Skip to content

Bump google.golang.org/protobuf fixing GO-2024-2611 #6827

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
jetstack-bot merged 2 commits into from
Mar 7, 2024
Merged

Bump google.golang.org/protobuf fixing GO-2024-2611 #6827

jetstack-bot merged 2 commits into from
Mar 7, 2024

Conversation

@inteon
Copy link
Member

@inteon inteon commented Mar 7, 2024 

$ GOTOOLCHAIN=go1.21.8 govulncheck ./... Scanning your code and 1505 packages across 160 dependent modules for known vulnerabilities... === Symbol Results === Vulnerability #1: GO-2024-2611 Infinite loop in JSON unmarshaling in google.golang.org/protobuf More info: https://pkg.go.dev/vuln/GO-2024-2611 Module: google.golang.org/protobuf Found in: google.golang.org/protobuf@v1.32.0 Fixed in: google.golang.org/protobuf@v1.33.0 Example traces found: #1: pkg/issuer/acme/dns/clouddns/clouddns.go:162:90: clouddns.DNSProvider.Present calls dns.ResourceRecordSetsListCall.Do, which eventually calls json.Decoder.Peek #2: pkg/issuer/acme/dns/clouddns/clouddns.go:162:90: clouddns.DNSProvider.Present calls dns.ResourceRecordSetsListCall.Do, which eventually calls json.Decoder.Read #3: pkg/issuer/acme/dns/clouddns/clouddns.go:162:90: clouddns.DNSProvider.Present calls dns.ResourceRecordSetsListCall.Do, which eventually calls protojson.Unmarshal Your code is affected by 1 vulnerability from 1 module. This scan found no other vulnerabilities in packages you import or modules you require. Use '-show verbose' for more details.

Kind

/kind cleanup

Release Note

Upgrade google.golang.org/protobuf: fixing GO-2024-2611
@inteon
bump google.golang.org/protobuf fixing GO-2024-2611
531e1e4 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
@jetstack-bot jetstack-bot added kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. release-note Denotes a PR that will be considered when it comes time to generate release notes. dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. area/acme Indicates a PR directly modifies the ACME Issuer code area/testing Issues relating to testing size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Mar 7, 2024
@inteon
run 'make update-licenses'
e0392ea 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
wallrj
wallrj approved these changes Mar 7, 2024
View reviewed changes
Copy link
Member

@wallrj wallrj left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm
/approve

As discussed on Slack:
@jetstack-bot jetstack-bot added the lgtm Indicates that a PR is ready to be merged. label Mar 7, 2024
@jetstack-bot
Copy link
Contributor

jetstack-bot commented Mar 7, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: wallrj

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment
@jetstack-bot jetstack-bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 7, 2024
@jetstack-bot jetstack-bot merged commit f3737e6 into cert-manager:master Mar 7, 2024
This was referenced Mar 7, 2024
Merged
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. area/acme Indicates a PR directly modifies the ACME Issuer code area/testing Issues relating to testing dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. lgtm Indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.

3 participants

@inteon @jetstack-bot @wallrj