chore: go vuln #1283
Merged
chore: go vuln #1283
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
evan-forbes
added
the
T:dependencies
evan-forbes
requested review from
cmwaters,
staheri14,
rach-id,
ninabarbakadze and
rootulp
as code owners
|
I've seen you have been forced to update every Golang security patch in the core app repo. Why is this necessary? I haven't seen other projects doing this. We may adopt that in the node if there is a good reason, but considering that anyone can compile an app on v1.22 with v1.22.2 binary locally and gain all the security gains, I am not sure that's worth the maintenance overhead |
|
I don't think we are actually calling the bad code anywhere, the ci was just failing tho. We could fix the ci too |
rootulp
approved these changes
Apr 4, 2024
mergify bot
pushed a commit
that referenced
this pull request
Apr 4, 2024
## Description bumping the go version cause apparently there was a vulnerability (cherry picked from commit abc5163) # Conflicts: # .github/workflows/check-generated.yml # .github/workflows/coverage.yml # .github/workflows/e2e-manual.yml # .github/workflows/e2e-nightly-34x.yml # .github/workflows/e2e.yml # .github/workflows/fuzz-nightly.yml # .github/workflows/govulncheck.yml # .github/workflows/pre-release.yml # .github/workflows/release-version.yml # .github/workflows/release.yml # .github/workflows/tests.yml # DOCKER/Dockerfile # README.md # go.mod # go.sum # scripts/proto-gen.sh # test/docker/Dockerfile # test/e2e/docker/Dockerfile
rootulp
added a commit
that referenced
this pull request
Apr 5, 2024
## Description bumping the go version cause apparently there was a vulnerability <hr>This is an automatic backport of pull request #1283 done by [Mergify](https://mergify.com). --------- Co-authored-by: Evan Forbes <42654277+evan-forbes@users.noreply.github.com> Co-authored-by: Rootul Patel <rootulp@gmail.com>
evan-forbes
added a commit
that referenced
this pull request
Apr 5, 2024
bumping the go version cause apparently there was a vulnerability
evan-forbes
pushed a commit
that referenced
this pull request
Apr 5, 2024
Fixes - #1163 we've had some back and forth re this feature, and have decided to implement this simple rpc endpoint as an interim solution while we figure out and design an efficient way of querying transaction status during its life cycle. --------- build(deps): Bump pillow from 10.2.0 to 10.3.0 in /scripts/qa/reporting (#1282) Bumps [pillow](https://github.com/python-pillow/Pillow) from 10.2.0 to 10.3.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/python-pillow/Pillow/releases">pillow's releases</a>.</em></p> <blockquote> <h2>10.3.0</h2> <p><a href="https://pillow.readthedocs.io/en/stable/releasenotes/10.3.0.html">https://pillow.readthedocs.io/en/stable/releasenotes/10.3.0.html</a></p> <h2>Changes</h2> <ul> <li>CVE-2024-28219: Use strncpy to avoid buffer overflow <a href="https://github.com/python-pillow/Pillow/issues/7928">#7928</a> [<a href="https://github.com/hugovk"><code>@hugovk</code></a>]</li> <li>Use <code>functools.lru_cache</code> for <code>hopper()</code> <a href="https://github.com/python-pillow/Pillow/issues/7912">#7912</a> [<a href="https://github.com/hugovk"><code>@hugovk</code></a>]</li> <li>Raise ValueError if seeking to greater than offset-sized integer in TIFF <a href="https://github.com/python-pillow/Pillow/issues/7883">#7883</a> [<a href="https://github.com/radarhere"><code>@radarhere</code></a>]</li> <li>Improve speed of loading QOI images <a href="https://github.com/python-pillow/Pillow/issues/7925">#7925</a> [<a href="https://github.com/radarhere"><code>@radarhere</code></a>]</li> <li>Added RGB to I;16N conversion <a href="https://github.com/python-pillow/Pillow/issues/7920">#7920</a> [<a href="https://github.com/radarhere"><code>@radarhere</code></a>]</li> <li>Add --report argument to <strong>main</strong>.py to omit supported formats <a href="https://github.com/python-pillow/Pillow/issues/7818">#7818</a> [<a href="https://github.com/nulano"><code>@nulano</code></a>]</li> <li>Added RGB to I;16, I;16L and I;16B conversion <a href="https://github.com/python-pillow/Pillow/issues/7918">#7918</a> [<a href="https://github.com/radarhere"><code>@radarhere</code></a>]</li> <li>Fix