SQL injection can occur when all of the following conditions are met:
The non-default simple protocol is used.
A placeholder for a numeric value must be immediately preceded by a minus.
There must be a second placeholder for a string value after the first placeholder; both must be on the same line.
Both parameter values must be user-controlled.
Thanks to Paul Gerste for reporting this issue.
Fix CVE-2024-27304
SQL injection can occur if an attacker can cause a single query or bind message to exceed 4 GB in size. An integer overflow in the calculated message size can cause the one large message to be sent as multiple messages under the attacker's control.
Thanks to Paul Gerste for reporting this issue.
Fix *dbTx.Exec not checking if it is already closed
4.18.1 (February 27, 2023)
Fix: Support pgx v4 and v5 stdlib in same program (Tomáš Procházka)
4.18.0 (February 11, 2023)
Upgrade pgconn to v1.14.0
Upgrade pgproto3 to v2.3.2
Upgrade pgtype to v1.14.0
Fix query sanitizer when query text contains Unicode replacement character
Fix context with value in BeforeConnect (David Harju)
Support pgx v4 and v5 stdlib in same program (Vitalii Solodilov)
server: prohibit more than MaxConcurrentStreams handlers from running at once (CVE-2023-44487)
In addition to this change, applications should ensure they do not leave running tasks behind related to the RPC before returning from method handlers, or should enforce appropriate limits on any such work.
Release 1.56.2
status: To fix a panic, status.FromError now returns an error with codes.Unknown when the error implements the GRPCStatus() method, and calling GRPCStatus() returns nil. (#6374)
Release 1.56.1
client: handle empty address lists correctly in addrConn.updateAddrs
Release 1.56.0
New Features
client: support channel idleness using WithIdleTimeout dial option (#6263)
This feature is currently disabled by default, but will be enabled with a 30 minute default in the future.
client: when using pickfirst, keep channel state in TRANSIENT_FAILURE until it becomes READY (gRFC A62) (#6306)
xds: Add support for Custom LB Policies (gRFC A52) (#6224)
orca: fix a race at startup of out-of-band metric subscriptions that would cause the report interval to request 0 (#6245)
xds/xdsresource: Fix Outlier Detection Config Handling and correctly set xDS Defaults (#6361)
xds/outlierdetection: Fix Outlier Detection Config Handling by setting defaults in ParseConfig() (#6361)
API Changes
orca: allow a ServerMetricsProvider to be passed to the ORCA service and ServerOption (#6223)
Release 1.55.1
status: To fix a panic, status.FromError now returns an error with codes.Unknown when the error implements the GRPCStatus() method, and calling GRPCStatus() returns nil. (#6374)
Upgrade dependencies of the OpenTelemetry Go Metric SDK to use the new v0.32.2 release
Avoid getting a new Tracer for every RPC in go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc. (#2835)
Conditionally compute message size for tracing events using proto v2 API rather than legacy v1 API in go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc. (#2647)
Deprecated
The Inject function in go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc is deprecated. (#2838)
The Extract function in go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc is deprecated. (#2838)
Release v0.36.1
Changed
Upgrade dependencies of the OpenTelemetry Go Metric SDK to use the new v0.32.1 release.
Add gcp.gce.instance.name and gcp.gce.instance.hostname resource attributes to go.opentelemetry.io/contrib/detectors/gcp. (#4263)
Changed
The semantic conventions used by go.opentelemetry.io/contrib/detectors/aws/ec2 have been upgraded to v1.21.0. (#4265)
The semantic conventions used by go.opentelemetry.io/contrib/detectors/aws/ecs have been upgraded to v1.21.0. (#4265)
The semantic conventions used by go.opentelemetry.io/contrib/detectors/aws/eks have been upgraded to v1.21.0. (#4265)
The semantic conventions used by go.opentelemetry.io/contrib/detectors/aws/lambda have been upgraded to v1.21.0. (#4265)
The semantic conventions used by go.opentelemetry.io/contrib/instrumentation/github.com/aws/aws-lambda-go/otellambda have been upgraded to v1.21.0. (#4265)
The faas.execution attribute is now faas.invocation_id.
The faas.id attribute is now aws.lambda.invoked_arn.
