search

securitybunker / databunker

Secure Vault for Customer PII/PHI/PCI/KYC Records
https://databunker.org/
MIT License
1.26k stars 73 forks source link

Bump go.mongodb.org/mongo-driver from 1.3.0 to 1.5.1 in /src #4

Closed dependabot[bot] closed 3 years ago

dependabot[bot] commented 3 years ago

Bumps go.mongodb.org/mongo-driver from 1.3.0 to 1.5.1.

Release notes

Sourced from go.mongodb.org/mongo-driver's releases.

MongoDB Go Driver 1.5.1

The MongoDB Go driver team is pleased to release 1.5.1 of the official Go driver.

This release contains several bug fixes. Due to the issue below, we recommend all users upgrade to this version of the driver.

Documentation can be found on pkg.go.dev and the MongoDB documentation site. BSON library documentation is also available on pkg.go.dev. Questions and inquiries can be asked on the MongoDB Developer Community. Bugs can be reported in the Go Driver Jira where a list of current issues can be found.

This CVE describes a security issue with the driver's BSON marshalling system. BSON marshalling functions would incorrectly handle null bytes embedded in BSON key names and the pattern/options fields of a BSON regex value. BSON marshalling functions now correctly validate and error if there is an embedded null byte in BSON key names or the pattern/options fields of a BSON regex value. We recommend all users of the driver upgrade to this version.

CVE ID: CVE-2021-20329 Title: Specific cstrings input may not be properly validated in the MongoDB Go Driver Description: Specific cstrings input may not be properly validated in the MongoDB Go Driver when marshalling Go objects into BSON. A malicious user could use a Go object with specific string to potentially inject additional fields into marshalled documents. This issue affects all MongoDB GO Drivers up to (and including) 1.5.0. CVSS score: 6.8 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N Affected products and versions, MongoDB Go Driver versions <= 1.5.0 Underlying operating systems affected: All

For a full list of tickets included in this release, please see the links below:

Bugs

Tasks

MongoDB Go Driver 1.5.0

The MongoDB Go driver team is pleased to release 1.5.0 of the official Go driver.

This release contains several new features and usability improvements for the driver.

Documentation can be found on pkg.go.dev and the MongoDB documentation site. BSON library documentation is also available on pkg.go.dev. Questions and inquiries can be asked on the MongoDB Developer Community. Bugs can be reported in the Go Driver Jira where a list of current issues can be found.

This release contains a new errors API for the primary mongo package. Users can now detect duplicate key errors, timeouts, and network errors via the mongo.IsDuplicateKeyError, mongo.IsTimeout, and mongo.IsNetworkError functions, respectively. Additionally, a new UpdateByID function has been added to the mongo.Collection type to update a single document with a given _id value.

The Go Driver now supports using GCP and Azure key management services with the client-side field level encryption feature. In addition, AWS key management support has been enhanced to allow authenticating with temporary AWS credentials. See the MongoDB docs for more information about these improvements. Use of client-side field level encryption requires users to install the latest released version of libmongocrypt. Note: This means that existing applications that use this feature will need to upgrade the libmongocrypt dependency when upgrading to this driver version; otherwise, the application will fail to compile. Users can upgrade to the latest development release of libmongocrypt via the OS-specific instructions for macos, Windows, and Linux.

Monitoring has now been added for various server events. A ServerMonitor set on a mongo.Client monitors changes on the MongoDB deployment it is connected to and reports the changes in the client's representation of the deployment.

The driver will now error if a map with more than one key is used as a hint option, sort option, or for index creation. This is to prevent unexpected behavior, for example, an index being created with the keys in the wrong order.

... (truncated)

Commits
  • 40c0e70 Update version to v1.5.1
  • 3a89e6c GODRIVER-1923 Error if BSON cstrings contain null bytes (#622)
  • 1a2534c GODRIVER-1935 Update scram/stringprep dependencies (#624)
  • 6ea353a GODRIVER-1918 Check for zero length in readstring (#613)
  • d5e11aa GODRIVER-1919 Support decoding ObjectIDs from hex strings in BSON (#610)
  • e0ed6d6 Update version to v1.5.1+prerelease
  • 6760875 Update version to v1.5.0
  • 19a368c GODRIVER-1911 Fix Windows/macos test failures for CSFLE (#603)
  • 2a5f9a4 GODRIVER-1879 Apply connectTimeoutMS to TLS handshake (#594)
  • 2c5b75b GODRIVER-1855 Support AWS authentication with temporary credentials in CSFLE ...
  • Additional commits viewable in compare view


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/securitybunker/databunker/network/alerts).
CLAassistant commented 3 years ago

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

dependabot[bot] commented 3 years ago

Looks like go.mongodb.org/mongo-driver is up-to-date now, so this is no longer needed.