search

AndreasSko / go-jwlm

A command line tool to easily merge JW Library backups, written in Go.
MIT License
73 stars 4 forks source link

Bump go.mongodb.org/mongo-driver from 1.5.0 to 1.5.1 #139

Open dependabot[bot] opened 1 year ago

dependabot[bot] commented 1 year ago

Bumps go.mongodb.org/mongo-driver from 1.5.0 to 1.5.1.

Release notes

Sourced from go.mongodb.org/mongo-driver's releases.

MongoDB Go Driver 1.5.1

The MongoDB Go driver team is pleased to release 1.5.1 of the official Go driver.

This release contains several bug fixes. Due to the issue below, we recommend all users upgrade to this version of the driver.

Documentation can be found on pkg.go.dev and the MongoDB documentation site. BSON library documentation is also available on pkg.go.dev. Questions and inquiries can be asked on the MongoDB Developer Community. Bugs can be reported in the Go Driver Jira where a list of current issues can be found.

This CVE describes a security issue with the driver's BSON marshalling system. BSON marshalling functions would incorrectly handle null bytes embedded in BSON key names and the pattern/options fields of a BSON regex value. BSON marshalling functions now correctly validate and error if there is an embedded null byte in BSON key names or the pattern/options fields of a BSON regex value. We recommend all users of the driver upgrade to this version.

CVE ID: CVE-2021-20329 Title: Specific cstrings input may not be properly validated in the MongoDB Go Driver Description: Specific cstrings input may not be properly validated in the MongoDB Go Driver when marshalling Go objects into BSON. A malicious user could use a Go object with specific string to potentially inject additional fields into marshalled documents. This issue affects all MongoDB GO Drivers up to (and including) 1.5.0. CVSS score: 6.8 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N Affected products and versions, MongoDB Go Driver versions <= 1.5.0 Underlying operating systems affected: All

For a full list of tickets included in this release, please see the links below:

Bugs

Tasks

Commits
  • 40c0e70 Update version to v1.5.1
  • 3a89e6c GODRIVER-1923 Error if BSON cstrings contain null bytes (#622)
  • 1a2534c GODRIVER-1935 Update scram/stringprep dependencies (#624)
  • 6ea353a GODRIVER-1918 Check for zero length in readstring (#613)
  • d5e11aa GODRIVER-1919 Support decoding ObjectIDs from hex strings in BSON (#610)
  • e0ed6d6 Update version to v1.5.1+prerelease
  • See full diff in compare view


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/AndreasSko/go-jwlm/network/alerts).
coveralls commented 1 year ago

Coverage Status

Coverage: 86.118% (-0.0%) from 86.118% when pulling d87bf093fa7374d4301e86bced6424a6b1a1e53a on dependabot/go_modules/go.mongodb.org/mongo-driver-1.5.1 into 39bf323161784ff5af340ae491cd3e21cb21f4b2 on master.