vendor: github.com/docker/docker 70e46f2c7c2d (v26.0.0-rc3-dev) #4944

Merged
merged 3 commits into from
Mar 19, 2024

Commits on Mar 16, 2024

  1. vendor: github.com/containerd/containerd v1.7.14

    no changes in vendored files, but now requires go1.21
    
    full diff: containerd/containerd@v1.7.13...v1.7.14
    
    Signed-off-by: Sebastiaan van Stijn <[email protected]>
    thaJeztah committed Mar 16, 2024
    115c8d5
  2. vendor: google.golang.org/protobuf v1.33.0, github.com/golang/protobuf v1.5.4
    
    full diffs:
    
    - protocolbuffers/protobuf-go@v1.31.0...v1.33.0
    - golang/protobuf@v1.5.3...v1.5.4
    
    From the Go security announcement list;
    
    > Version v1.33.0 of the google.golang.org/protobuf module fixes a bug in
    > the google.golang.org/protobuf/encoding/protojson package which could cause
    > the Unmarshal function to enter an infinite loop when handling some invalid
    > inputs.
    >
    > This condition could only occur when unmarshaling into a message which contains
    > a google.protobuf.Any value, or when the UnmarshalOptions.UnmarshalUnknown
    > option is set. Unmarshal now correctly returns an error when handling these
    > inputs.
    >
    > This is CVE-2024-24786.
    
    In a follow-up post;
    
    > A small correction: This vulnerability applies when the UnmarshalOptions.DiscardUnknown
    > option is set (as well as when unmarshaling into any message which contains a
    > google.protobuf.Any). There is no UnmarshalUnknown option.
    >
    > In addition, version 1.33.0 of google.golang.org/protobuf inadvertently
    > introduced an incompatibility with the older github.com/golang/protobuf
    > module. (golang/protobuf#1596) Users of the older
    > module should update to github.com/golang/protobuf@v1.5.4.
    
    govulncheck results in our code show that this does not affect the CLI:
    
        govulncheck ./...
        Scanning your code and 448 packages across 72 dependent modules for known vulnerabilities...
    
        === Symbol Results ===
    
        No vulnerabilities found.
    
        Your code is affected by 0 vulnerabilities.
        This scan also found 1 vulnerability in packages you import and 0
        vulnerabilities in modules you require, but your code doesn't appear to call
        these vulnerabilities.
        Use '-show verbose' for more details.
    
    Signed-off-by: Sebastiaan van Stijn <[email protected]>
    thaJeztah committed Mar 16, 2024
    a4a79d7
  3. 38c3ff6
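
The second commit's message gives two version floors: google.golang.org/protobuf v1.33.0 for the CVE-2024-24786 fix, and github.com/golang/protobuf v1.5.4 for compatibility with it. The following is an added example, not code from this pull request or from the Docker CLI, showing a dependency-pin check that complements the symbol-level govulncheck scan. The names `minimums`, `below` and `CheckGoMod` are hypothetical, and the go.mod text in `main` is constructed.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Version floors from the commit message; all names in this file are illustrative.
var minimums = map[string][3]int{
	"google.golang.org/protobuf": {1, 33, 0}, // fixes CVE-2024-24786
	"github.com/golang/protobuf": {1, 5, 4},  // compatible with protobuf-go v1.33.0
}

// below reports whether v sorts before want; unparseable versions are flagged too.
func below(v string, want [3]int) bool {
	s, _, _ := strings.Cut(strings.TrimPrefix(v, "v"), "+") // drop build metadata
	core, _, pre := strings.Cut(s, "-")                     // pre-release or pseudo-version
	parts := strings.Split(core, ".")
	if len(parts) != 3 {
		return true
	}
	for i, p := range parts {
		if n, err := strconv.Atoi(p); err != nil || n != want[i] {
			return err != nil || n < want[i]
		}
	}
	return pre // same core: a pre-release sorts before the release
}

// CheckGoMod scans go.mod text and lists tracked modules pinned below their floor.
func CheckGoMod(gomod string) []string {
	var findings []string
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) < 2 {
			continue
		}
		if want, ok := minimums[f[0]]; ok && below(f[1], want) {
			findings = append(findings, f[0]+" "+f[1])
		}
	}
	return findings
}

func main() {
	// Constructed go.mod fragment: only the older golang/protobuf pin is reported.
	fmt.Println(CheckGoMod("require (\n\tgoogle.golang.org/protobuf v1.33.0\n\tgithub.com/golang/protobuf v1.5.3 // indirect\n)"))
}
```

A pin check like this flags the module version regardless of whether the affected function is reachable, so a hit here alongside a clean govulncheck symbol result is expected.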