Skip to content

Update github.com/gogo/protobuf (CVE-2021-3121)#1066

Closed
imander wants to merge 1 commit intospf13:masterfrom
imander:CVE-2021-3121
Closed

Update github.com/gogo/protobuf (CVE-2021-3121)#1066
imander wants to merge 1 commit intospf13:masterfrom
imander:CVE-2021-3121

Conversation

@imander
Copy link

@imander imander commented Jan 19, 2021

Update github.com/gogo/protobuf to v1.3.2 in response to CVE-2021-3121

@CLAassistant
Copy link

CLAassistant commented Jan 19, 2021
edited
Loading

CLA assistant check
All committers have signed the CLA.

@github-actions
Copy link

github-actions bot commented Jan 19, 2021

👋 Thanks for contributing to Viper! You are awesome! 🎉

A maintainer will take a look at your pull request shortly. 👀

In the meantime: We are working on Viper v2 and we would love to hear your thoughts about what you like or don't like about Viper, so we can improve or fix those issues.

⏰ If you have a couple minutes, please take some time and share your thoughts: https://forms.gle/R6faU74qPRPAzchZ9

📣 If you've already given us your feedback, you can still help by spreading the news,
either by sharing the above link or telling people about this on Twitter:

https://twitter.com/sagikazarmark/status/1306904078967074816

Thank you! ❤️

@imander imander force-pushed the CVE-2021-3121 branch 3 times, most recently from f04f0c5 to 90ed4cf Compare January 19, 2021 22:30
@FrancoisWagner
Copy link

FrancoisWagner commented Jan 27, 2021

I am also eager to have this fix in 👍

@sagikazarmark sagikazarmark self-assigned this Feb 2, 2021
@sagikazarmark sagikazarmark self-requested a review February 2, 2021 02:13
@AriehSchneier
Copy link

AriehSchneier commented Feb 19, 2021
edited
Loading

You will also need to upgrade github.com/prometheus/client_golang as the current dependency version is also using a bad version of protobuf

@Nivl Nivl mentioned this pull request Mar 27, 2021
Merged
alovak added a commit to moov-io/infra that referenced this pull request Mar 29, 2021
@alovak
Update lint-project.sh
4877482 
Our CI fails because of [CVE-2021-3121] in gogo/protobuf, which is a dependency in Viper -> Prometheus common -> Go Kit -> ...

There is a 3 month old PR in viper: spf13/viper#1066

Viper is used to read configs, maybe it's safe to ignore it.
@alovak alovak mentioned this pull request Mar 29, 2021
Closed
@adamdecaf
Copy link

adamdecaf commented Mar 29, 2021

Is there an update on getting this merged? Maybe @sagikazarmark can help as he is the latest committer.

I can open a new PR that is good to merge if needed.

@bhamail bhamail mentioned this pull request Mar 29, 2021
Open
@samaras3
Copy link

samaras3 commented Apr 15, 2021

Hey guys, is there any update on this? Would love to see this merged.

@sagikazarmark sagikazarmark mentioned this pull request Apr 15, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sagikazarmark sagikazarmark Awaiting requested review from sagikazarmark

1 more reviewer

@bogdandrutu bogdandrutu bogdandrutu approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@sagikazarmark sagikazarmark

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

8 participants

@imander @CLAassistant @FrancoisWagner @AriehSchneier @adamdecaf @samaras3 @bogdandrutu @sagikazarmark