
[NET-8367] security: upgrade google.golang.org/protobuf to 1.33.0 #20801

Merged: 2 commits, Mar 6, 2024

Conversation

zalimeni
Member

@zalimeni zalimeni commented Mar 6, 2024

Resolves CVE-2024-24786.

Description

Change made by running

make go-mod-get DEP_VERSION=google.golang.org/protobuf@v1.33.0
make go-mod-get DEP_VERSION=github.com/golang/protobuf@v1.5.4

to bump dependency across submodules, then

make --always-make proto

to update proto files (comments only).

Will likely require manual fixes to backport but possible it'll inline, so starting w/ the labels.

Testing & Reproduction steps

CI continues to pass.

PR Checklist

  • updated test coverage
  • external facing docs updated
  • appropriate backport labels added
  • not a security concern

@zalimeni zalimeni requested a review from wilkermichael March 6, 2024 20:55
@zalimeni zalimeni requested a review from a team as a code owner March 6, 2024 20:55
@github-actions github-actions bot added labels theme/api (Relating to the HTTP API interface) and pr/dependencies (PR specifically updates dependencies of project) Mar 6, 2024
@zalimeni zalimeni force-pushed the zalimeni/bump-protobuf branch from 276c5e9 to 0716cd1 Compare March 6, 2024 20:57
Contributor

@wilkermichael wilkermichael left a comment


Looks good, just add the appropriate backport labels to the branches this affects.

@zalimeni zalimeni added labels backport/1.15 (This release series is no longer active on CE. Use backport/ent/1.15.), backport/1.16 (This release series is no longer active on CE. Use backport/ent/1.16.), backport/1.17 (This release series is no longer active on CE. Use backport/ent/1.17.) and backport/1.18 Mar 6, 2024
@zalimeni zalimeni enabled auto-merge (squash) March 6, 2024 21:07
@zalimeni zalimeni force-pushed the zalimeni/bump-protobuf branch from 0716cd1 to a407616 Compare March 6, 2024 21:22
@zalimeni zalimeni changed the title security: upgrade google.golang.org/protobuf to 1.33.0 [NET-8367] security: upgrade google.golang.org/protobuf to 1.33.0 Mar 6, 2024
Required to fix incompatibility with google.golang.org/protobuf. See
golang/protobuf#1597 for more details.
@zalimeni
Member Author

zalimeni commented Mar 6, 2024

Had to additionally upgrade github.com/golang/protobuf to 1.5.4 due to incompatibility with patched google.golang.org/protobuf; see golang/protobuf@b7697bb.
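As an added example (not Consul's code or the protobuf project's), a small Go checker for the two floors that the PR description and the follow-up comment above establish: google.golang.org/protobuf at v1.33.0 or later for CVE-2024-24786, and github.com/golang/protobuf at v1.5.4 or later alongside the patched API module. It assumes a standard go.mod layout, reads require lines only (replace directives are skipped, so confirm the effective version with `go list -m` when any exist), and the SampleGoMod text is constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// SampleGoMod is a constructed pre-bump go.mod for demonstration, not Consul's real file.
const SampleGoMod = "module example.com/svc\n\ngo 1.21\n\nrequire (\n\tgithub.com/golang/protobuf v1.5.3\n\tgoogle.golang.org/protobuf v1.31.0 // indirect\n)\n"

// olderThan reports have < want for "vX.Y.Z" strings (suffixes such as -rc1 are ignored);
// unparseable versions are never flagged, so review those by hand.
func olderThan(have, want string) bool {
	var a, b [3]int
	_, errA := fmt.Sscanf(strings.TrimPrefix(have, "v"), "%d.%d.%d", &a[0], &a[1], &a[2])
	_, errB := fmt.Sscanf(strings.TrimPrefix(want, "v"), "%d.%d.%d", &b[0], &b[1], &b[2])
	for i := 0; errA == nil && errB == nil && i < 3; i++ {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// requiredVersions maps module path -> version from require lines, bare or in a block; replace directives are skipped, not applied.
func requiredVersions(gomod string) map[string]string {
	vers := map[string]string{}
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) >= 2 && strings.Contains(f[0], "/") && strings.HasPrefix(f[1], "v") && !strings.Contains(line, "=>") {
			vers[f[0]] = f[1]
		}
	}
	return vers
}

// AuditProtobuf applies the two floors from this PR: google.golang.org/protobuf >= v1.33.0 (CVE-2024-24786) and, once that holds, github.com/golang/protobuf >= v1.5.4.
func AuditProtobuf(gomod string) (findings []string) {
	vers := requiredVersions(gomod)
	api, legacy := vers["google.golang.org/protobuf"], vers["github.com/golang/protobuf"]
	if olderThan(api, "v1.33.0") {
		findings = append(findings, "google.golang.org/protobuf "+api+" < v1.33.0 (CVE-2024-24786)")
	}
	if api != "" && !olderThan(api, "v1.33.0") && olderThan(legacy, "v1.5.4") {
		findings = append(findings, "github.com/golang/protobuf "+legacy+" < v1.5.4 is incompatible with patched google.golang.org/protobuf")
	}
	return findings
}

func main() { fmt.Println(AuditProtobuf(SampleGoMod)) } // findings for the constructed sample
```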