The semantic conventions used by go.opentelemetry.io/contrib/instrumentation/github.com/aws/aws-sdk-go-v2/otelaws have been upgraded to v1.21.0. (#4265)
The http.request.method attribute will only allow known HTTP methods from the metrics generated by go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp. (#4277)
Removed
The high cardinality attributes net.sock.peer.addr, net.sock.peer.port, http.user_agent, enduser.id, and http.client_ip were removed from the metrics generated by go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp. (#4277)
The deprecated go.opentelemetry.io/contrib/instrumentation/github.com/astaxie/beego/otelbeego module is removed. (#4295)
The deprecated go.opentelemetry.io/contrib/instrumentation/github.com/go-kit/kit/otelkit module is removed. (#4295)
The deprecated go.opentelemetry.io/contrib/instrumentation/github.com/Shopify/sarama/otelsarama module is removed. (#4295)
The deprecated go.opentelemetry.io/contrib/instrumentation/github.com/bradfitz/gomemcache/memcache/otelmemcache module is removed. (#4295)
The deprecated go.opentelemetry.io/contrib/instrumentation/github.com/gocql/gocql/otelgocql module is removed. (#4295)
[1.18.0/0.43.0/0.12.0] - 2023-08-28
Added
Add NewMiddleware function in go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp. (#2964)
The go.opentelemetry.io/contrib/exporters/autoexport package to provide configuration of trace exporters with useful defaults and environment variable support. (#2753, #4100, #4130, #4132, #4134)
WithRouteTag in go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp adds HTTP route attribute to metrics. (#615)
Add WithSpanOptions option in go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc. (#3768)
Add WithFilter option to go.opentelemetry.io/contrib/instrumentation/github.com/gorilla/mux/otelmux. (#4230)
Changed
Change interceptors in go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc to disable SENT/RECEIVED events. Use WithMessageEvents() to turn back on. (#3964)
Changed
go.opentelemetry.io/contrib/detectors/gcp: Detect faas.instance instead of faas.id, since faas.id is being removed. (#4198)
Fixed
AWS XRay Remote Sampling to cap quotaBalance to 1x quota in go.opentelemetry.io/contrib/samplers/aws/xray. (#3651, #3652)
Bumps the go_modules group with 1 update in the /api3 directory: golang.org/x/crypto.
Bumps the go_modules group with 4 updates in the /backend directory: golang.org/x/crypto, github.com/docker/docker, github.com/jackc/pgx/v4 and google.golang.org/grpc.
Bumps the go_modules group with 1 update in the /plugins/api directory: golang.org/x/net.
Bumps the go_modules group with 1 update in the /plugins/common directory: golang.org/x/net.
Bumps the go_modules group with 2 updates in the /plugins/gateway/kong directory: golang.org/x/net and google.golang.org/protobuf.
Bumps the go_modules group with 3 updates in the /plugins/otel-collector/apiclarityexporter directory: golang.org/x/net, google.golang.org/grpc and go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp.
Bumps the go_modules group with 2 updates in the /plugins/taper directory: golang.org/x/net and google.golang.org/grpc.
Bumps the go_modules group with 1 update in the /plugins/taper/extensions/http directory: golang.org/x/net.
Updates golang.org/x/crypto from 0.1.0 to 0.17.0
Commits
9d2ee97 ssh: implement strict KEX protocol changes
4e5a261 ssh: close net.Conn on all NewServerConn errors
152cdb1 x509roots/fallback: update bundle
fdfe1f8 ssh: defer channel window adjustment
b8ffc16 blake2b: drop Go 1.6, Go 1.8 compatibility
7e6fbd8 ssh: wrap errors from client handshake
bda2f3f argon2: avoid clobbering BP
325b735 ssh/test: skip TestSSHCLIAuth on Windows
1eadac5 go.mod: update golang.org/x dependencies
b2d7c26 ssh: add (*Client).DialContext method
Updates golang.org/x/net from 0.2.0 to 0.10.0
Commits
Updates golang.org/x/sys from 0.2.0 to 0.15.0
Commits
13b15b7 unix: add IoctlLoopConfigure on linux
11eadc0 windows: add AddDllDirectory and RemoveDllDirectory
e4099bf unix: fix trimmed socket opt string in GetsockoptString
9888904 unix: update BPF constants for Linux kernel 6.6
2d0c736 unix: use fchmodat2 in Fchmodat
ec230da unix: use fcntl(2) libc stub on OpenBSD
cb378ae syscall: call getfsstat via libc on openbsd
661d749 unix: use libc stubs for OpenBSD pledge+unveil
1168e25 unix/linux: update Linux kernel to v6.6
249e16f unix: require minimum OpenBSD 6.4 for pledge, unveil
Updates golang.org/x/text from 0.4.0 to 0.14.0
Commits
6c97a16 all: update go directive to 1.18
f488e19 unicode/norm: fix function name on comment
fb697c0 cmd/gotext: actually use -dir flag
f3e69ed cmd/gotext: fix misbehaviors
ab07ad1 all: remove repetitive words
e503480 encoding/japanese, language: shorten very long sub-test names
2df65d7 all: regenerate for Unicode 15.0.0
e3c038a all: prepare for Unicode 15.0.0
3a7a255 internal/export/idna: make more space for mapping index
d61dd50 go.mod: delete repeated "indirect"
Updates github.com/docker/docker from 20.10.14+incompatible to 20.10.27+incompatible
Release notes
Sourced from github.com/docker/docker's releases.
