canonical / desktop-security-center

GNU General Public License v3.0

fix(deps): update module google.golang.org/protobuf to v1.33.0 [security] - autoclosed #36

Closed renovate[bot] closed 5 months ago

renovate[bot] commented 7 months ago


This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| google.golang.org/protobuf | v1.31.0 -> v1.33.0 | age | adoption | passing | confidence |

GitHub Vulnerability Alerts

CVE-2024-24786

The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.


Release Notes

protocolbuffers/protobuf-go (google.golang.org/protobuf)

### [`v1.33.0`](https://togithub.com/protocolbuffers/protobuf-go/compare/v1.32.0...v1.33.0)

[Compare Source](https://togithub.com/protocolbuffers/protobuf-go/compare/v1.32.0...v1.33.0)

### [`v1.32.0`](https://togithub.com/protocolbuffers/protobuf-go/releases/tag/v1.32.0)

[Compare Source](https://togithub.com/protocolbuffers/protobuf-go/compare/v1.31.0...v1.32.0)

**Full Changelog**: https://github.com/protocolbuffers/protobuf-go/compare/v1.31.0...v1.32.0

This release contains commit https://github.com/protocolbuffers/protobuf-go/commit/bfcd6476a38e41247d6bb43dc8f00b23ec9fffc2, which fixes a denial of service vulnerability by preventing a stack overflow through a default maximum recursion limit. See [https://github.com/golang/protobuf/issues/1583](https://togithub.com/golang/protobuf/issues/1583) and [https://github.com/golang/protobuf/issues/1584](https://togithub.com/golang/protobuf/issues/1584) for details.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Mend Renovate. View repository job log here.

renovate[bot] commented 7 months ago

⚠ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

The artifact failure details are included below:

File name: packages/go.sum
```
Command failed: go get -d -t ./...
go: downloading github.com/godbus/dbus/v5 v5.1.0
go: downloading github.com/stretchr/testify v1.8.4
go: downloading gopkg.in/yaml.v3 v3.0.1
go: downloading github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf
go: downloading github.com/tidwall/gjson v1.17.0
go: downloading google.golang.org/grpc v1.60.1
go: downloading google.golang.org/protobuf v1.33.0
go: downloading github.com/tidwall/match v1.1.1
go: downloading github.com/tidwall/pretty v1.2.0
go: downloading golang.org/x/net v0.16.0
go: downloading google.golang.org/genproto/googleapis/rpc v0.0.0-20231002182017-d307bd883b97
go: downloading github.com/davecgh/go-spew v1.1.1
go: downloading github.com/pmezard/go-difflib v1.0.0
go: downloading golang.org/x/sys v0.13.0
go: downloading github.com/golang/protobuf v1.5.3
go: downloading golang.org/x/text v0.13.0
go: downloading github.com/canonical/desktop-security-center v0.0.0-20240304105927-9780cd75384e
go: github.com/canonical/desktop-security-center/packages/backend imports
    github.com/canonical/desktop-security-center/packages/proto: cannot find module providing package github.com/canonical/desktop-security-center/packages/proto
```
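
Added example, not part of the PR or of Renovate's output: since the artifact update above failed, a reviewer may want to confirm which google.golang.org/protobuf version a go.mod actually pins relative to the CVE-2024-24786 update. It assumes v1.33.0, the version this PR moves to, is the first fixed release; `pinnedVersion`, `belowFixed` and the sample go.mod text are hypothetical names and constructed input.

```go
package main

import (
	"fmt"
	"strings"
)

// Assumption: v1.33.0, the version this PR moves to, is the first fixed release.
var fixed = [3]int{1, 33, 0}

// pinnedVersion returns the version gomod requires for mod (single-line or block form).
func pinnedVersion(gomod, mod string) (string, bool) {
	inBlock := false
	for _, line := range strings.Split(gomod, "\n") {
		line, _, _ = strings.Cut(line, "//") // drop "// indirect" and other comments
		f := strings.Fields(line)
		switch {
		case len(f) == 2 && f[0] == "require" && f[1] == "(":
			inBlock = true
		case len(f) == 1 && f[0] == ")":
			inBlock = false
		case inBlock && len(f) == 2 && f[0] == mod:
			return f[1], true
		case len(f) == 3 && f[0] == "require" && f[1] == mod:
			return f[2], true
		}
	}
	return "", false
}

// belowFixed reports whether v sorts before fixed; a pre-release of fixed counts as older.
func belowFixed(v string) (bool, error) {
	var got [3]int
	if _, err := fmt.Sscanf(v, "v%d.%d.%d", &got[0], &got[1], &got[2]); err != nil {
		return false, fmt.Errorf("unrecognised version %q", v)
	}
	for i := range got {
		if got[i] != fixed[i] {
			return got[i] < fixed[i], nil
		}
	}
	return strings.Contains(v, "-"), nil
}

func main() {
	gomod := "require (\n\tgoogle.golang.org/protobuf v1.31.0 // indirect\n)\n" // constructed sample
	v, found := pinnedVersion(gomod, "google.golang.org/protobuf")
	old, err := belowFixed(v)
	fmt.Println(v, found, old, err)
}
```

A `replace` directive or a Go workspace can override what go.mod requires, so `go list -m google.golang.org/protobuf` run in the module remains the authoritative check.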