Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bump the go_modules group across 1 directory with 7 updates #36

Closed
wants to merge 1 commit into from
Closed

Bump the go_modules group across 1 directory with 7 updates #36

wants to merge 1 commit into from

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Mar 14, 2024

Bumps the go_modules group with 4 updates in the /src directory: github.com/hashicorp/vault, github.com/go-jose/go-jose/v3, github.com/jackc/pgproto3/v2 and github.com/jackc/pgx/v4.

Updates github.com/hashicorp/vault from 1.15.1 to 1.15.5

Release notes

Sourced from github.com/hashicorp/vault's releases.

v1.15.5

1.15.5

January 31, 2024

SECURITY:

  • audit: Fix bug where use of 'log_raw' option could result in other devices logging raw audit data [GH-24968] [HCSEC-2024-01]

CHANGES:

  • core: Bump Go version to 1.21.5.
  • database/snowflake: Update plugin to v0.9.1 [GH-25020]
  • secrets/ad: Update plugin to v0.16.2 [GH-25058]
  • secrets/openldap: Update plugin to v0.11.3 [GH-25040]

IMPROVEMENTS:

  • command/server: display logs on startup immediately if disable-gated-logs flag is set [GH-24280]
  • core/activity: Include secret_syncs in activity log responses [GH-24710]
  • oidc/provider: Adds code_challenge_methods_supported to OpenID Connect Metadata [GH-24979]
  • storage/raft: Upgrade to bbolt 1.3.8, along with an extra patch to reduce time scanning large freelist maps. [GH-24010]
  • sys (enterprise): Adds the chroot_namespace field to this sys/internal/ui/resultant-acl endpoint, which exposes the value of the chroot namespace from the listener config.
  • ui: latest version of chrome does not automatically redirect back to the app after authentication unless triggered by the user, hence added a link to redirect back to the app. [GH-18513]

BUG FIXES:

  • audit/socket: Provide socket based audit backends with 'prefix' configuration option when supplied. [GH-25004]
  • audit: Fix bug where use of 'log_raw' option could result in other devices logging raw audit data [GH-24968]
  • auth/saml (enterprise): Fixes support for Microsoft Entra ID enterprise applications
  • core (enterprise): fix a potential deadlock if an error is received twice from underlying storage for the same key
  • core: upgrade github.com/hashicorp/go-kms-wrapping/wrappers/azurekeyvault/v2 to support azure workload identities. [GH-24954]
  • helper/pkcs7: Fix slice out-of-bounds panic [GH-24891]
  • kmip (enterprise): Only return a Server Correlation Value to clients using KMIP version 1.4.
  • plugins: fix panic when registering containerized plugin with a custom runtime on a perf standby
  • ui: Allows users to dismiss the resultant-acl banner. [GH-25106]
  • ui: Correctly handle redirects from pre 1.15.0 Kv v2 edit, create, and show urls. [GH-24339]
  • ui: Fixed minor bugs with database secrets engine [GH-24947]
  • ui: Fixes input for jwks_ca_pem when configuring a JWT auth method [GH-24697]
  • ui: Fixes policy input toolbar scrolling by default [GH-23297]
  • ui: The UI can now be used to create or update database roles by operator without permission on the database connection. [GH-24660]
  • ui: fix KV v2 details view defaulting to JSON view when secret value includes { [GH-24513]
  • ui: fix incorrectly calculated capabilities on PKI issuer endpoints [GH-24686]
  • ui: fix issue where kv v2 capabilities checks were not passing in the full secret path if secret was inside a directory. [GH-24404]
  • ui: fix navigation items shown to user when chroot_namespace configured [GH-24492]

v1.15.4

1.15.4

... (truncated)

Changelog

Sourced from github.com/hashicorp/vault's changelog.

