This repository was archived by the owner on Nov 17, 2024. It is now read-only.
chore(deps): update dependency protobuf to v3.18.3 [security] #182
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters
renovate bot changed the title renovate bot force-pushed the renovate/pypi-protobuf-vulnerability branch from eb24582 to d32dff5 Compare renovate bot force-pushed the renovate/pypi-protobuf-vulnerability branch from d32dff5 to f9a74aa Compare renovate bot changed the title 
|
|
renovate bot changed the title renovate bot force-pushed the renovate/pypi-protobuf-vulnerability branch from f9a74aa to 003680b Compare renovate bot changed the title renovate bot force-pushed the renovate/pypi-protobuf-vulnerability branch from 003680b to e52627c Compare renovate bot changed the title renovate bot force-pushed the renovate/pypi-protobuf-vulnerability branch from e52627c to dd3b6d1 Compare renovate bot changed the title renovate bot force-pushed the renovate/pypi-protobuf-vulnerability branch from dd3b6d1 to 3b92593 Compare renovate bot changed the title renovate bot force-pushed the renovate/pypi-protobuf-vulnerability branch from 3b92593 to b590020 Compare renovate bot changed the title renovate bot force-pushed the renovate/pypi-protobuf-vulnerability branch from b590020 to 069c4ee Compare renovate bot changed the title renovate bot force-pushed the renovate/pypi-protobuf-vulnerability branch from 069c4ee to 86b9d27 Compare renovate bot changed the title renovate bot force-pushed the renovate/pypi-protobuf-vulnerability branch from 86b9d27 to bc27efa Compare renovate bot changed the title renovate bot force-pushed the renovate/pypi-protobuf-vulnerability branch from bc27efa to ce1d755 Compare renovate bot changed the title renovate bot force-pushed the renovate/pypi-protobuf-vulnerability branch from ce1d755 to 898d8e6 Compare renovate bot changed the title renovate bot force-pushed the renovate/pypi-protobuf-vulnerability branch from 898d8e6 to 52edf63 Compare renovate bot changed the title renovate bot force-pushed the renovate/pypi-protobuf-vulnerability branch from 52edf63 to 98065d5 Compare renovate bot changed the title renovate bot force-pushed the renovate/pypi-protobuf-vulnerability branch from f3b052e to aaa4ba1 Compare renovate bot force-pushed the renovate/pypi-protobuf-vulnerability branch from aaa4ba1 to 5c69d90 Compare renovate bot changed the title renovate bot force-pushed the renovate/pypi-protobuf-vulnerability branch from 5c69d90 to 0ab735d Compare renovate bot changed the title renovate bot changed the title renovate bot force-pushed the renovate/pypi-protobuf-vulnerability branch from 0ab735d to da82824 Compare renovate bot changed the title renovate bot force-pushed the renovate/pypi-protobuf-vulnerability branch from da82824 to 717b6b8 Compare renovate bot force-pushed the renovate/pypi-protobuf-vulnerability branch from 717b6b8 to 302507d Compare renovate bot changed the title renovate bot force-pushed the renovate/pypi-protobuf-vulnerability branch from 302507d to b2757fe Compare renovate bot changed the title renovate bot changed the title renovate bot force-pushed the renovate/pypi-protobuf-vulnerability branch from b2757fe to 7653398 Compare renovate bot changed the title renovate bot force-pushed the renovate/pypi-protobuf-vulnerability branch from 7653398 to b791a2b Compare renovate bot force-pushed the renovate/pypi-protobuf-vulnerability branch from b791a2b to 37cb6bf Compare renovate bot changed the title renovate bot force-pushed the renovate/pypi-protobuf-vulnerability branch from 37cb6bf to f9c0c24 Compare renovate bot changed the title renovate bot force-pushed the renovate/pypi-protobuf-vulnerability branch from f9c0c24 to 2f7301c Compare renovate bot changed the title renovate bot force-pushed the renovate/pypi-protobuf-vulnerability branch from 2f7301c to 37e083f Compare renovate bot changed the title renovate bot changed the title renovate bot force-pushed the renovate/pypi-protobuf-vulnerability branch from 37e083f to d94bde0 Compare renovate bot changed the title renovate bot force-pushed the renovate/pypi-protobuf-vulnerability branch from d94bde0 to fb2931e Compare Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Add this suggestion to a batch that can be applied as a single commit. This suggestion is invalid because no changes were made to the code. Suggestions cannot be applied while the pull request is closed. Suggestions cannot be applied while viewing a subset of changes. Only one suggestion per line can be applied in a batch. Add this suggestion to a batch that can be applied as a single commit. Applying suggestions on deleted lines is not supported. You must change the existing code in this line in order to create a valid suggestion. Outdated suggestions cannot be applied. This suggestion has been applied or marked resolved. Suggestions cannot be applied from pending reviews. Suggestions cannot be applied on multi-line comments. Suggestions cannot be applied while the pull request is queued to merge. Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
==3.14.0->==3.18.3GitHub Vulnerability Alerts
CVE-2021-22570
Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater.
CVE-2022-1941
Summary
A message parsing and memory management vulnerability in ProtocolBuffer’s C++ and Python implementations can trigger an out of memory (OOM) failure when processing a specially crafted message, which could lead to a denial of service (DoS) on services using the libraries.
Reporter: ClusterFuzz
Affected versions: All versions of C++ Protobufs (including Python) prior to the versions listed below.
Severity & Impact
As scored by google
Medium 5.7 - CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Asscored byt NIST
High 7.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
A small (~500 KB) malicious payload can be constructed which causes the running service to allocate more than 3GB of RAM.
Proof of Concept
For reproduction details, please refer to the unit test that identifies the specific inputs that exercise this parsing weakness.
Mitigation / Patching
Please update to the latest available versions of the following packages:
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.