dancefinder/dancefetcher
5
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Activity

Chore(deps): [security] bump golang.org/x/text from 0.3.2 to 0.3.8 #37

Merged
argoyle merged 1 commits from dependabot-go_modules-golang.org-x-text-0.3.8 into master 2023-05-23 17:38:35 +00:00
Conversation 0 Commits 1 Files Changed 2
+3 -2
argoyle commented 2023-05-23 17:35:14 +00:00 (Migrated from gitlab.com)
Copy Link
Copy Source

Bumps golang.org/x/text from 0.3.2 to 0.3.8. This update includes security fixes.

Vulnerabilities fixed

Denial of service in golang.org/x/text/language The BCP 47 tag parser has quadratic time complexity due to inherent aspects of its design. Since the parser is, by design, exposed to untrusted user input, this can be leveraged to force a program to consume significant time parsing Accept-Language headers. The parser cannot be easily rewritten to fix this behavior for various reasons. Instead the solution implemented in this CL is to limit the total complexity of tags passed into ParseAcceptLanguage by limiting the number of dashes in the string to 1000. This should be more than enough for the majority of real world use cases, where the number of tags being sent is likely to be in the single digits.

Patched versions: 0.3.8 Affected versions: < 0.3.8

golang.org/x/text/language Out-of-bounds Read vulnerability golang.org/x/text/language in golang.org/x/text before 0.3.7 can panic with an out-of-bounds read during BCP 47 language tag parsing. Index calculation is mishandled. If parsing untrusted user input, this can be used as a vector for a denial-of-service attack.

Patched versions: 0.3.7 Affected versions: < 0.3.7

Commits
  • 434eadc language: reject excessively large Accept-Language strings
  • 23407e7 go.mod: ignore cyclic dependency for tagging
  • b18d3dd secure/precis: replace bytes.Compare with bytes.Equal
  • 795e854 all: replace io/ioutil with io and os package
  • b0ca10f internal/language: bump script types to uint16 and update registry
  • ba9b0e1 go.mod: update x/tools to HEAD
  • d03b418 A+C: delete AUTHORS and CONTRIBUTORS
  • b4bca84 language/display: fix Tag method comment
  • ea49e3e go.mod: update x/tools to HEAD
  • 78819d0 go.mod: update to golang.org/x/text v0.1.10
  • Additional commits viewable in compare view

Dependabot commands
You can trigger Dependabot actions by commenting on this MR
  • $dependabot rebase will rebase this MR. Deprecated, use GitLab's native /rebase instead
  • $dependabot recreate will recreate this MR rewriting all the manual changes and resolving conflicts
Bumps [golang.org/x/text](https://github.com/golang/text) from 0.3.2 to 0.3.8. **This update includes security fixes.** <details> <summary>Vulnerabilities fixed</summary> <blockquote> <p><strong>Denial of service in golang.org/x/text/language</strong> The BCP 47 tag parser has quadratic time complexity due to inherent aspects of its design. Since the parser is, by design, exposed to untrusted user input, this can be leveraged to force a program to consume significant time parsing Accept-Language headers. The parser cannot be easily rewritten to fix this behavior for various reasons. Instead the solution implemented in this CL is to limit the total complexity of tags passed into ParseAcceptLanguage by limiting the number of dashes in the string to 1000. This should be more than enough for the majority of real world use cases, where the number of tags being sent is likely to be in the single digits.</p> <p>Patched versions: 0.3.8 Affected versions: &lt; 0.3.8</p> </blockquote> <blockquote> <p><strong>golang.org/x/text/language Out-of-bounds Read vulnerability</strong> golang.org/x/text/language in golang.org/x/text before 0.3.7 can panic with an out-of-bounds read during BCP 47 language tag parsing. Index calculation is mishandled. If parsing untrusted user input, this can be used as a vector for a denial-of-service attack.</p> <p>Patched versions: 0.3.7 Affected versions: &lt; 0.3.7</p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/golang/text/commit/434eadcdbc3b0256971992e8c70027278364c72c"><code>434eadc</code></a> language: reject excessively large Accept-Language strings</li> <li><a href="https://github.com/golang/text/commit/23407e72ed5b895a2dfd230aec777f4fbe026d6a"><code>23407e7</code></a> go.mod: ignore cyclic dependency for tagging</li> <li><a href="https://github.com/golang/text/commit/b18d3dd8a4b426ebedcf279b593e85ac4985b9d3"><code>b18d3dd</code></a> secure/precis: replace bytes.Compare with bytes.Equal</li> <li><a href="https://github.com/golang/text/commit/795e854ff348c9cac4fd0033ce04c417705dd0bb"><code>795e854</code></a> all: replace io/ioutil with io and os package</li> <li><a href="https://github.com/golang/text/commit/b0ca10ff35f1325c7d0ac7830fe3f036bd72d8f9"><code>b0ca10f</code></a> internal/language: bump script types to uint16 and update registry</li> <li><a href="https://github.com/golang/text/commit/ba9b0e1d4b03523c708709935fbc961124b6967b"><code>ba9b0e1</code></a> go.mod: update x/tools to HEAD</li> <li><a href="https://github.com/golang/text/commit/d03b41800055b01e3895b1e047af09733c93bf63"><code>d03b418</code></a> A+C: delete AUTHORS and CONTRIBUTORS</li> <li><a href="https://github.com/golang/text/commit/b4bca84b03619dba00657375259024a7f8ae6712"><code>b4bca84</code></a> language/display: fix Tag method comment</li> <li><a href="https://github.com/golang/text/commit/ea49e3e2d5b3f1518081d8bc53ffefc8bc60ecec"><code>ea49e3e</code></a> go.mod: update x/tools to HEAD</li> <li><a href="https://github.com/golang/text/commit/78819d01d041a94e055bbaa2d95e5e4d49e8f8a0"><code>78819d0</code></a> go.mod: update to golang.org/x/text v0.1.10</li> <li>Additional commits viewable in <a href="https://github.com/golang/text/compare/v0.3.2...v0.3.8">compare view</a></li> </ul> </details> <br /> --- <details> <summary>Dependabot commands</summary> <br /> You can trigger Dependabot actions by commenting on this MR - `$dependabot rebase` will rebase this MR. Deprecated, use GitLab's native /rebase instead - `$dependabot recreate` will recreate this MR rewriting all the manual changes and resolving conflicts </details>
argoyle (Migrated from gitlab.com) scheduled this pull request to auto merge when all checks succeed 2023-05-23 17:35:56 +00:00
argoyle (Migrated from gitlab.com) merged commit into master 2023-05-23 17:38:35 +00:00
Sign in to join this conversation.
Reviewers
No Reviewers
Labels
Clear labels
dependencies
Pull requests that update a dependency file
 docker
go
security
Pull requests that address a security vulnerability
 severity:moderate
No Label dependencies go security
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
argoyle (Joakim Olsson) buildtools (Buildtools) kubernetes (Kubernetes) releaser (Unbound Releaser) renovate (Renovate Bot)
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: dancefinder/dancefetcher#37
Delete Branch "dependabot-go_modules-golang.org-x-text-0.3.8"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?