1.15.5

January 31, 2024

SECURITY:

  • audit: Fix bug where use of 'log_raw' option could result in other devices logging raw audit data [GH-24968] [HCSEC-2024-01]

CHANGES:

  • core: Bump Go version to 1.21.5.
  • database/snowflake: Update plugin to v0.9.1 [GH-25020]
  • secrets/ad: Update plugin to v0.16.2 [GH-25058]
  • secrets/openldap: Update plugin to v0.11.3 [GH-25040]

IMPROVEMENTS:

  • command/server: display logs on startup immediately if disable-gated-logs flag is set [GH-24280]
  • core/activity: Include secret_syncs in activity log responses [GH-24710]
  • oidc/provider: Adds code_challenge_methods_supported to OpenID Connect Metadata [GH-24979]
  • storage/raft: Upgrade to bbolt 1.3.8, along with an extra patch to reduce time scanning large freelist maps. [GH-24010]
  • sys (enterprise): Adds the chroot_namespace field to this sys/internal/ui/resultant-acl endpoint, which exposes the value of the chroot namespace from the listener config.
  • ui: latest version of chrome does not automatically redirect back to the app after authentication unless triggered by the user, hence added a link to redirect back to the app. [GH-18513]

BUG FIXES:

  • audit/socket: Provide socket based audit backends with 'prefix' configuration option when supplied. [GH-25004]
  • auth/saml (enterprise): Fixes support for Microsoft Entra ID enterprise applications
  • core (enterprise): fix a potential deadlock if an error is received twice from underlying storage for the same key
  • core: upgrade github.com/hashicorp/go-kms-wrapping/wrappers/azurekeyvault/v2 to support azure workload identities. [GH-24954]
  • helper/pkcs7: Fix slice out-of-bounds panic [GH-24891]
  • kmip (enterprise): Only return a Server Correlation Value to clients using KMIP version 1.4.
  • plugins: fix panic when registering containerized plugin with a custom runtime on a perf standby
  • ui: Allows users to dismiss the resultant-acl banner. [GH-25106]
  • ui: Correctly handle redirects from pre 1.15.0 Kv v2 edit, create, and show urls. [GH-24339]
  • ui: Fixed minor bugs with database secrets engine [GH-24947]
  • ui: Fixes input for jwks_ca_pem when configuring a JWT auth method [GH-24697]
  • ui: Fixes policy input toolbar scrolling by default [GH-23297]
  • ui: The UI can now be used to create or update database roles by operator without permission on the database connection. [GH-24660]
  • ui: fix KV v2 details view defaulting to JSON view when secret value includes { [GH-24513]
  • ui: fix incorrectly calculated capabilities on PKI issuer endpoints [GH-24686]
  • ui: fix issue where kv v2 capabilities checks were not passing in the full secret path if secret was inside a directory. [GH-24404]
  • ui: fix navigation items shown to user when chroot_namespace configured [GH-24492]

1.15.4

December 06, 2023

SECURITY:

... (truncated)

Commits
  • 0d8b67e backport of UI: JSON editor styling fix (#23306)
  • c395e8c backport of UI: make resultant-acl banner dismissable (#25108)
  • 4fd9977 Go update to 1.21.5 on 1.15 (#25101)
  • fab8268 Revert licese reporting 1.15 (#25087)
  • f03bb90 Update 1.15 to Go 1.21.6 (#25077)
  • 1ad6fa2 backport of commit afe599145dda0a3fa1ddce0bf2853c8d07a12bb5 (#25092)
  • 79aaafd Backport of UI: Database fixes (#24947) into release/1.15 (#25042)
  • 970bc26 bump github.com/hashicorp/go-kms-wrapping/wrappers/azurekeyvault/v2 version t...
  • 72c0fa3 Backport of Update vault-plugin-secrets-ad to v0.16.2 into release/1.15.x (#2...
  • 400b3b3 backport of commit 49a59bda5ebdc8beb0a85af25c7be46b270ad4fe (#25072)
  • Additional commits viewable in compare view

Updates github.com/cloudflare/circl from 1.3.3 to 1.3.7

Release notes

Sourced from github.com/cloudflare/circl's releases.

