
chore(deps): update module github.com/cloudevents/sdk-go/v2 to v2.15.2 [security]

Open renovate-bot opened this issue 1 year ago • 0 comments

Mend Renovate

This PR contains the following updates:

Package: github.com/cloudevents/sdk-go/v2
Change: v2.14.0 -> v2.15.2

GitHub Vulnerability Alerts

CVE-2024-28110

Impact

What kind of vulnerability is it? Who is impacted? Using cloudevents.WithRoundTripper to create a cloudevents.Client with an authenticated http.RoundTripper causes the go-sdk to leak credentials to arbitrary endpoints.

The relevant code is here (also inline, emphasis added):

    if p.Client == nil {
        p.Client = http.DefaultClient // emphasised in the original: the process-wide shared client is adopted
    }

    if p.roundTripper != nil {
        p.Client.Transport = p.roundTripper // emphasised in the original: that shared client's Transport is overwritten
    }

When the transport is populated with an authenticated transport such as:

... then http.DefaultClient is modified with the authenticated transport and will start to send Authorization tokens to any endpoint it is used to contact!
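The leak described above, reproduced as an added example (this is not code from cloudevents/sdk-go or from this PR): the pre-v2.15.2 assignment beside a version that copies the default client before touching its transport, plus a check that tells the two apart. authRoundTripper, protocol and both apply functions are constructed stand-ins, reduced to what the bug needs.

```go
package main

import "net/http"

// authRoundTripper is a constructed stand-in for an authenticated transport.
type authRoundTripper struct{ token string }

// RoundTrip stamps the bearer token on a copy of the request and forwards it.
func (a *authRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
	req = req.Clone(req.Context())
	req.Header.Set("Authorization", "Bearer "+a.token)
	return http.DefaultTransport.RoundTrip(req)
}

// protocol holds only the two fields the advisory's snippet touches (assumed).
type protocol struct {
	Client       *http.Client
	roundTripper http.RoundTripper
}

// applyTransportVulnerable reproduces the pre-v2.15.2 logic: with no client
// supplied it adopts http.DefaultClient and overwrites that shared client's Transport.
func applyTransportVulnerable(p *protocol) *http.Client {
	if p.Client == nil {
		p.Client = http.DefaultClient
	}
	if p.roundTripper != nil {
		p.Client.Transport = p.roundTripper
	}
	return p.Client
}

// applyTransportFixed never mutates a client it does not own: it copies the
// default client's settings into a fresh *http.Client and sets the transport there.
func applyTransportFixed(p *protocol) *http.Client {
	if p.Client == nil {
		c := *http.DefaultClient // copy the struct value, not the pointer
		p.Client = &c
	}
	if p.roundTripper != nil {
		p.Client.Transport = p.roundTripper
	}
	return p.Client
}

// defaultClientLeaks reports whether http.DefaultClient now carries the
// authenticated transport, i.e. whether unrelated callers would send the token everywhere.
func defaultClientLeaks() bool {
	_, leaked := http.DefaultClient.Transport.(*authRoundTripper)
	return leaked
}
```

Any code in the same process that calls http.Get or uses http.DefaultClient directly is affected by the vulnerable path, which is why the advisory speaks of arbitrary endpoints.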

Found and patched by: @tcnghia and @mattmoor

Patches

v2.15.2


Release Notes

cloudevents/sdk-go (github.com/cloudevents/sdk-go/v2)

v2.15.2

Compare Source

What's Changed

  • Patch for a potential security issue. See CVE-2024-28110.
  • Note: this could be a breaking change for people if they purposely change golang's HTTP DefaultClient, or change the CloudEvents Client returned from NewClient, and expect those changes to be visible on other HTTP flows using those Clients. E.g. auth

Full Changelog: https://github.com/cloudevents/sdk-go/compare/v2.15.1...v2.15.2

v2.15.1

Compare Source

What's Changed
New Contributors

Full Changelog: https://github.com/cloudevents/sdk-go/compare/v2.15.0...v2.15.1

v2.15.0

Compare Source

Highlights 💫

This release includes various updates and improvements such as README enhancements, dependency bumps, bug fixes, race condition resolutions, and protocol-related adjustments. Notable changes involve upgrading dependencies like grpc and go.opentelemetry, addressing race conditions, fixing Kafka test issues, and introducing new features like binary content mode for NATS and JetStream protocols. Additionally, there are governance documentation updates, link corrections, and improvements in error handling and documentation across different modules.

Breaking 🚨

The Kafka Sarama protocol now uses the "github.com/IBM/sarama" Go module import path.

Commits 📄

  • 896e1d0 Update README.md
  • 75ec0f2 Bump actions/setup-go from 4 to 5
  • 41e80f7 fixed couple issues
  • 9ccd339 bugfix_value_type_of_dataschema
  • c8cbca9 adds unique package name for import
  • f1bca09 relative .pb.go generation, go_package set to package name
  • c20eef2 bump the paho mqtt to v0.12
  • ed7be6b Add WithCustomAttributes for PubSub
  • be31358 returning the error when doing a nack in the message
  • ecead5c Make a few comments a bit clearer
  • 57be3cd Try to make sure the Receiver starts before we send events
  • f5c7061 Try to fix race again - don't reuse clients for sender/receiver
  • 8bea925 Bump google.golang.org/grpc from 1.56.1 to 1.56.3 in /samples/http
  • fa6be00 Bump google.golang.org/grpc from 1.56.1 to 1.56.3 in /protocol/pubsub/v2
  • 7e05ecd Bump google.golang.org/grpc from 1.56.1 to 1.56.3 in /samples/pubsub
  • 13825ba Sleep less to avoid timeouts
  • 3162d69 Bump github.com/nats-io/nats-server/v2 in /protocol/stan/v2
  • ec8b0f9 deps: update nats dependencies
  • dae9f6c Bump go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp
  • 1d6360b Bump go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp
  • 06658a2 Bump go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp
  • 7c1a3b1 fix race
  • 6f5984b Move to go 1.18. Had to run gofmt and fix some weird typos due to tabs in the comments
  • 0a006bb Fix race condition in kafka tests
  • 510b002 issue 814 - Add binary content mode for NATS and JetStream protocols
  • ac3d30c add link to our security mailing list
  • 9405398 Bump golang.org/x/net in /observability/opencensus/v2
  • 3cbfae0 Bump golang.org/x/net from 0.9.0 to 0.17.0 in /protocol/pubsub/v2
  • 65eb52e Bump golang.org/x/net from 0.12.0 to 0.17.0 in /protocol/kafka_sarama/v2
  • d25d6e4 Bump golang.org/x/net from 0.9.0 to 0.17.0 in /samples/pubsub
  • e4653a8 Bump golang.org/x/net from 0.12.0 to 0.17.0 in /test/conformance
  • 6ed9f79 Bump golang.org/x/net from 0.9.0 to 0.17.0 in /samples/http
  • 6a3393c Bump golang.org/x/net from 0.7.0 to 0.17.0 in /test/benchmark
  • 806ef35 Bump golang.org/x/net from 0.12.0 to 0.17.0 in /samples/kafka
  • de13f1b Bump golang.org/x/net from 0.12.0 to 0.17.0 in /test/integration
  • 3eefeb1 Governance docs per CE PR 1226
  • 1bcaa28 Update links to cloudevents spec
  • 6aa2742 context.Done() may never reach if waiting on r.incoming <- msgErr
  • 4bcddda move it to write message
  • d06aea7 clean the previous properties
  • 0cc4fba Bump actions/checkout from 3 to 4
  • f1c0d0a change dependency sarama from Shopify to IBM
  • f84be73 Updated based on feedback
  • 310da90 Support ACK when receiving malformed events
  • 808bf38 provide the qos and retain configuration for mqtt protocol
  • e085f1a correct the doc links
  • 766b88e remove the usage of deprecated io/ioutil package
  • e15d03d add assertion helper for extension keys (#920)
  • c1482af append mqtt to the doc of protocol binding (#919)
  • ff22db5 Bump andstor/file-existence-action from 1 to 2 (#917)
  • bf156f1 call finish on unused messages; tidy retry logic
  • fdcb2d2 mqtt protocol binding (#910)
  • f681ac6 Bump grpc dependencies and workflow versions (#914)
  • c684ae9 vote to add embano1 as a maintainer
  • 50b18a0 Bump golang.org/x/crypto in /samples/http (#902)
  • 5232986 http: Fixes for Gin http receiver sample (#905)
  • 9970acc Added a Gin http receiver sample (#842)
  • b7a65db add kafka topic/partition/offset to the extension of event (#896)
  • bc9170f Short-circuit AND expressions (#899)
  • eae656f Bump nokogiri from 1.14.2 to 1.14.3 in /docs (#891)
  • ff0a142 fix: Fixing syntax errors and add some test feedback (#892)
  • 55e5dba Update RELEASING to be more explicit


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Mend Renovate.

renovate-bot, Mar 06 '24 20:03