Skip to content

chore: bump the go_modules group across 1 directory with 9 updates #2

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

chore: bump the go_modules group across 1 directory with 9 updates #2

wants to merge 1 commit into from

Conversation

@dependabot
Copy link

@dependabot dependabot bot commented on behalf of github Jul 9, 2024

Bumps the go_modules group with 8 updates in the / directory:

Package From To
github.com/go-jose/go-jose/v3 3.0.0 3.0.3
github.com/moby/moby 24.0.1+incompatible 24.0.9+incompatible
golang.org/x/net 0.18.0 0.23.0
google.golang.org/protobuf 1.31.0 1.33.0
github.com/cloudflare/circl 1.3.3 1.3.7
github.com/docker/docker 24.0.7+incompatible 24.0.9+incompatible
github.com/google/nftables 0.1.1-0.20230115205135-9aa6fdf5a28c 0.2.0
github.com/opencontainers/runc 1.1.5 1.1.12

Updates github.com/go-jose/go-jose/v3 from 3.0.0 to 3.0.3

Release notes

Sourced from github.com/go-jose/go-jose/v3's releases.

Version 3.0.3

Fixed

  • Limit decompression output size to prevent a DoS. Backport from v4.0.1.

Version 3.0.2

Fixed

  • DecryptMulti: handle decompression error (#19)

Changed

  • jwe/CompactSerialize: improve performance (#67)
  • Increase the default number of PBKDF2 iterations to 600k (#48)
  • Return the proper algorithm for ECDSA keys (#45)
  • Update golang.org/x/crypto to v0.19 (#94)

Added

  • Add Thumbprint support for opaque signers (#38)

Version 3.0.1

Fixed

Security issue: an attacker specifying a large "p2c" value can cause JSONWebEncryption.Decrypt and JSONWebEncryption.DecryptMulti to consume large amounts of CPU, causing a DoS. Thanks to Matt Schwager (@​mschwager) for the disclosure and to Tom Tervoort for originally publishing the category of attack. https://i.blackhat.com/BH-US-23/Presentations/US-23-Tervoort-Three-New-Attacks-Against-JSON-Web-Tokens.pdf

The release is tagged off the release-v3.0.1 branch to avoid mixing in some as-yet unreleased changes on the v3 branch.

Changelog

Sourced from github.com/go-jose/go-jose/v3's changelog.

v3.0.3

Fixed

  • Limit decompression output size to prevent a DoS. Backport from v4.0.1.

v3.0.2

Fixed

  • DecryptMulti: handle decompression error (#19)

Changed

  • jwe/CompactSerialize: improve performance (#67)
  • Increase the default number of PBKDF2 iterations to 600k (#48)
  • Return the proper algorithm for ECDSA keys (#45)

Added

  • Add Thumbprint support for opaque signers (#38)

v3.0.1

Fixed

Commits
  • add6a28 v3: backport decompression limit fix (#107)
  • 11bb4e7 doc: in v3 branch's README, point to v4 as latest (#101)
  • 863f73b v3.0.2: Update changelog (#95)
  • bdbc794 Update golang.org/x/crypto to v0.19 (backport) (#94)
  • 25bce79 Updated go-jose v3.0.0 to v3.0.1 in jose-util (#70)
  • aa386df jwe/CompactSerialize: improve performance. (#67)
  • 053c9bf DecryptMulti: handle decompression error (#19)
  • ca9011b Bump go version to 1.21.4 to satisfy govulncheck (#68)
  • c8399df Revert pull request #10 (multiple audiences) (#24)
  • ec819e9 Add a security.md doc for contacting us about potential security vulnerabilit...
  • Additional commits viewable in compare view

Updates github.com/moby/moby from 24.0.1+incompatible to 24.0.9+incompatible

Release notes

Sourced from github.com/moby/moby's releases.

v24.0.9

24.0.9

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

Security

This release contains security fixes for the following CVEs affecting Docker Engine and its components.

CVE Component Fix version Severity
CVE-2024-21626 runc 1.1.12 High, CVSS 8.6
CVE-2024-24557 Docker Engine 24.0.9 Medium, CVSS 6.9

Important ⚠️

Note that this release of Docker Engine doesn't include fixes for the following known vulnerabilities in BuildKit:

To address these vulnerabilities, upgrade to Docker Engine v25.0.2.

