This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
protobuf	`==3.9.2` -> `==3.18.3`

GitHub Vulnerability Alerts

CVE-2021-22570

Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater.

CVE-2022-1941

Summary

A message parsing and memory management vulnerability in ProtocolBuffer’s C++ and Python implementations can trigger an out of memory (OOM) failure when processing a specially crafted message, which could lead to a denial of service (DoS) on services using the libraries.

Reporter: ClusterFuzz

Affected versions: All versions of C++ Protobufs (including Python) prior to the versions listed below.

Severity & Impact

Medium 5.7 - CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

A small (~500 KB) malicious payload can be constructed which causes the running service to allocate more than 3GB of RAM.

Proof of Concept

For reproduction details, please refer to the unit test that identifies the specific inputs that exercise this parsing weakness.

Mitigation / Patching

Please update to the latest available versions of the following packages:

protobuf-cpp (3.18.3, 3.19.5, 3.20.2, 3.21.6)
protobuf-python (3.18.3, 3.19.5, 3.20.2, 4.21.6)

Configuration

📅 Schedule: Branch creation - "" in timezone America/New_York, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

[ ] If you want to rebase/retry this PR, click this checkbox.

This PR has been generated by Mend Renovate. View repository job log here.

Codecov Report

Base: 84.02% // Head: 84.02% // No change to project coverage :thumbsup:

Coverage data is based on head (8724abb) compared to base (e927925). Patch has no changes to coverable lines.

Additional details and impacted files

```diff @@ Coverage Diff @@ ## main #996 +/- ## ======================================= Coverage 84.02% 84.02% ======================================= Files 9 9 Lines 889 889 ======================================= Hits 747 747 Misses 142 142 ``` | [Impacted Files](https://codecov.io/gh/IQTLabs/AISonobuoy/pull/996?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=IQTLabs) | Coverage Δ | | |---|---|---| | [PiBuoyV2/services/sense/sense\_app.py](https://codecov.io/gh/IQTLabs/AISonobuoy/pull/996/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=IQTLabs#diff-UGlCdW95VjIvc2VydmljZXMvc2Vuc2Uvc2Vuc2VfYXBwLnB5) | `77.04% <0.00%> (ø)` | | Help us with your feedback. Take ten seconds to tell us [how you rate us](https://about.codecov.io/nps?utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=IQTLabs). Have a feature suggestion? [Share it here.](https://app.codecov.io/gh/feedback/?utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=IQTLabs)

:umbrella: View full report at Codecov.
:loudspeaker: Do you have feedback about the report comment? Let us know in this issue.

IQTLabs / AISonobuoy

Update dependency protobuf to v3.18.3 [SECURITY] - autoclosed #996