Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(deps): update module google.golang.org/protobuf to v1.33.0 [security] (main) #12137

Merged
merged 2 commits into from
Mar 27, 2024
Merged

chore(deps): update module google.golang.org/protobuf to v1.33.0 [security] (main) #12137

merged 2 commits into from
Mar 27, 2024

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Mar 6, 2024
edited
Loading

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
google.golang.org/protobuf v1.28.1 -> v1.33.0 age adoption passing confidence
google.golang.org/protobuf v1.30.0 -> v1.33.0 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2024-24786

The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.

Infinite loop in JSON unmarshaling in google.golang.org/protobuf

CVE-2024-24786 / GHSA-8r3f-844c-mc37 / GO-2024-2611

More information

Details

The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

Golang protojson.Unmarshal function infinite loop when unmarshaling certain forms of invalid JSON

CVE-2024-24786 / GHSA-8r3f-844c-mc37 / GO-2024-2611

More information

Details

The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.

Severity

Moderate

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

protocolbuffers/protobuf-go (google.golang.org/protobuf)

v1.33.0

Compare Source

v1.32.0

Compare Source

Full Changelog: protocolbuffers/protobuf-go@v1.31.0...v1.32.0

This release contains commit protocolbuffers/protobuf-go@bfcd647, which fixes a denial of service vulnerability by preventing a stack overflow through a default maximum recursion limit. See https://github.com/golang/protobuf/issues/1583 and https://github.com/golang/protobuf/issues/1584 for details.

v1.31.0

Compare Source

Notable changes

New Features

  • CL/489316: types/dynamicpb: add NewTypes
    • Add a function to construct a dynamic type registry from a protoregistry.Files
  • CL/489615: encoding: add MarshalAppend to protojson and prototext

Minor performance improvements

  • CL/491596: encoding/protodelim: If UnmarshalFrom gets a bufio.Reader, try to reuse its buffer instead of creating a new one
  • CL/500695: proto: store the size of tag to avoid multiple calculations

Bug fixes

  • CL/497935: internal/order: fix sorting of synthetic oneofs to be deterministic
  • CL/505555: encoding/protodelim: fix handling of io.EOF

v1.30.0

Compare Source

Announcement
In the previous two releases, v1.29.0 and v1.29.1, we associated the tags with the wrong commits and thus the tags do not reference any commit in this repository. This tag, v1.30.0, refers to an existing commit again. Sorry for the inconvenience.

Notable changes

New Features

  • CL/449576: protoadapt: helper functions to convert v1 or v2 message to either v1 or v2 message.

v1.29.1

Compare Source

Notable changes

Bug fixes

  • CL/475995: internal/encoding/text: fix parsing of incomplete numbers

v1.29.0

Compare Source

Overview

This version introduces a new package protodelim to marshal and unmarshal size-delimited messages.
It also brings the implementation up to date with the latest protobuf features.

Notable changes

New Features

  • CL/419254: encoding: add protodelim package
  • CL/450775: reflect/protoreflect: add Value.Equal method
  • CL/462315: cmd/protoc-gen-go: make deprecated messages more descriptive
  • CL/473015: encoding/prototext: allow whitespace and comments between minus sign and number in negative numeric literal

Alignment with protobuf

  • CL/426054: types/descriptorpb: update *.pb.go to use latest protoc release, 21.5
  • CL/425554: encoding/protojson: fix parsing of google.protobuf.Timestamp
  • CL/461238: protobuf: remove the check for reserved field numbers
  • CL/469255: types/descriptorpb: regenerate using latest protobuf v22.0 release
  • CL/472696: cmd/protoc-gen-go: support protobuf retention feature

Documentation improvements:

  • CL/464275: proto: document Equal behavior of invalid messages
  • CL/466375: all: update links to Protocol Buffer documentation

Minor performance improvements

  • CL/460215: types/known/structpb: preallocate map in AsMap
  • CL/465115: internal/strs: avoid unnecessary allocations in Builder

Breaking changes

  • CL/461238: protobuf: remove the check for reserved field numbers
    • protowire.(Number).IsValid() no longer returns false for reserved fields because reserved fields are considered semantically valid by the protobuf spec.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot requested a review from a team as a code owner March 6, 2024 05:45
@renovate renovate bot added area/security dependencies Pull requests that update a dependency file labels Mar 6, 2024
@renovate renovate bot force-pushed the deps-update/main-go-google.golang.org/protobuf-vulnerability branch from 6eb4348 to e261bf0 Compare March 6, 2024 08:00
@renovate renovate bot requested review from periklis and xperimental as code owners March 6, 2024 08:00
@renovate renovate bot changed the title fix(deps): update module google.golang.org/protobuf to v1.33.0 [security] (main) chore(deps): update module google.golang.org/protobuf to v1.33.0 [security] (main) Mar 6, 2024
@xperimental
Copy link
Collaborator