editable installation with custom build backend and configuration options <a href="https://github.com/python-pillow/Pillow/issues/7658">#7658</a> [<a href="https://github.com/nulano"><code>@nulano</code></a>]</li> <li>Fix putdata() for I;16N on big-endian <a href="https://github.com/python-pillow/Pillow/issues/7209">#7209</a> [<a href="https://github.com/Yay295"><code>@Yay295</code></a>]</li> <li>Determine MPO size from markers, not EXIF data <a href="https://github.com/python-pillow/Pillow/issues/7884">#7884</a> [<a href="https://github.com/radarhere"><code>@radarhere</code></a>]</li> <li>Improved conversion from RGB to RGBa, LA and La <a href="https://github.com/python-pillow/Pillow/issues/7888">#7888</a> [<a href="https://github.com/radarhere"><code>@radarhere</code></a>]</li> <li>Support FITS images with GZIP_1 compression <a href="https://github.com/python-pillow/Pillow/issues/7894">#7894</a> [<a href="https://github.com/radarhere"><code>@radarhere</code></a>]</li> <li>Use I;16 mode for 9-bit JPEG 2000 images <a href="https://github.com/python-pillow/Pillow/issues/7900">#7900</a> [<a href="https://github.com/scaramallion"><code>@scaramallion</code></a>]</li> <li>Raise ValueError if kmeans is negative <a href="https://github.com/python-pillow/Pillow/issues/7891">#7891</a> [<a href="https://github.com/radarhere"><code>@radarhere</code></a>]</li> <li>Remove TIFF tag OSUBFILETYPE when saving using libtiff <a href="https://github.com/python-pillow/Pillow/issues/7893">#7893</a> [<a href="https://github.com/radarhere"><code>@radarhere</code></a>]</li> <li>Raise ValueError for negative values when loading P1-P3 PPM images <a href="https://github.com/python-pillow/Pillow/issues/7882">#7882</a> [<a href="https://github.com/radarhere"><code>@radarhere</code></a>]</li> <li>Added reading of JPEG2000 palettes <a href="https://github.com/python-pillow/Pillow/issues/7870">#7870</a> [<a href="https://github.com/radarhere"><code>@radarhere</code></a>]</li> <li>Added alpha_quality argument when saving WebP images <a href="https://github.com/python-pillow/Pillow/issues/7872">#7872</a> [<a href="https://github.com/radarhere"><code>@radarhere</code></a>]</li> <li>Fixed joined corners for ImageDraw rounded_rectangle() non-integer dimensions <a href="https://github.com/python-pillow/Pillow/issues/7881">#7881</a> [<a href="https://github.com/radarhere"><code>@radarhere</code></a>]</li> <li>Removed Python and NumPy pinning on Cygwin <a href="https://github.com/python-pillow/Pillow/issues/7880">#7880</a> [<a href="https://github.com/radarhere"><code>@radarhere</code></a>]</li> <li>Update UnidentifiedImageError and <strong>version</strong> imports <a href="https://github.com/python-pillow/Pillow/issues/7644">#7644</a> [<a href="https://github.com/radarhere"><code>@radarhere</code></a>]</li> <li>Stop reading EPS image at EOF marker <a href="https://github.com/python-pillow/Pillow/issues/7753">#7753</a> [<a href="https://github.com/radarhere"><code>@radarhere</code></a>]</li> <li>PSD layer co-ordinates may be negative <a href="https://github.com/python-pillow/Pillow/issues/7706">#7706</a> [<a href="https://github.com/radarhere"><code>@radarhere</code></a>]</li> <li>Use subprocess with CREATE_NO_WINDOW flag in ImageShow WindowsViewer <a href="https://github.com/python-pillow/Pillow/issues/7791">#7791</a> [<a href="https://github.com/radarhere"><code>@radarhere</code></a>]</li> <li>When saving GIF frame that restores to background color, do not fill identical pixels <a href="https://github.com/python-pillow/Pillow/issues/7788">#7788</a> [<a href="https://github.com/radarhere"><code>@radarhere</code></a>]</li> <li>Fixed reading PNG iCCP compression method <a href="https://github.com/python-pillow/Pillow/issues/7823">#7823</a> [<a href="https://github.com/radarhere"><code>@radarhere</code></a>]</li> <li>Allow writing IFDRational to UNDEFINED tag <a href="https://github.com/python-pillow/Pillow/issues/7840">#7840</a> [<a href="https://github.com/radarhere"><code>@radarhere</code></a>]</li> <li>Fix logged tag name when loading Exif data <a href="https://github.com/python-pillow/Pillow/issues/7842">#7842</a> [<a href="https://github.com/radarhere"><code>@radarhere</code></a>]</li> <li>Use