For more information about the security issues addressed in this release, and the unaddressed vulnerabilities in BuildKit, refer to the blog post. For details about each vulnerability, see the relevant security advisory:

Packaging updates

v24.0.8

24.0.8

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

Bug fixes and enhancements

  • Live restore: Containers with auto remove (docker run --rm) are no longer forcibly removed on engine restart. moby/moby#46857

... (truncated)

Commits
  • fca702d Merge pull request from GHSA-xw73-rw38-6vjc
  • f78a772 Merge pull request #47281 from thaJeztah/24.0_backport_bump_containerd_binary...
  • 61afffe Merge pull request #47270 from thaJeztah/24.0_backport_bump_runc_binary_1.1.12
  • b38e74c Merge pull request #47276 from thaJeztah/24.0_backport_bump_runc_1.1.12
  • dac5663 update containerd binary to v1.7.13
  • 20e1af3 vendor: github.com/opencontainers/runc v1.1.12
  • 858919d update runc binary to v1.1.12
  • 141ad39 Merge pull request #47266 from vvoland/ci-fix-makeps1-templatefail-24
  • db968c6 hack/make.ps1: Fix go list pattern
  • 61c51fb Merge pull request #47221 from vvoland/pkg-pools-close-noop-24
  • Additional commits viewable in compare view

Updates golang.org/x/crypto from 0.15.0 to 0.19.0

Commits
  • 405cb3b go.mod: update golang.org/x dependencies
  • 913d3ae x509roots/fallback: update bundle
  • dbb6ec1 ssh/test: skip tests on darwin that fail on the darwin-amd64-longtest LUCI bu...
  • 403f699 ssh/test: avoid leaking a net.UnixConn in server.TryDialWithAddr
  • 055043d go.mod: update golang.org/x dependencies
  • 08396bb internal/poly1305: drop Go 1.12 compatibility
  • 9d2ee97 ssh: implement strict KEX protocol changes
  • 4e5a261 ssh: close net.Conn on all NewServerConn errors
  • 152cdb1 x509roots/fallback: update bundle
  • fdfe1f8 ssh: defer channel window adjustment
  • Additional commits viewable in compare view

Updates golang.org/x/net from 0.18.0 to 0.23.0

Commits
  • c48da13 http2: fix TestServerContinuationFlood flakes
  • 762b58d http2: fix tipos in comment
  • ba87210 http2: close connections when receiving too many headers
  • ebc8168 all: fix some typos
  • 3678185 http2: make TestCanonicalHeaderCacheGrowth faster
  • 448c44f http2: remove clientTester
  • c7877ac http2: convert the remaining clientTester tests to testClientConn
  • d8870b0 http2: use synthetic time in TestIdleConnTimeout
  • d73acff http2: only set up deadline when Server.IdleTimeout is positive
  • 89f602b http2: validate client/outgoing trailers
  • Additional commits viewable in compare view

Updates google.golang.org/protobuf from 1.31.0 to 1.33.0

Updates github.com/cloudflare/circl from 1.3.3 to 1.3.7

Release notes

Sourced from github.com/cloudflare/circl's releases.

CIRCL v1.3.7

What's Changed

New Contributors

Full Changelog: cloudflare/circl@v1.3.6...v1.3.7

CIRCL v1.3.6

What's Changed

New Contributors

Full Changelog: cloudflare/circl@v1.3.3...v1.3.6

Commits
  • c48866b Releasing CIRCL v1.3.7
  • 75ef91e kyber: remove division by q in ciphertext compression
  • 899732a build(deps): bump golang.org/x/crypto
  • 99f0f71 Releasing CIRCL v1.3.6
  • e728d0d Apply thibmeu code review suggestions
  • ceb2d90 Updating blindrsa to be compliant with RFC9474.
  • 44133f7 spelling: tripped
  • c2076d6 spelling: transposes
  • dad2166 spelling: title
  • 171c418 spelling: threshold
  • Additional commits viewable in compare view

Updates github.com/docker/docker from 24.0.7+incompatible to 24.0.9+incompatible

Release notes

Sourced from github.com/docker/docker's releases.

v24.0.9

24.0.9

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

Security

This release contains security fixes for the following CVEs affecting Docker Engine and its components.

CVE Component Fix version Severity
CVE-2024-21626 runc 1.1.12 High, CVSS 8.6
CVE-2024-24557 Docker Engine 24.0.9 Medium, CVSS 6.9

Important ⚠️

Note that this release of Docker Engine doesn't include fixes for the following known vulnerabilities in BuildKit:

To address these vulnerabilities, upgrade to Docker Engine v25.0.2.

For more information about the security issues addressed in this release, and the unaddressed vulnerabilities in BuildKit, refer to the blog post. For details about each vulnerability, see the relevant security advisory:

Packaging updates

v24.0.8

24.0.8

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

Bug fixes and enhancements

  • Live restore: Containers with auto remove (docker run --rm) are no longer forcibly removed on engine restart. moby/moby#46857

... (truncated)

Commits
  • fca702d Merge pull request from GHSA-xw73-rw38-6vjc
  • f78a772 Merge pull request #47281 from thaJeztah/24.0_backport_bump_containerd_binary...
  • 61afffe Merge pull request #47270 from thaJeztah/24.0_backport_bump_runc_binary_1.1.12
  • b38e74c Merge pull request #47276 from thaJeztah/24.0_backport_bump_runc_1.1.12
  • dac5663 update containerd binary to v1.7.13
  • 20e1af3 vendor: github.com/opencontainers/runc v1.1.12
  • 858919d update runc binary to v1.1.12
  • 141ad39 Merge pull request #47266 from vvoland/ci-fix-makeps1-templatefail-24
  • db968c6 hack/make.ps1: Fix go list pattern
  • 61c51fb Merge pull request #47221 from vvoland/pkg-pools-close-noop-24
  • Additional commits viewable in compare view

Updates github.com/google/nftables from 0.1.1-0.20230115205135-9aa6fdf5a28c to 0.2.0

Commits

Updates github.com/opencontainers/runc from 1.1.5 to 1.1.12

Release notes

Sourced from github.com/opencontainers/runc's releases.

runc 1.1.12 -- "Now you're thinking with Portals™!"

This is the twelfth patch release in the 1.1.z release branch of runc. It fixes a high-severity container breakout vulnerability involving leaked file descriptors, and users are strongly encouraged to update as soon as possible.

  • Fix CVE-2024-21626, a container breakout attack that took advantage of a file descriptor that was leaked internally within runc (but never leaked to the container process).

    In addition to fixing the leak, several strict hardening measures were added to ensure that future internal leaks could not be used to break out in this manner again.

    Based on our research, while no other container runtime had a similar leak, none had any of the hardening steps we've introduced (and some runtimes would not check for any file descriptors that a calling process may have leaked to them, allowing for container breakouts due to basic user error).

Static Linking Notices

The runc binary distributed with this release are statically linked with the following GNU LGPL-2.1 licensed libraries, with runc acting as a "work that uses the Library":

The versions of these libraries were not modified from their upstream versions, but in order to comply with the LGPL-2.1 (§6(a)), we have attached the complete source code for those libraries which (when combined with the attached runc source code) may be used to exercise your rights under the LGPL-2.1.

However we strongly suggest that you make use of your distribution's packages or download them from the authoritative upstream sources, especially since these libraries are related to the security of your containers.

Thanks to all of the contributors who made this release possible:

Signed-off-by: Aleksa Sarai cyphar@cyphar.com

... (truncated)

Changelog

Sourced from github.com/opencontainers/runc's changelog.

[1.1.12] - 2024-01-31

Now you're thinking with Portals™!

Security

  • Fix CVE-2024-21626, a container breakout attack that took advantage of a file descriptor that was leaked internally within runc (but never leaked to the container process). In addition to fixing the leak, several strict hardening measures were added to ensure that future internal leaks could not be used to break out in this manner again. Based on our research, while no other container runtime had a similar leak, none had any of the hardening steps we've introduced (and some runtimes would not check for any file descriptors that a calling process may have leaked to them, allowing for container breakouts due to basic user error).

[1.1.11] - 2024-01-01

Happy New Year!

Fixed

Changed

  • Support memory.peak and memory.swap.peak in cgroups v2. Add swapOnlyUsage in MemoryStats. This field reports swap-only usage. For cgroupv1, Usage and Failcnt are set by subtracting memory usage from memory+swap usage. For cgroupv2, Usage, Limit, and MaxUsage are set. (#4000, #4010, #4131)
  • build(deps): bump github.com/cyphar/filepath-securejoin. (#4140)

[1.1.10] - 2023-10-31

Śruba, przykręcona we śnie, nie zmieni sytuacji, jaka panuje na jawie.

