Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

deps: upgrade protobuf lib to 1.33.0 #20100

Merged
merged 2 commits into from
Mar 8, 2024
Merged

deps: upgrade protobuf lib to 1.33.0 #20100

merged 2 commits into from
Mar 8, 2024

Conversation

tgross
Copy link
Member

@tgross tgross commented Mar 8, 2024
edited
Loading

Although Nomad is not vulnerable to CVE-2024-24786 because it's configured to discard unknown messages during unmarshaling, we should upgrade so that third-party vulnerability scanners don't detect the vulnerable version and complain.

I've also updated the changelog for our Go 1.22.1 update to include references to the CVEs it fixes for us.

@tgross
deps: upgrade protobuf lib to 1.33.0
78cb0e9 
Although Nomad is not vulnerable to CVE-2024-24786 because it's configured to
discard unknown messages during unmarshaling, we should upgrade so that
third-party vulnerability scanners don't detect the vulnerable version and
complain.
@tgross tgross added backport/1.5.x backport to 1.5.x release line backport/1.6.x backport to 1.6.x release line backport/1.7.x backport to 1.7.x release line theme/dependencies Pull requests that update a dependency file theme/security labels Mar 8, 2024
@tgross tgross added this to the 1.7.x milestone Mar 8, 2024
@tgross tgross merged commit ac36652 into main Mar 8, 2024
28 of 29 checks passed
@tgross tgross deleted the deps-protobuf branch March 8, 2024 15:55
This was referenced Mar 8, 2024
Merged
Merged
Merged
tgross added a commit that referenced this pull request Mar 8, 2024
@tgross
deps: upgrade protobuf lib to 1.33.0 (#20100)
806921d 
Although Nomad is not vulnerable to CVE-2024-24786 because it's configured to
discard unknown messages during unmarshaling, we should upgrade so that
third-party vulnerability scanners don't detect the vulnerable version and
complain.

Also update go1.22.1 changelog entry to include CVEs
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dduzgun-security dduzgun-security dduzgun-security approved these changes

@shoenig shoenig Awaiting requested review from shoenig

Assignees
No one assigned
Labels
backport/1.5.x backport to 1.5.x release line backport/1.6.x backport to 1.6.x release line backport/1.7.x backport to 1.7.x release line theme/dependencies Pull requests that update a dependency file theme/security
Projects
None yet
Milestone
1.7.x
Development

Successfully merging this pull request may close these issues.
2 participants
@tgross @dduzgun-security