This repository was archived by the owner on Nov 17, 2024. It is now read-only.
chore(deps): update dependency protobuf to v3.18.3 [security] #182
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![renovate[bot]](https://avatars.githubusercontent.com/in/2740?s=60&v=4){kind=small}
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/pypi-protobuf-vulnerability
branch
from
eb24582 to
d32dff5
Compare
renovate
bot
force-pushed
the
renovate/pypi-protobuf-vulnerability
branch
from
d32dff5 to
f9a74aa
Compare
renovate
bot
changed the title
|
|
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/pypi-protobuf-vulnerability
branch
from
f9a74aa to
003680b
Compare
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/pypi-protobuf-vulnerability
branch
from
003680b to
e52627c
Compare
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/pypi-protobuf-vulnerability
branch
from
e52627c to
dd3b6d1
Compare
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/pypi-protobuf-vulnerability
branch
from
dd3b6d1 to
3b92593
Compare
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/pypi-protobuf-vulnerability
branch
from
3b92593 to
b590020
Compare
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/pypi-protobuf-vulnerability
branch
from
b590020 to
069c4ee
Compare
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/pypi-protobuf-vulnerability
branch
from
069c4ee to
86b9d27
Compare
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/pypi-protobuf-vulnerability
branch
from
86b9d27 to
bc27efa
Compare
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/pypi-protobuf-vulnerability
branch
from
bc27efa to
ce1d755
Compare
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/pypi-protobuf-vulnerability
branch
from
ce1d755 to
898d8e6
Compare
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/pypi-protobuf-vulnerability
branch
from
898d8e6 to
52edf63
Compare
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/pypi-protobuf-vulnerability
branch
from
52edf63 to
98065d5
Compare
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/pypi-protobuf-vulnerability
branch
from
f3b052e to
aaa4ba1
Compare
renovate
bot
force-pushed
the
renovate/pypi-protobuf-vulnerability
branch
from
aaa4ba1 to
5c69d90
Compare
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/pypi-protobuf-vulnerability
branch
from
5c69d90 to
0ab735d
Compare
renovate
bot
changed the title
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/pypi-protobuf-vulnerability
branch
from
0ab735d to
da82824
Compare
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/pypi-protobuf-vulnerability
branch
from
da82824 to
717b6b8
Compare
renovate
bot
force-pushed
the
renovate/pypi-protobuf-vulnerability
branch
from
717b6b8 to
302507d
Compare
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/pypi-protobuf-vulnerability
branch
from
302507d to
b2757fe
Compare
renovate
bot
changed the title
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/pypi-protobuf-vulnerability
branch
from
b2757fe to
7653398
Compare
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/pypi-protobuf-vulnerability
branch
from
7653398 to
b791a2b
Compare
renovate
bot
force-pushed
the
renovate/pypi-protobuf-vulnerability
branch
from
b791a2b to
37cb6bf
Compare
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/pypi-protobuf-vulnerability
branch
from
37cb6bf to
f9c0c24
Compare
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/pypi-protobuf-vulnerability
branch
from
f9c0c24 to
2f7301c
Compare
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/pypi-protobuf-vulnerability
branch
from
2f7301c to
37e083f
Compare
renovate
bot
changed the title
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/pypi-protobuf-vulnerability
branch
from
37e083f to
d94bde0
Compare
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/pypi-protobuf-vulnerability
branch
from
d94bde0 to
fb2931e
Compare
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
==3.14.0->==3.18.3GitHub Vulnerability Alerts
CVE-2021-22570
Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater.
CVE-2022-1941
Summary
A message parsing and memory management vulnerability in ProtocolBuffer’s C++ and Python implementations can trigger an out of memory (OOM) failure when processing a specially crafted message, which could lead to a denial of service (DoS) on services using the libraries.
Reporter: ClusterFuzz
Affected versions: All versions of C++ Protobufs (including Python) prior to the versions listed below.
Severity & Impact
As scored by google
Medium 5.7 - CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Asscored byt NIST
High 7.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
A small (~500 KB) malicious payload can be constructed which causes the running service to allocate more than 3GB of RAM.
Proof of Concept
For reproduction details, please refer to the unit test that identifies the specific inputs that exercise this parsing weakness.
Mitigation / Patching
Please update to the latest available versions of the following packages:
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.