... (truncated)
Commits
81ebe71 Merge pull request from GHSA-jq35-85cj-fj4p
fb63665 Merge pull request #46705 from thaJeztah/20.10_backport_atomic-layer-data-write
b967d89 Merge pull request #46692 from corhere/backport-20.10/update-x-net-v0.17
2c22bd5 vendor: golang.org/x/net v0.17.0
d862c21 Update to go1.20.10
cb47414 Merge pull request #46696 from corhere/backport-20.10/go1.20-enablement
ea4eb73 Merge pull request #46695 from corhere/backport-20.10/safer-fileinfo
6c523aa hack: fix suppressing Xattrs lint errors
31b8374 pkg/archive: audit gosec file-traversal lints
8e44855 Remove local fork of archive/tar package
Updates github.com/jackc/pgx/v4 from 4.17.2 to 4.18.2
Changelog
Sourced from github.com/jackc/pgx/v4's changelog.
Commits
14690df Update changelog
779548e Update required Go version to 1.17
80e9662 Update github.com/jackc/pgconn to v1.14.3
0bf9ac3 Fix erroneous test case
f94eb0e Always wrap arguments in parentheses in the SQL sanitizer
826a892 Fix SQL injection via line comment creation in simple protocol
7d882f9 Fix *dbTx.Exec not checking if it is already closed
1d07b8b go mod tidy
13468eb Release v4.18.1
7fed69b simplify duplicate pgx registration guard
Updates google.golang.org/grpc from 1.43.0 to 1.56.3
Release notes
Sourced from google.golang.org/grpc's releases.
... (truncated)
Commits
1055b48 Update version.go to 1.56.3 (#6713)
5efd7bd server: prohibit more than MaxConcurrentStreams handlers from running at once...
bd1f038 Upgrade version.go to 1.56.3-dev (#6434)
faab873 Update version.go to v1.56.2 (#6432)
6b0b291 status: fix panic when servers return a wrapped error with status OK (#6374) ...
ed56401 [PSM interop] Don't fail target if sub-target already failed (#6390) (#6405)
cd6a794 Update version.go to v1.56.2-dev (#6387)
5b67e5e Update version.go to v1.56.1 (#6386)
d0f5150 client: handle empty address lists correctly in addrConn.updateAddrs (#6354) ...
997c1ea Change version to 1.56.1-dev (#6345)
Updates google.golang.org/protobuf from 1.28.1 to 1.30.0
Updates golang.org/x/net from 0.0.0-20211101193420-4a448f8816b3 to 0.17.0
Commits
Updates golang.org/x/sys from 0.0.0-20210423082822-04245dca01da to 0.13.0
Commits
Updates golang.org/x/text from 0.3.7 to 0.13.0
Commits
Updates golang.org/x/net from 0.0.0-20211112202133-69e39bad7dc2 to 0.17.0
Commits
Updates golang.org/x/sys from 0.0.0-20210615035016-665e8c7367d1 to 0.13.0
Commits
Updates golang.org/x/text from 0.3.7 to 0.13.0
Commits
Updates google.golang.org/protobuf from 1.28.0 to 1.33.0
Updates golang.org/x/net from 0.0.0-20220225172249-27dd8689420f to 0.17.0
Commits
Updates golang.org/x/sys from 0.0.0-20220808155132-1c4a2a72c664 to 0.13.0
Commits
Updates golang.org/x/text from 0.3.7 to 0.13.0
Commits
Updates google.golang.org/grpc from 1.49.0 to 1.56.3
Release notes
Sourced from google.golang.org/grpc's releases.
... (truncated)
Commits
Updates google.golang.org/protobuf from 1.28.1 to 1.30.0
Updates go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp from 0.36.0 to 0.44.0
Release notes
Sourced from go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp's releases.
Changelog
Sourced from go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp's changelog.
... (truncated)
Commits
fdfa6e3 Release v1.19.0/v0.44.0/v0.13.0 (#4299)
aea7540 build(deps): bump github.com/aws/aws-sdk-go in /detectors/aws/ec2 (#4297)
7e88614 Remove otelbeego, otelkit, otelsarama, otelmemcache, otelgocql (#4295)
14f153e build(deps): bump actions/checkout from 3 to 4 (#4291)
01c596d dependabot updates Mon Sep 11 05:08:50 UTC 2023 (#4294)
50ca48f Remove high cardinality metrics from otelhttp (#4277)
b6fc62f Update go versions used in workflow (#4278)
7a8f53c Add new gcp host attributes (#4263)
aab5f49 [mux] Add request filters like otelhttp (#4230)
3ad5a2c Deprecate otelmemcache, otelgocql (#4164)
Updates golang.org/x/net from 0.0.0-20211101193420-4a448f8816b3 to 0.17.0
Commits
Updates golang.org/x/sys from 0.0.0-20211025201205-69cdffdb9359 to 0.13.0
Commits
Updates golang.org/x/text from 0.3.7 to 0.13.0
Commits