CIRCL v1.3.7

What's Changed

New Contributors

Full Changelog: cloudflare/circl@v1.3.6...v1.3.7

CIRCL v1.3.6

What's Changed

New Contributors

Full Changelog: cloudflare/circl@v1.3.3...v1.3.6

Commits
  • c48866b Releasing CIRCL v1.3.7
  • 75ef91e kyber: remove division by q in ciphertext compression
  • 899732a build(deps): bump golang.org/x/crypto
  • 99f0f71 Releasing CIRCL v1.3.6
  • e728d0d Apply thibmeu code review suggestions
  • ceb2d90 Updating blindrsa to be compliant with RFC9474.
  • 44133f7 spelling: tripped
  • c2076d6 spelling: transposes
  • dad2166 spelling: title
  • 171c418 spelling: threshold
  • Additional commits viewable in compare view

Updates github.com/go-jose/go-jose/v3 from 3.0.1 to 3.0.3

Release notes

Sourced from github.com/go-jose/go-jose/v3's releases.

Version 3.0.3

Fixed

  • Limit decompression output size to prevent a DoS. Backport from v4.0.1.

Version 3.0.2

Fixed

  • DecryptMulti: handle decompression error (#19)

Changed

  • jwe/CompactSerialize: improve performance (#67)
  • Increase the default number of PBKDF2 iterations to 600k (#48)
  • Return the proper algorithm for ECDSA keys (#45)
  • Update golang.org/x/crypto to v0.19 (#94)

Added

  • Add Thumbprint support for opaque signers (#38)
Changelog

Sourced from github.com/go-jose/go-jose/v3's changelog.

v3.0.3

Fixed

  • Limit decompression output size to prevent a DoS. Backport from v4.0.1.

v3.0.2

Fixed

  • DecryptMulti: handle decompression error (#19)

Changed

  • jwe/CompactSerialize: improve performance (#67)
  • Increase the default number of PBKDF2 iterations to 600k (#48)
  • Return the proper algorithm for ECDSA keys (#45)

Added

  • Add Thumbprint support for opaque signers (#38)
Commits
  • add6a28 v3: backport decompression limit fix (#107)
  • 11bb4e7 doc: in v3 branch's README, point to v4 as latest (#101)
  • 863f73b v3.0.2: Update changelog (#95)
  • bdbc794 Update golang.org/x/crypto to v0.19 (backport) (#94)
  • 25bce79 Updated go-jose v3.0.0 to v3.0.1 in jose-util (#70)
  • aa386df jwe/CompactSerialize: improve performance. (#67)
  • 053c9bf DecryptMulti: handle decompression error (#19)
  • ca9011b Bump go version to 1.21.4 to satisfy govulncheck (#68)
  • c8399df Revert pull request #10 (multiple audiences) (#24)
  • ec819e9 Add a security.md doc for contacting us about potential security vulnerabilit...
  • Additional commits viewable in compare view

Updates github.com/jackc/pgproto3/v2 from 2.3.2 to 2.3.3

Commits

Updates github.com/jackc/pgx/v4 from 4.18.1 to 4.18.2

Changelog

Sourced from github.com/jackc/pgx/v4's changelog.

4.18.2 (March 4, 2024)

Fix CVE-2024-27289

SQL injection can occur when all of the following conditions are met:

  1. The non-default simple protocol is used.
  2. A placeholder for a numeric value must be immediately preceded by a minus.
  3. There must be a second placeholder for a string value after the first placeholder; both must be on the same line.
  4. Both parameter values must be user-controlled.

Thanks to Paul Gerste for reporting this issue.

Fix CVE-2024-27304

SQL injection can occur if an attacker can cause a single query or bind message to exceed 4 GB in size. An integer overflow in the calculated message size can cause the one large message to be sent as multiple messages under the attacker's control.

Thanks to Paul Gerste for reporting this issue.

  • Fix *dbTx.Exec not checking if it is already closed
Commits
  • 14690df Update changelog
  • 779548e Update required Go version to 1.17
  • 80e9662 Update github.com/jackc/pgconn to v1.14.3
  • 0bf9ac3 Fix erroneous test case
  • f94eb0e Always wrap arguments in parentheses in the SQL sanitizer
  • 826a892 Fix SQL injection via line comment creation in simple protocol
  • 7d882f9 Fix *dbTx.Exec not checking if it is already closed
  • 1d07b8b go mod tidy
  • See full diff in compare view

Updates golang.org/x/crypto from 0.14.0 to 0.20.0

Commits
  • 0aab8d0 all: update go.mod x/net dependency
  • 5bead59 ocsp: don't use iota for externally defined constants
  • 1a86580 x/crypto/internal/poly1305: improve sum_ppc64le.s
  • 1c981e6 ssh/test: don't use DSA keys in integrations tests, update test RSA key
  • 62c9f17 x509roots/nss: manually exclude a confusingly constrained root
  • 405cb3b go.mod: update golang.org/x dependencies
  • 913d3ae x509roots/fallback: update bundle
  • dbb6ec1 ssh/test: skip tests on darwin that fail on the darwin-amd64-longtest LUCI bu...
  • 403f699 ssh/test: avoid leaking a net.UnixConn in server.TryDialWithAddr
  • 055043d go.mod: update golang.org/x dependencies
  • Additional commits viewable in compare view

Updates google.golang.org/protobuf from 1.31.0 to 1.32.0

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
Bump the go_modules group across 1 directory with 7 updates
b272a5f 
Bumps the go_modules group with 4 updates in the /src directory: [github.com/hashicorp/vault](https://github.com/hashicorp/vault), [github.com/go-jose/go-jose/v3](https://github.com/go-jose/go-jose), [github.com/jackc/pgproto3/v2](https://github.com/jackc/pgproto3) and [github.com/jackc/pgx/v4](https://github.com/jackc/pgx).


Updates `github.com/hashicorp/vault` from 1.15.1 to 1.15.5
- [Release notes](https://github.com/hashicorp/vault/releases)
- [Changelog](https://github.com/hashicorp/vault/blob/main/CHANGELOG.md)
- [Commits](hashicorp/vault@v1.15.1...v1.15.5)

Updates `github.com/cloudflare/circl` from 1.3.3 to 1.3.7
- [Release notes](https://github.com/cloudflare/circl/releases)
- [Commits](cloudflare/circl@v1.3.3...v1.3.7)

Updates `github.com/go-jose/go-jose/v3` from 3.0.1 to 3.0.3
- [Release notes](https://github.com/go-jose/go-jose/releases)
- [Changelog](https://github.com/go-jose/go-jose/blob/v3.0.3/CHANGELOG.md)
- [Commits](go-jose/go-jose@v3.0.1...v3.0.3)

Updates `github.com/jackc/pgproto3/v2` from 2.3.2 to 2.3.3
- [Commits](jackc/pgproto3@v2.3.2...v2.3.3)

Updates `github.com/jackc/pgx/v4` from 4.18.1 to 4.18.2
- [Changelog](https://github.com/jackc/pgx/blob/v4.18.2/CHANGELOG.md)
- [Commits](jackc/pgx@v4.18.1...v4.18.2)

Updates `golang.org/x/crypto` from 0.14.0 to 0.20.0
- [Commits](golang/crypto@v0.14.0...v0.20.0)

Updates `google.golang.org/protobuf` from 1.31.0 to 1.32.0

---
updated-dependencies:
- dependency-name: github.com/hashicorp/vault
  dependency-type: direct:production
  dependency-group: go_modules-security-group
- dependency-name: github.com/cloudflare/circl
  dependency-type: indirect
  dependency-group: go_modules-security-group
- dependency-name: github.com/go-jose/go-jose/v3
  dependency-type: indirect
  dependency-group: go_modules-security-group
- dependency-name: github.com/jackc/pgproto3/v2
  dependency-type: indirect
  dependency-group: go_modules-security-group
- dependency-name: github.com/jackc/pgx/v4
  dependency-type: indirect
  dependency-group: go_modules-security-group
- dependency-name: golang.org/x/crypto
  dependency-type: indirect
  dependency-group: go_modules-security-group
- dependency-name: google.golang.org/protobuf
  dependency-type: indirect
  dependency-group: go_modules-security-group
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Mar 14, 2024
@dependabot dependabot bot mentioned this pull request Mar 14, 2024
Closed
@dependabot Dependabot
Copy link
Contributor Author

dependabot bot commented on behalf of github Mar 20, 2024

Superseded by #37.

@dependabot dependabot bot closed this Mar 20, 2024
@dependabot dependabot bot deleted the dependabot/go_modules/src/go_modules-security-group-3440284fd7 branch March 20, 2024 17:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants