chore(deps): update module google.golang.org/protobuf to v1.33.0 [security] (!265) · Merge requests · The Tor Project / Anti-censorship / Pluggable Transports / Snowflake

Renovate Bot requested to merge renovate/go-google.golang.org/protobuf-vulnerability into main Mar 06, 2024

This MR contains the following updates:

Package	Type	Update	Change
google.golang.org/protobuf	require	minor	`v1.32.0` -> `v1.33.0`

Infinite loop in JSON unmarshaling in google.golang.org/protobuf

CVE-2024-24786 / GO-2024-2611

More information

Details

The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.

Severity

Unknown

References

https://go.dev/cl/569356

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

Release Notes

protocolbuffers/protobuf-go (google.golang.org/protobuf)

`v1.33.0`

Compare Source

This release contains one security fix:

encoding/protojson: Unmarshal could enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set. Unmarshal now correctly returns an error when handling these inputs. This is CVE-2024-24786.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this MR and you won't be reminded about this update again.

If you want to rebase/retry this MR, check this box

This MR has been generated by Renovate Bot.

chore(deps): update module google.golang.org/protobuf to v1.33.0 [security]