[release/1.7 backport] vendor: google.golang.org/protobuf 1.33.0, github.com/golang/protobuf v1.5.4 #9975
Merged
Bumps google.golang.org/protobuf from 1.31.0 to 1.32.0.

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
(cherry picked from commit 7fe038e)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Bumps google.golang.org/protobuf from 1.32.0 to 1.33.0.

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
(cherry picked from commit 10c7f03)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

commit 10c7f03 updated google.golang.org/protobuf to v1.33.0, which addresses CVE-2024-24786, however a follow-up post on the Golang security list issued a warning that the v1.33.0 update introduced a breaking change, causing compatibility with github.com/golang/protobuf to be broken;

> A small correction: This vulnerability applies when the UnmarshalOptions.DiscardUnknown
> option is set (as well as when unmarshaling into any message which contains a
> google.protobuf.Any). There is no UnmarshalUnknown option.
>
> In addition, version 1.33.0 of google.golang.org/protobuf inadvertently
> introduced an incompatibility with the older github.com/golang/protobuf
> module. (golang/protobuf#1596) Users of the older
> module should update to github.com/golang/protobuf@v1.5.4.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 45e425c)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
austinvazquez approved these changes Mar 22, 2024
kzys approved these changes Mar 22, 2024
dmcgowan approved these changes Mar 22, 2024

Mengkzhaoyun pushed a commit to open-beagle/containerd that referenced this pull request Apr 26, 2024
containerd 1.7.15

Welcome to the v1.7.15 release of containerd!

The fifteenth patch release for containerd 1.7 contains various fixes; one for a regression introduced in v1.7.14 in the way process exits were handled.

* Adds mediatype to OCI index record on export ([#9990](containerd/containerd#9990))
* Fix runc shim to only defer init process exits ([#10037](containerd/containerd#10037))

Please try out the release binaries and report any issues at https://github.com/containerd/containerd/issues.

* Derek McGowan
* Phil Estes
* Austin Vazquez
* Laura Brehm
* Sebastiaan van Stijn
* Talon

<details><summary>12 commits</summary>
<p>

* Prepare for v1.7.15 release ([#10039](containerd/containerd#10039))
  * [`4d4759b54`](containerd/containerd@4d4759b) Prep v1.7.15 release
* Fix runc shim to only defer init process exits ([#10037](containerd/containerd#10037))
  * [`21df46766`](containerd/containerd@21df467) runc-shim: only defer init process exits
* Fix compile from version control system (source) use case ([#10012](containerd/containerd#10012))
  * [`2a054213e`](containerd/containerd@2a05421) Fix compile from version control system (source) use case
* Adds mediatype to OCI index record on export ([#9990](containerd/containerd#9990))
  * [`6605c47a4`](containerd/containerd@6605c47) adds mediatype to oci index record
* vendor: google.golang.org/protobuf 1.33.0, github.com/golang/protobuf v1.5.4 ([#9975](containerd/containerd#9975))
  * [`e6d91d843`](containerd/containerd@e6d91d8) vendor: github.com/golang/protobuf v1.5.4
  * [`2d136c5f5`](containerd/containerd@2d136c5) build(deps): bump google.golang.org/protobuf from 1.32.0 to 1.33.0
  * [`a1a7af7a3`](containerd/containerd@a1a7af7) build(deps): bump google.golang.org/protobuf from 1.31.0 to 1.32.0

</p>
</details>

* **github.com/golang/protobuf** v1.5.3 -> v1.5.4
* **google.golang.org/protobuf** v1.31.0 -> v1.33.0

Previous release can be found at [v1.7.14](https://github.com/containerd/containerd/releases/tag/v1.7.14)
backport of:
Updating the version to verify compatibility, and to prevent possible incompatibilities if consumers of containerd have to update these, but containerd itself is still on an older version (moby/buildkit#4773 (comment)).
These updates keep the scanners at bay for CVE-2024-24786 / GO-2024-2611, although containerd itself is not affected;
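
The version pairing described in the commit message above can be checked mechanically. The following is an added example, not code from this pull request or from containerd: a standard-library-only Go check that reports `require` entries in a go.mod that pin either module below the versions named on this page. The go.mod text is constructed, and `CheckGoMod`, `key` and `minimums` are hypothetical names.

```go
package main

import (
	"fmt"
	"strings"
)

// Minimum versions named in the PR text above.
var minimums = map[string]string{
	"google.golang.org/protobuf": "v1.33.0",
	"github.com/golang/protobuf": "v1.5.4",
}

// Constructed go.mod: protobuf already at 1.33.0, golang/protobuf still at 1.5.3.
const sample = "module example.test/demo\n\nrequire (\n\tgithub.com/golang/protobuf v1.5.3\n\tgoogle.golang.org/protobuf v1.33.0 // indirect\n)\n"

// key packs vMAJOR.MINOR.PATCH into one integer (components < 1000, suffixes ignored).
func key(v string) int {
	var a, b, c int
	fmt.Sscanf(v, "v%d.%d.%d", &a, &b, &c)
	return (a*1000+b)*1000 + c
}

// CheckGoMod returns one finding per require entry below its minimum.
func CheckGoMod(gomod string) []string {
	var findings []string
	check := func(mod, ver string) {
		if want, ok := minimums[mod]; ok && key(ver) < key(want) {
			findings = append(findings, mod+" "+ver+" < "+want)
		}
	}
	inRequire := false
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.Split(line, "//")[0]) // drop "// indirect" etc.
		switch {
		case len(f) > 0 && (f[len(f)-1] == "(" || f[0] == ")"):
			inRequire = f[0] == "require" // a block opens or closes
		case len(f) == 3 && f[0] == "require":
			check(f[1], f[2])
		case len(f) == 2 && inRequire:
			check(f[0], f[1])
		}
	}
	return findings
}

func main() {
	fmt.Println(strings.Join(CheckGoMod(sample), "\n"))
}
```

Only `require` directives are read; `replace` and `exclude` entries are skipped, so a module redirected by `replace` needs a separate look.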