26 +01:00 |
| code.cloudfoundry.org/clock | vendor swarmkit v2.0.0-20240125134710-dcda100a8261 | 2024-01-25 16:26:04 +01:00 |
| dario.cat/mergo | vendor: containerd v1.7.12, and switch to dario.cat/mergo v1.0.0 | 2024-01-12 18:09:24 +01:00 |
| github.com | vendor: google.golang.org/protobuf v1.33.0, github.com/golang/protobuf v1.5.4 | 2024-03-14 13:12:54 +01:00 |
| go.etcd.io | vendor: go.etcd.io/bbolt v1.3.9 | 2024-02-27 18:24:01 +01:00 |
| go.opencensus.io | vendor: cloud.google.com/go/logging v1.7.0 | 2023-07-19 18:05:59 +02:00 |
| go.opentelemetry.io | vendor: github.com/moby/buildkit v0.13.0-rc2 | 2024-02-27 11:26:07 +01:00 |
| go.uber.org | vendor: go.uber.org/zap v1.21.0 | 2022-11-23 18:16:41 +01:00 |
| golang.org/x | go.mod: golang.org/x/sys v0.18.0 | 2024-03-06 07:37:37 +09:00 |
| google.golang.org | vendor: google.golang.org/protobuf v1.33.0, github.com/golang/protobuf v1.5.4 | 2024-03-14 13:12:54 +01:00 |
| gopkg.in/yaml.v2 | Update vendoring | 2023-05-16 17:11:09 +02:00 |
| gotest.tools/v3 | vendor: gotest.tools/v3 v3.5.1 | 2023-10-18 14:37:07 +02:00 |
| k8s.io/klog/v2 | vendor: k8s.io/klog/v2 v2.90.1 | 2023-07-19 18:06:01 +02:00 |
| resenje.org/singleflight | vendor: resenje.org/singleflight v0.4.1 | 2023-12-12 16:07:13 +01:00 |
| sigs.k8s.io/yaml | Update vendoring | 2023-05-16 17:11:09 +02:00 |
| tags.cncf.io/container-device-interface | Update container-device-interface to v0.6.2 | 2023-11-04 01:00:19 +01:00 |
| modules.txt | vendor: google.golang.org/protobuf v1.33.0, github.com/golang/protobuf v1.5.4 | 2024-03-14 13:12:54 +01:00 |