maximum frame size in IHDR chunk when saving APNG images <a href="https://github.com/python-pillow/Pillow/issues/7821">#7821</a> [<a href="https://github.com/radarhere"><code>@radarhere</code></a>]</li> <li>Prevent opening P TGA images without a palette <a href="https://github.com/python-pillow/Pillow/issues/7797">#7797</a> [<a href="https://github.com/radarhere"><code>@radarhere</code></a>]</li> <li>Use palette when loading ICO images <a href="https://github.com/python-pillow/Pillow/issues/7798">#7798</a> [<a href="https://github.com/radarhere"><code>@radarhere</code></a>]</li> <li>Use consistent arguments for load_read and load_seek <a href="https://github.com/python-pillow/Pillow/issues/7713">#7713</a> [<a href="https://github.com/radarhere"><code>@radarhere</code></a>]</li> <li>Turn off nullability warnings for macOS SDK <a href="https://github.com/python-pillow/Pillow/issues/7827">#7827</a> [<a href="https://github.com/radarhere"><code>@radarhere</code></a>]</li> <li>Fix shift-sign issue in Convert.c <a href="https://github.com/python-pillow/Pillow/issues/7838">#7838</a> [<a href="https://github.com/r-barnes"><code>@r-barnes</code></a>]</li> <li>winbuild: Refactor dependency versions into constants <a href="https://github.com/python-pillow/Pillow/issues/7843">#7843</a> [<a href="https://github.com/hugovk"><code>@hugovk</code></a>]</li> <li>Build macOS arm64 wheels natively <a href="https://github.com/python-pillow/Pillow/issues/7852">#7852</a> [<a href="https://github.com/radarhere"><code>@radarhere</code></a>]</li> <li>Fixed typo <a href="https://github.com/python-pillow/Pillow/issues/7855">#7855</a> [<a href="https://github.com/radarhere"><code>@radarhere</code></a>]</li> <li>Open 16-bit grayscale PNGs as I;16 <a href="https://github.com/python-pillow/Pillow/issues/7849">#7849</a> [<a href="https://github.com/radarhere"><code>@radarhere</code></a>]</li> <li>Handle truncated chunks at the end of PNG images <a href="https://github.com/python-pillow/Pillow/issues/7709">#7709</a> [<a href="https://github.com/lajiyuan"><code>@lajiyuan</code></a>]</li> <li>Match mask size to pasted image size in GifImagePlugin <a href="https://github.com/python-pillow/Pillow/issues/7779">#7779</a> [<a href="https://github.com/radarhere"><code>@radarhere</code></a>]</li> <li>Changed SupportsGetMesh protocol to be public <a href="https://github.com/python-pillow/Pillow/issues/7841">#7841</a> [<a href="https://github.com/radarhere"><code>@radarhere</code></a>]</li> <li>Release GIL while calling <code>WebPAnimDecoderGetNext</code> <a href="https://github.com/python-pillow/Pillow/issues/7782">#7782</a> [<a href="https://github.com/evanmiller"><code>@evanmiller</code></a>]</li> <li>Fixed reading FLI/FLC images with a prefix chunk <a href="https://github.com/python-pillow/Pillow/issues/7804">#7804</a> [<a href="https://github.com/twolife"><code>@twolife</code></a>]</li> <li>Updated package name for Tidelift <a href="https://github.com/python-pillow/Pillow/issues/7810">#7810</a> [<a href="https://github.com/radarhere"><code>@radarhere</code></a>]</li> <li>Removed unused code <a href="https://github.com/python-pillow/Pillow/issues/7744">#7744</a> [<a href="https://github.com/radarhere"><code>@radarhere</code></a>]</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/python-pillow/Pillow/blob/main/CHANGES.rst">pillow's changelog</a>.</em></p> <blockquote> <h2>10.3.0 (2024-04-01)</h2> <ul> <li> <p>CVE-2024-28219: Use <code>strncpy</code> to avoid buffer overflow <a href="https://github.com/python-pillow/Pillow/issues/7928">#7928</a> [radarhere, hugovk]</p> </li> <li> <p>Deprecate <code>eval()</code>, replacing it with <code>lambda_eval()</code> and <code>unsafe_eval()</code> <a href="https://github.com/python-pillow/Pillow/issues/7927">#7927</a> [radarhere, hugovk]</p> </li> <li> <p>Raise <code>ValueError</code> if seeking to greater than offset-sized integer in TIFF <a href="https://github.com/python-pillow/Pillow/issues/7883">#7883</a> [radarhere]</p> </li> <li> <p>Add <code>--report</code> argument to <code>__main__.py</code> to omit supported formats <a href="https://github.com/python-pillow/Pillow/issues/7818">#7818</a> [nulano, radarhere, hugovk]</p> </li> <li> <p>Added