Looks sensible 👍

@renovate renovate bot force-pushed the deps-update/main-go-google.golang.org/protobuf-vulnerability branch from e261bf0 to fbd37c4 Compare March 7, 2024 17:56
@renovate renovate bot force-pushed the deps-update/main-go-google.golang.org/protobuf-vulnerability branch from fbd37c4 to 467ed31 Compare March 21, 2024 10:56
@renovate renovate bot force-pushed the deps-update/main-go-google.golang.org/protobuf-vulnerability branch from aa253bf to d1df8db Compare March 26, 2024 11:17
@MichelHollands MichelHollands merged commit bdad1d3 into main Mar 27, 2024
10 checks passed
@MichelHollands MichelHollands deleted the deps-update/main-go-google.golang.org/protobuf-vulnerability branch March 27, 2024 10:52
trevorwhitney added a commit that referenced this pull request Mar 27, 2024
@trevorwhitney
chore: merge with origin/main
99d57d2 
Squashed commit of the following:

commit 15dc2ba
Author: Christian Haudum <christian.haudum@gmail.com>
Date:   Wed Mar 27 19:55:13 2024 +0100

    feat(bloomstore): Support for sharding blocks across multiple different directories (#12375)

    Signed-off-by: Christian Haudum <christian.haudum@gmail.com>

commit c1edb82
Author: J Stickler <julie.stickler@grafana.com>
Date:   Wed Mar 27 14:46:00 2024 -0400

    docs: fix formatting in structured metadata topic (#12382)

commit c9e5c7f
Author: Owen Diehl <ow.diehl@gmail.com>
Date:   Wed Mar 27 10:27:44 2024 -0700

    chore(blooms): removes bloom-gw & bloom-compactor from all non-microservice targets (#12381)

commit 2b8db8b
Author: Travis Patterson <travis.patterson@grafana.com>
Date:   Wed Mar 27 08:48:04 2024 -0600

    fix: attempt non-string label filtering when errors are present (#12378)

commit f99e6ac
Author: Dylan Guedes <djmgguedes@gmail.com>
Date:   Wed Mar 27 10:51:21 2024 -0300

    docs: Add missing changelog entry for mTLS memcached addition (#12377)

commit 016daa5
Author: Karsten Jeschkies <karsten.jeschkies@grafana.com>
Date:   Wed Mar 27 14:28:32 2024 +0100

    fix: Track all OTLP metadata bytes in usage tracker. (#12376)

    Co-authored-by: Vladyslav Diachenko <82767850+vlad-diachenko@users.noreply.github.com>

commit aca2a38
Author: Paul Rogers <129207811+paul1r@users.noreply.github.com>
Date:   Wed Mar 27 07:50:25 2024 -0400

    test: gcs object client test data race (#12324)

commit bdad1d3
Author: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Date:   Wed Mar 27 10:52:30 2024 +0000

    chore(deps): update module google.golang.org/protobuf to v1.33.0 [security] (main) (#12137)

    Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
    Co-authored-by: Michel Hollands <42814411+MichelHollands@users.noreply.github.com>

commit ca667aa
Author: Christian Haudum <christian.haudum@gmail.com>
Date:   Wed Mar 27 09:53:33 2024 +0100

    chore(bloom-gw): Cleanup tracing implementation (#12368)

    The huge amount of `bloomgateway.ProcessTask` spans caused problem with Tempo's span limit, resulting in dropped/dangling spans.

    Since the processing time is now recorded also in a metrics.go-like stats log line, we can remove the spans and only add a log event with the summary to the main span of the request handler.

    This PR also unifies the event logging in the index gateway, and adds the real processing time (not aggregated processing time) to the request stats.

    ---
    Signed-off-by: Christian Haudum <christian.haudum@gmail.com>

commit 120b76d
Author: Owen Diehl <ow.diehl@gmail.com>
Date:   Wed Mar 27 00:16:07 2024 -0700

    chore(blooms): misc fixes (#12369)

    unbounds bloom-gw-client concurrency

    removes unused log_gateway_requests param

    adds note wrt bloom-gw results cache keygen issue

    add msg field to stats log

    sets bloomshipper download workers count to 16 default

commit 19c046f
Author: Christian Haudum <christian.haudum@gmail.com>
Date:   Tue Mar 26 23:07:02 2024 +0100

    chore(blooms): Make max bloom page size for querying configurable (#12337)