Added

  • Support for hugetlb.<pagesize>.rsvd limiting and accounting. Fixes the issue of postres failing when hugepage limits are set. (#3859, #4077)

Fixed

  • Fixed permissions of a newly created directories to not depend on the value of umask in tmpcopyup feature implementation. (#3991, #4060)
  • libcontainer: cgroup v1 GetStats now ignores missing kmem.limit_in_bytes (fixes the compatibility with Linux kernel 6.1+). (#4028)

... (truncated)

Commits
  • 51d5e94 VERSION: release 1.1.12
  • 2a4ed3e merge 1.1-GHSA-xr7r-f8xq-vfvv into release-1.1
  • e9665f4 init: don't special-case logrus fds
  • 683ad2f libcontainer: mark all non-stdio fds O_CLOEXEC before spawning init
  • b6633f4 cgroup: plug leaks of /sys/fs/cgroup handle
  • 284ba30 init: close internal fds before execve
  • fbe3eed setns init: do explicit lookup of execve argument early
  • 0994249 init: verify after chdir that cwd is inside the container
  • 506552a Fix File to Close
  • 099ff69 merge #4177 into opencontainers/runc:release-1.1
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
chore: bump the go_modules group across 1 directory with 9 updates
eb36832 
Bumps the go_modules group with 8 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [github.com/go-jose/go-jose/v3](https://github.com/go-jose/go-jose) | `3.0.0` | `3.0.3` |
| [github.com/moby/moby](https://github.com/moby/moby) | `24.0.1+incompatible` | `24.0.9+incompatible` |
| [golang.org/x/net](https://github.com/golang/net) | `0.18.0` | `0.23.0` |
| google.golang.org/protobuf | `1.31.0` | `1.33.0` |
| [github.com/cloudflare/circl](https://github.com/cloudflare/circl) | `1.3.3` | `1.3.7` |
| [github.com/docker/docker](https://github.com/docker/docker) | `24.0.7+incompatible` | `24.0.9+incompatible` |
| [github.com/google/nftables](https://github.com/google/nftables) | `0.1.1-0.20230115205135-9aa6fdf5a28c` | `0.2.0` |
| [github.com/opencontainers/runc](https://github.com/opencontainers/runc) | `1.1.5` | `1.1.12` |



Updates `github.com/go-jose/go-jose/v3` from 3.0.0 to 3.0.3
- [Release notes](https://github.com/go-jose/go-jose/releases)
- [Changelog](https://github.com/go-jose/go-jose/blob/v3.0.3/CHANGELOG.md)
- [Commits](go-jose/go-jose@v3.0.0...v3.0.3)

Updates `github.com/moby/moby` from 24.0.1+incompatible to 24.0.9+incompatible
- [Release notes](https://github.com/moby/moby/releases)
- [Commits](moby/moby@v24.0.1...v24.0.9)

Updates `golang.org/x/crypto` from 0.15.0 to 0.19.0
- [Commits](golang/crypto@v0.15.0...v0.19.0)

Updates `golang.org/x/net` from 0.18.0 to 0.23.0
- [Commits](golang/net@v0.18.0...v0.23.0)

Updates `google.golang.org/protobuf` from 1.31.0 to 1.33.0

Updates `github.com/cloudflare/circl` from 1.3.3 to 1.3.7
- [Release notes](https://github.com/cloudflare/circl/releases)
- [Commits](cloudflare/circl@v1.3.3...v1.3.7)

Updates `github.com/docker/docker` from 24.0.7+incompatible to 24.0.9+incompatible
- [Release notes](https://github.com/docker/docker/releases)
- [Commits](moby/moby@v24.0.7...v24.0.9)

Updates `github.com/google/nftables` from 0.1.1-0.20230115205135-9aa6fdf5a28c to 0.2.0
- [Commits](https://github.com/google/nftables/commits/v0.2.0)

Updates `github.com/opencontainers/runc` from 1.1.5 to 1.1.12
- [Release notes](https://github.com/opencontainers/runc/releases)
- [Changelog](https://github.com/opencontainers/runc/blob/main/CHANGELOG.md)
- [Commits](opencontainers/runc@v1.1.5...v1.1.12)

---
updated-dependencies:
- dependency-name: github.com/go-jose/go-jose/v3
  dependency-type: direct:production
  dependency-group: go_modules
- dependency-name: github.com/moby/moby
  dependency-type: direct:production
  dependency-group: go_modules
- dependency-name: golang.org/x/crypto
  dependency-type: direct:production
  dependency-group: go_modules
- dependency-name: golang.org/x/net
  dependency-type: direct:production
  dependency-group: go_modules
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  dependency-group: go_modules
- dependency-name: github.com/cloudflare/circl
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: github.com/docker/docker
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: github.com/google/nftables
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: github.com/opencontainers/runc
  dependency-type: indirect
  dependency-group: go_modules
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Jul 9, 2024
@dependabot dependabot bot mentioned this pull request Jul 9, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file go Pull requests that update Go code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant