Skip to content

vendor: github.com/golang/protobuf v1.5.4#9967

Merged
dmcgowan merged 1 commit intocontainerd:mainfrom
thaJeztah:bump_protobuf
Mar 18, 2024
Merged

vendor: github.com/golang/protobuf v1.5.4#9967
dmcgowan merged 1 commit intocontainerd:mainfrom
thaJeztah:bump_protobuf

Conversation

@thaJeztah
Copy link
Member

@thaJeztah thaJeztah commented Mar 18, 2024

commit 10c7f03 updated google.golang.org/protobuf to v1.33.0, which addresses CVE-2024-24786, however a follow-up post on the Golang security list issued a warning that the v1.33.0 update introduced a breaking change, causing compatibility with github.com/golang/protobuf to be broken;

A small correction: This vulnerability applies when the UnmarshalOptions.DiscardUnknown
option is set (as well as when unmarshaling into any message which contains a
google.protobuf.Any). There is no UnmarshalUnknown option.

In addition, version 1.33.0 of google.golang.org/protobuf inadvertently
introduced an incompatibility with the older github.com/golang/protobuf
module. (golang/protobuf#1596) Users of the older
module should update to github.com/golang/protobuf@v1.5.4.

Containerd itself does not appear to be using this code, but consumers may be, so update the github.com/golang/protobuf to restore compatibility.

@thaJeztah
vendor: github.com/golang/protobuf v1.5.4
45e425c 
commit 10c7f03 updated google.golang.org/protobuf
to v1.33.0, which addresses CVE-2024-24786, however a follow-up post on the
Golang security list issued a warning that the v1.33.0 update introduced a
breaking change, causing compatibility with github.com/golang/protobuf to be
broken;

> A small correction: This vulnerability applies when the UnmarshalOptions.DiscardUnknown
> option is set (as well as when unmarshaling into any message which contains a
> google.protobuf.Any). There is no UnmarshalUnknown option.
>
> In addition, version 1.33.0 of google.golang.org/protobuf inadvertently
> introduced an incompatibility with the older github.com/golang/protobuf
> module. (golang/protobuf#1596) Users of the older
> module should update to github.com/golang/protobuf@v1.5.4.

Containerd itself does not appear to be using this code, but consumers may be,
so update the github.com/golang/protobuf to restore compatibility.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
@thaJeztah thaJeztah added cherry-pick/1.6.x cherry-pick/1.7.x Change to be cherry picked to release/1.7 branch labels Mar 18, 2024
@thaJeztah thaJeztah requested a review from dmcgowan March 18, 2024 17:41
@dmcgowan dmcgowan added this pull request to the merge queue Mar 18, 2024
Merged via the queue into containerd:main with commit d3a77cb Mar 18, 2024
This was referenced Mar 20, 2024
Merged
Merged
@AkihiroSuda AkihiroSuda added cherry-picked/1.6.x PR commits are cherry-picked into release/1.6 branch cherry-picked/1.7.x PR commits are cherry-picked into release/1.7 branch and removed cherry-pick/1.6.x cherry-pick/1.7.x Change to be cherry picked to release/1.7 branch labels Apr 23, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dmcgowan dmcgowan dmcgowan approved these changes

@estesp estesp estesp approved these changes

Assignees

No one assigned

Labels

cherry-picked/1.6.x PR commits are cherry-picked into release/1.6 branch cherry-picked/1.7.x PR commits are cherry-picked into release/1.7 branch size/S

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@thaJeztah @dmcgowan @estesp @AkihiroSuda @k8s-ci-robot