    Signed-off-by: Christian Haudum <christian.haudum@gmail.com>

commit 9810e8e
Author: Owen Diehl <ow.diehl@gmail.com>
Date:   Tue Mar 26 11:57:27 2024 -0700

    chore(blooms): computed fields for bloomgw stats logging (#12367)

commit 6b3bbb3
Author: J Stickler <julie.stickler@grafana.com>
Date:   Tue Mar 26 14:22:48 2024 -0400

    docs: Update release notes for 2.9.6 (#12365)

commit 30ac88b
Author: Owen Diehl <ow.diehl@gmail.com>
Date:   Tue Mar 26 11:00:47 2024 -0700

    chore(blooms): increase blockpool by factor-of-2 (#12363)

commit d3266a1
Author: Pangidoan Butar <38452094+doanbutar@users.noreply.github.com>
Date:   Wed Mar 27 01:53:05 2024 +0800

    docs: Update structured_metadata.md (#12355)

    Co-authored-by: J Stickler <julie.stickler@grafana.com>

commit c0c7a19
Author: J Stickler <julie.stickler@grafana.com>
Date:   Tue Mar 26 11:30:00 2024 -0400

    docs: Update release notes for recent 2.9 releases (#12349)

commit 9af191f
Author: Christian Haudum <christian.haudum@gmail.com>
Date:   Tue Mar 26 15:09:40 2024 +0100

    feat(bloom-gw): Add `metrics.go` style log line to bloom gateway `FilterChunks` call (#12354)

    This PR adds a "metrics.go" style log line to the bloom gateway that contains latencies for queueing, processing, post-processing, as well as number of chunks/series requested/filtered.

    This log line should give operators a better understanding where time is spent for individual requests.

    Example log line:

    ```
    ts=2024-03-26T13:16:11.869619964Z caller=spanlogger.go:109 component=bloom-gateway tenant=XXX method=bloomgateway.FilterChunkRefs user=XXX traceID=6239d49e1e88f88645bd7f1f6f1b85c8 level=info status=success tasks=1 series_requested=35 series_filtered=31 chunks_requested=103 chunks_filtered=93 queue_time=4.108128936s metas_fetch_time=22.040408ms blocks_fetch_time=1.284575ms processing_time=30.215863002s post_processing_time=16.084µs
    ```

    Signed-off-by: Christian Haudum <christian.haudum@gmail.com>

commit 5c6a031
Author: Salva Corts <salva.corts@grafana.com>
Date:   Tue Mar 26 14:59:26 2024 +0100

    fix(blooms): Not filters should always match (#12358)

commit 64c7812
Author: Ashwanth <iamashwanth@gmail.com>
Date:   Tue Mar 26 18:55:12 2024 +0530

    fix(codec): inject disable wrappers in ctx (#12352)

commit a36483b
Author: Owen Diehl <ow.diehl@gmail.com>
Date:   Tue Mar 26 03:36:49 2024 -0700

    feat(blooms): bloom integration in query planning (#12208)

    Signed-off-by: Owen Diehl <ow.diehl@gmail.com>

commit d5ecf9a
Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Date:   Tue Mar 26 10:21:48 2024 +0000

    chore(deps): bump google.golang.org/protobuf from 1.32.0 to 1.33.0 in /operator (#12207)

    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    Co-authored-by: Periklis Tsirakidis <periklis@redhat.com>

commit 774b01d
Author: Ashwanth <iamashwanth@gmail.com>
Date:   Tue Mar 26 13:15:54 2024 +0530

    fix(ruler): pass noop analyseRules to rules manager (#12353)

commit 03982c2
Author: arukiidou <arukiidou@yahoo.co.jp>
Date:   Tue Mar 26 16:10:31 2024 +0900

    docs: fix otlp guide - collector config example (#12328)

    Signed-off-by: junya koyama <arukiidou@yahoo.co.jp>
    Co-authored-by: Sandeep Sukhani <sandeep.d.sukhani@gmail.com>

commit 664e569
Author: Trevor Whitney <trevorjwhitney@gmail.com>
Date:   Mon Mar 25 16:12:58 2024 -0600

    feat: prepare 3.0.0 release candidate (#12348)

    Release-As: 3.0.0-alpha.1

commit 40f695e
Author: Trevor Whitney <trevorjwhitney@gmail.com>
Date:   Mon Mar 25 15:29:12 2024 -0600

    ci: prepare 3.0 release workflow (#12344)

    Release-As: 3.0.0-alpha.1

commit 04398a1
Author: Travis Patterson <travis.patterson@grafana.com>
Date:   Mon Mar 25 14:52:24 2024 -0600

    fix: log state of 'disable pipeline wrappers' (#12345)
rhnasc pushed a commit to inloco/loki that referenced this pull request Apr 12, 2024
@renovate @MichelHollands @rhnasc
chore(deps): update module google.golang.org/protobuf to v1.33.0 [sec…
86c1230 
…urity] (main) (grafana#12137)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Michel Hollands <42814411+MichelHollands@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@MichelHollands MichelHollands MichelHollands approved these changes

@periklis periklis Awaiting requested review from periklis

@xperimental xperimental Awaiting requested review from xperimental

Assignees
No one assigned
Labels
area/security dependencies Pull requests that update a dependency file size/S
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@xperimental @MichelHollands @periklis