RGB to I;16, I;16L, I;16B and I;16N conversion <a href="https://github.com/python-pillow/Pillow/issues/7918">#7918</a>, <a href="https://github.com/python-pillow/Pillow/issues/7920">#7920</a> [radarhere]</p> </li> <li> <p>Fix editable installation with custom build backend and configuration options <a href="https://github.com/python-pillow/Pillow/issues/7658">#7658</a> [nulano, radarhere]</p> </li> <li> <p>Fix putdata() for I;16N on big-endian <a href="https://github.com/python-pillow/Pillow/issues/7209">#7209</a> [Yay295, hugovk, radarhere]</p> </li> <li> <p>Determine MPO size from markers, not EXIF data <a href="https://github.com/python-pillow/Pillow/issues/7884">#7884</a> [radarhere]</p> </li> <li> <p>Improved conversion from RGB to RGBa, LA and La <a href="https://github.com/python-pillow/Pillow/issues/7888">#7888</a> [radarhere]</p> </li> <li> <p>Support FITS images with GZIP_1 compression <a href="https://github.com/python-pillow/Pillow/issues/7894">#7894</a> [radarhere]</p> </li> <li> <p>Use I;16 mode for 9-bit JPEG 2000 images <a href="https://github.com/python-pillow/Pillow/issues/7900">#7900</a> [scaramallion, radarhere]</p> </li> <li> <p>Raise ValueError if kmeans is negative <a href="https://github.com/python-pillow/Pillow/issues/7891">#7891</a> [radarhere]</p> </li> <li> <p>Remove TIFF tag OSUBFILETYPE when saving using libtiff <a href="https://github.com/python-pillow/Pillow/issues/7893">#7893</a> [radarhere]</p> </li> <li> <p>Raise ValueError for negative values when loading P1-P3 PPM images <a href="https://github.com/python-pillow/Pillow/issues/7882">#7882</a> [radarhere]</p> </li> <li> <p>Added reading of JPEG2000 palettes <a href="https://github.com/python-pillow/Pillow/issues/7870">#7870</a> [radarhere]</p> </li> <li> <p>Added alpha_quality argument when saving WebP images <a href="https://github.com/python-pillow/Pillow/issues/7872">#7872</a> [radarhere]</p> </li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/python-pillow/Pillow/commit/5c89d88eee199ba53f64581ea39b6a1bc52feb1a"><code>5c89d88</code></a> 10.3.0 version bump</li> <li><a href="https://github.com/python-pillow/Pillow/commit/63cbfcfdea2d163ec93bae8d283fcfe4b73b5dc7"><code>63cbfcf</code></a> Update CHANGES.rst [ci skip]</li> <li><a href="https://github.com/python-pillow/Pillow/commit/2776126aa9af322b416eaca247f4f8ebefd08128"><code>2776126</code></a> Merge pull request <a href="https://github.com/python-pillow/Pillow/issues/7928">#7928</a> from python-pillow/lcms</li> <li><a href="https://github.com/python-pillow/Pillow/commit/aeb51cbb169eb3285818ba1390ddf2771d897e6e"><code>aeb51cb</code></a> Merge branch 'main' into lcms</li> <li><a href="https://github.com/python-pillow/Pillow/commit/5beb0b66648db8b542bb5260eed79b25e33d643b"><code>5beb0b6</code></a> Update CHANGES.rst [ci skip]</li> <li><a href="https://github.com/python-pillow/Pillow/commit/cac6ffa7b399ea79b6239984d1307056a0b19af2"><code>cac6ffa</code></a> Merge pull request <a href="https://github.com/python-pillow/Pillow/issues/7927">#7927</a> from python-pillow/imagemath</li> <li><a href="https://github.com/python-pillow/Pillow/commit/f5eeeacf7539eaa0d93a677d7666bc7c142c8d1c"><code>f5eeeac</code></a> Name as 'options' in lambda_eval and unsafe_eval, but '_dict' in deprecated eval</li> <li><a href="https://github.com/python-pillow/Pillow/commit/facf3af93dabcbdd8cdbda8c3b50eefafa3bb04c"><code>facf3af</code></a> Added release notes</li> <li><a href="https://github.com/python-pillow/Pillow/commit/2a93aba5cfcf6e241ab4f9392c13e3b74032c061"><code>2a93aba</code></a> Use strncpy to avoid buffer overflow</li> <li><a href="https://github.com/python-pillow/Pillow/commit/a670597bc30e9d489656fc9d807170b8f3d7ca57"><code>a670597</code></a> Update CHANGES.rst [ci skip]</li> <li>Additional commits viewable in <a href="https://github.com/python-pillow/Pillow/compare/10.2.0...10.3.0">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/celestiaorg/celestia-core/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> chore: go vuln (#1283) bumping the go version cause apparently there was a vulnerability
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
bumping the go version cause apparently there was a vulnerability