The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.
Release Notes
protocolbuffers/protobuf-go (google.golang.org/protobuf)
### [`v1.33.0`](https://togithub.com/protocolbuffers/protobuf-go/compare/v1.32.0...v1.33.0)
[Compare Source](https://togithub.com/protocolbuffers/protobuf-go/compare/v1.32.0...v1.33.0)
### [`v1.32.0`](https://togithub.com/protocolbuffers/protobuf-go/releases/tag/v1.32.0)
[Compare Source](https://togithub.com/protocolbuffers/protobuf-go/compare/v1.31.0...v1.32.0)
**Full Changelog**: https://github.com/protocolbuffers/protobuf-go/compare/v1.31.0...v1.32.0
This release contains commit https://github.com/protocolbuffers/protobuf-go/commit/bfcd6476a38e41247d6bb43dc8f00b23ec9fffc2, which fixes a denial of service vulnerability by preventing a stack overflow through a default maximum recursion limit. See [https://github.com/golang/protobuf/issues/1583](https://togithub.com/golang/protobuf/issues/1583) and [https://github.com/golang/protobuf/issues/1584](https://togithub.com/golang/protobuf/issues/1584) for details.
### [`v1.31.0`](https://togithub.com/protocolbuffers/protobuf-go/releases/tag/v1.31.0)
[Compare Source](https://togithub.com/protocolbuffers/protobuf-go/compare/v1.30.0...v1.31.0)
##### Notable changes
**New Features**
- [CL/489316](https://go.dev/cl/489316): types/dynamicpb: add NewTypes
- Add a function to construct a dynamic type registry from a protoregistry.Files
- [CL/489615](https://go.dev/cl/489615): encoding: add MarshalAppend to protojson and prototext
**Minor performance improvements**
- [CL/491596](https://go.dev/cl/491596): encoding/protodelim: If UnmarshalFrom gets a bufio.Reader, try to reuse its buffer instead of creating a new one
- [CL/500695](https://go.dev/cl/500695): proto: store the size of tag to avoid multiple calculations
**Bug fixes**
- [CL/497935](https://go.dev/cl/497935): internal/order: fix sorting of synthetic oneofs to be deterministic
- [CL/505555](https://go.dev/cl/505555): encoding/protodelim: fix handling of io.EOF
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Never, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
[ ] If you want to rebase/retry this PR, check this box
This PR has been generated by Mend Renovate. View repository job log here.
This PR contains the following updates:
v1.30.0->v1.33.0GitHub Vulnerability Alerts
CVE-2024-24786
The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.
Release Notes
protocolbuffers/protobuf-go (google.golang.org/protobuf)
### [`v1.33.0`](https://togithub.com/protocolbuffers/protobuf-go/compare/v1.32.0...v1.33.0) [Compare Source](https://togithub.com/protocolbuffers/protobuf-go/compare/v1.32.0...v1.33.0) ### [`v1.32.0`](https://togithub.com/protocolbuffers/protobuf-go/releases/tag/v1.32.0) [Compare Source](https://togithub.com/protocolbuffers/protobuf-go/compare/v1.31.0...v1.32.0) **Full Changelog**: https://github.com/protocolbuffers/protobuf-go/compare/v1.31.0...v1.32.0 This release contains commit https://github.com/protocolbuffers/protobuf-go/commit/bfcd6476a38e41247d6bb43dc8f00b23ec9fffc2, which fixes a denial of service vulnerability by preventing a stack overflow through a default maximum recursion limit. See [https://github.com/golang/protobuf/issues/1583](https://togithub.com/golang/protobuf/issues/1583) and [https://github.com/golang/protobuf/issues/1584](https://togithub.com/golang/protobuf/issues/1584) for details. ### [`v1.31.0`](https://togithub.com/protocolbuffers/protobuf-go/releases/tag/v1.31.0) [Compare Source](https://togithub.com/protocolbuffers/protobuf-go/compare/v1.30.0...v1.31.0) ##### Notable changes **New Features** - [CL/489316](https://go.dev/cl/489316): types/dynamicpb: add NewTypes - Add a function to construct a dynamic type registry from a protoregistry.Files - [CL/489615](https://go.dev/cl/489615): encoding: add MarshalAppend to protojson and prototext **Minor performance improvements** - [CL/491596](https://go.dev/cl/491596): encoding/protodelim: If UnmarshalFrom gets a bufio.Reader, try to reuse its buffer instead of creating a new one - [CL/500695](https://go.dev/cl/500695): proto: store the size of tag to avoid multiple calculations **Bug fixes** - [CL/497935](https://go.dev/cl/497935): internal/order: fix sorting of synthetic oneofs to be deterministic - [CL/505555](https://go.dev/cl/505555): encoding/protodelim: fix handling of io.EOFConfiguration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Never, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.