
renovate-bot
Contributor

This PR contains the following updates:

Package                           | Change
github.com/cloudevents/sdk-go/v2  | v2.0.0 -> v2.15.2

GitHub Vulnerability Alerts

CVE-2024-28110

Impact

What kind of vulnerability is it? Who is impacted?
Using cloudevents.WithRoundTripper to create a cloudevents.Client with an authenticated http.RoundTripper causes the go-sdk to leak credentials to arbitrary endpoints.

The relevant code is here (also inline, with the two critical lines commented):

if p.Client == nil {
  p.Client = http.DefaultClient // falls back to the process-wide shared client
}

if p.roundTripper != nil {
  p.Client.Transport = p.roundTripper // mutates that shared client in place
}

When the transport is populated with an authenticated transport such as:

... then http.DefaultClient is modified with the authenticated transport and will start to send Authorization tokens to any endpoint it is used to contact!

Found and patched by: @tcnghia and @mattmoor
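To make the failure mode concrete, here is an added, self-contained Go illustration; it is not sdk-go code. A constructed bearer-token RoundTripper is installed the way the pre-fix snippet does it, by assigning onto http.DefaultClient, and an unrelated http.Get to a local httptest server then shows the token arriving there; fixedClient shows the scoped alternative. The authTransport type, the function names and the token value are all constructed for this example.

```go
package main

import (
	"io"
	"net/http"
	"net/http/httptest"
)

// authTransport is a constructed stand-in for an authenticated RoundTripper:
// it stamps a bearer token on every request it forwards.
type authTransport struct{ token string }

func (t authTransport) RoundTrip(r *http.Request) (*http.Response, error) {
	r = r.Clone(r.Context())
	r.Header.Set("Authorization", "Bearer "+t.token)
	return http.DefaultTransport.RoundTrip(r)
}

// vulnerableClient mirrors the pre-fix pattern quoted in the advisory:
// fall back to http.DefaultClient, then assign its Transport in place.
func vulnerableClient(rt http.RoundTripper) *http.Client {
	c := http.DefaultClient
	c.Transport = rt // every later user of DefaultClient now sends the token
	return c
}

// fixedClient gives the caller its own *http.Client; DefaultClient is untouched.
func fixedClient(rt http.RoundTripper) *http.Client {
	return &http.Client{Transport: rt}
}

// observedAuth builds a client with build, then sends an UNRELATED request via
// http.Get (which always uses http.DefaultClient) to a constructed local server
// that echoes back the Authorization header it received; "" means no leak.
func observedAuth(build func(http.RoundTripper) *http.Client) string {
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte(r.Header.Get("Authorization")))
	}))
	defer srv.Close()
	defer func() { http.DefaultClient.Transport = nil }() // undo any global mutation
	_ = build(authTransport{token: "constructed-secret"})
	resp, err := http.Get(srv.URL + "/unrelated-endpoint")
	if err != nil {
		return "error: " + err.Error()
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)
	return string(body)
}
```

observedAuth(vulnerableClient) returns "Bearer constructed-secret" while observedAuth(fixedClient) returns "", which is exactly the difference the v2.15.2 patch makes.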

Patches

v2.15.2


Release Notes

cloudevents/sdk-go (github.com/cloudevents/sdk-go/v2)

v2.15.2

Compare Source

What's Changed
  • Patch for a potential security issue. See CVE-2024-28110.
  • Note: this could be a breaking change for people if they purposely change golang's HTTP DefaultClient, or change the CloudEvents Client returned from NewClient, and expect those changes to be visible on other HTTP flows using those Clients. E.g. auth

Full Changelog: cloudevents/sdk-go@v2.15.1...v2.15.2

v2.15.1

Compare Source

What's Changed

New Contributors

Full Changelog: cloudevents/sdk-go@v2.15.0...v2.15.1

v2.15.0

Compare Source

Highlights 💫

This release includes various updates and improvements such as README enhancements, dependency bumps, bug fixes, race condition resolutions, and protocol-related adjustments. Notable changes involve upgrading dependencies like grpc and go.opentelemetry, addressing race conditions, fixing Kafka test issues, and introducing new features like binary content mode for NATS and JetStream protocols. Additionally, there are governance documentation updates, link corrections, and improvements in error handling and documentation across different modules.

Breaking 🚨

The Kafka Sarama protocol now uses the "github.com/IBM/sarama" Go module import path.

Commits 📄

896e1d0 Update README.md
75ec0f2 Bump actions/setup-go from 4 to 5
41e80f7 fixed couple issues
9ccd339 bugfix_value_type_of_dataschema
c8cbca9 adds unique package name for import
f1bca09 relative .pb.go generation, go_package set to package name
c20eef2 bump the pahao mqtt to v0.12
ed7be6b Add WithCustomAttributes for PubSub
be31358 returning the error when doing a nack in the message
ecead5c Make a few comments a bit clearer
57be3cd Try to make sure the Receiver starts before we send events
f5c7061 Try to fix race again - don't reuse clients for sender/receiver
8bea925 Bump google.golang.org/grpc from 1.56.1 to 1.56.3 in /samples/http
fa6be00 Bump google.golang.org/grpc from 1.56.1 to 1.56.3 in /protocol/pubsub/v2
7e05ecd Bump google.golang.org/grpc from 1.56.1 to 1.56.3 in /samples/pubsub
13825ba Sleep less to avoid timeouts
3162d69 Bump github.com/nats-io/nats-server/v2 in /protocol/stan/v2
ec8b0f9 deps: update nats dependencies
dae9f6c Bump go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp
1d6360b Bump go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp
06658a2 Bump go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp
7c1a3b1 fix race
6f5984b Move to go 1.18 Had to run gofmt and fix some weird typos due to tabs in the comments
0a006bb Fix race condition in kafka tests
510b002 issue 814 - Add binary content mode for NATS and JetStream protocols
ac3d30c add link to our security mailing list
9405398 Bump golang.org/x/net in /observability/opencensus/v2
3cbfae0 Bump golang.org/x/net from 0.9.0 to 0.17.0 in /protocol/pubsub/v2
65eb52e Bump golang.org/x/net from 0.12.0 to 0.17.0 in /protocol/kafka_sarama/v2
d25d6e4 Bump golang.org/x/net from 0.9.0 to 0.17.0 in /samples/pubsub
e4653a8 Bump golang.org/x/net from 0.12.0 to 0.17.0 in /test/conformance
6ed9f79 Bump golang.org/x/net from 0.9.0 to 0.17.0 in /samples/http
6a3393c Bump golang.org/x/net from 0.7.0 to 0.17.0 in /test/benchmark
806ef35 Bump golang.org/x/net from 0.12.0 to 0.17.0 in /samples/kafka
de13f1b Bump golang.org/x/net from 0.12.0 to 0.17.0 in /test/integration
3eefeb1 Governance docs per CE PR 1226
1bcaa28 Update links to cloudevents spec
6aa2742 context.Done() may never reach if waiting on r.incoming <- msgErr
4bcddda move it to write message
d06aea7 clean the the previous properties
0cc4fba Bump actions/checkout from 3 to 4
f1c0d0a change denpendency sarama from Shopify to IBM
f84be73 Updated based on feedback
310da90 Support ACK when receiving malformed events
808bf38 provide the qos and retain configuration for mqtt protocol
e085f1a correct the doc links
766b88e remove the usage of deprecated io/ioutil package
e15d03d add assertion helper for extension keys (#920)
c1482af append mqtt to the doc of protocol binding (#919)
ff22db5 Bump andstor/file-existence-action from 1 to 2 (#917)
bf156f1 call finish on unused messages; tidy retry logic
fdcb2d2 mqtt protocol binding (#910)
f681ac6 Bump grpc dependencies and workflow versions (#914)
c684ae9 vote to add embano1 as a maintainer
50b18a0 Bump golang.org/x/crypto in /samples/http (#902)
5232986 http: Fixes for Gin http receiver sample (#905)
9970acc Added a Gin http receiver sample (#842)
b7a65db add kafka topic/partition/offset to the extension of event (#896)
bc9170f Short-circuit AND expressions (#899)
eae656f Bump nokogiri from 1.14.2 to 1.14.3 in /docs (#891)
ff0a142 fix: Fixing syntax errors and add some test feedback (#892)
55e5dba Update RELEASING to be more explicit

v2.14.0

Compare Source

What's Changed

New Contributors

Full Changelog: cloudevents/sdk-go@v2.13.0...v2.14.0

v2.13.0

Compare Source

What's Changed

New Contributors

Full Changelog: cloudevents/sdk-go@v2.12.0...v2.13.0

v2.12.0

Compare Source

What's Changed

New Contributors

Full Changelog: cloudevents/sdk-go@v2.11.0...v2.12.0

v2.11.0: Release 2.11.0

Compare Source

What's Changed

New Contributors

Full Changelog: cloudevents/sdk-go@v2.10.0...v2.11.0

v2.10.1

Compare Source

What's Changed

Full Changelog: cloudevents/sdk-go@v2.10.0...v2.10.1

v2.10.0

Compare Source

What's Changed

New Contributors

Full Changelog: cloudevents/sdk-go@v2.9.0...v2.10.0

v2.9.0

Compare Source

What's Changed

New Contributors

Full Changelog: cloudevents/sdk-go@v2.8.0...v2.9.0

v2.8.0

Compare Source

What's Changed

New Contributors

Full Changelog: cloudevents/sdk-go@v2.7.0...v2.8.0

v2.7.0

Compare Source

What's Changed

New Contributors

Full Changelog: cloudevents/sdk-go@v2.6.0...v2.7.0

v2.6.1

Compare Source

v2.6.0

Compare Source

What's Changed

New Contributors

Full Changelog: cloudevents/sdk-go@v2.5.0...v2.6.0

v2.5.0

Compare Source

Core SDK

Project moved to add SPDX Authors headers using Apache 2.0. https://github.com/cloudevents/sdk-go/pull/681

HTTP

Send now returns error with the status code if not 2xx status code. https://github.com/cloudevents/sdk-go/pull/686

Bug fix: Finish() was not called in Send(), leading to http connection leaks. https://github.com/cloudevents/sdk-go/pull/689

Added an http tracing receiver sample. https://github.com/cloudevents/sdk-go/pull/696

AMQP

Bump amqp version to 13.7. https://github.com/cloudevents/sdk-go/pull/687

Protobuf Binding (NEW)

Added protobuf format support. https://github.com/cloudevents/sdk-go/pull/662 https://github.com/cloudevents/sdk-go/pull/688

  • An implementation of format.Format was added for protobuf encoding of the event envelope.
  • Also adds the ability to send and receive protobuf encoded data within the envelope.

SQL (NEW)

Added CESQL implementation. https://github.com/cloudevents/sdk-go/pull/680

NATS JetStream (NEW)

Added integration for NATS JetStream as a protocol choice. https://github.com/cloudevents/sdk-go/pull/695


Thanks to:

v2.4.1

Compare Source

General

Thanks:

v2.4.0

Compare Source

General

WARNING: We had to introduce a breaking change to importing client.EventTraceAttributes; it can now be found in a new import:

import "github.com/cloudevents/sdk-go/observability/opencensus/v2/client"

// Then use:
_ = client.EventTraceAttributes

Diff:

+       "github.com/cloudevents/sdk-go/observability/opencensus/v2/client"
-       "github.com/cloudevents/sdk-go/v2/client"
Websockets
HTTP
STAN
Kafka
AMQP

Thanks

Thank you to everyone who has used and contributed to the CloudEvents SDK for Golang, special shoutouts to:

v2.3.1

Compare Source

Correcting sub-modules to use the latest release. See https://github.com/cloudevents/sdk-go/releases/tag/v2.3.0

v2.3.0

Compare Source

General
  • Better data handling when calling binding.ToEvent @ian-mi
  • Corrected client.Invoke error messaging format @odacremolbap
  • Client no longer blocked on GOMAXPROC receivers @n3wscott
  • Recover from panic in client.Invoke from handler function @matejvasek
  • Client receiver/responder functions: Fix handler input types variance. @matejvasek
  • StartReceiver returns if it can't start listening @matejvasek
HTTP
  • Now retries when the target returns a 502 status code @duglin
  • New http.NewObserved adds trace-propagating middleware to the created HTTP protocol and is used to add trace propagation to the default HTTP client. @ian-mi
GoChan
Kafka
  • Allow constructing a mock sender for unit testing @aslom
Pub/Sub
  • Copy of buffer prevented when writing to pubsub.Message @ian-mi

v2.2.0

Compare Source

New features:

  • Kafka: Added WithMessageKey to add the key to a producer message (#549)

Bug Fixes:

  • Client.Request was not wrapping the result into the Receipt, fixed in #550
  • Field errors were being skipped on event validation, fixed in #555
  • HTTP Binary messages became invalid if a transformer deleted an extension, fixed in #557
  • Client was checking for !IsACK for response parsing, should have been looking for IsUndelivered, fixed in #559
  • Bumped sarama to v1.15.0 (#548)

v2.1.0

Compare Source

API Additions:
  • IsDelivered was added to complement IsACK and IsNACK for understanding event delivery results. (#542)
  • More assertions and helper functions added to ./test (#522, #532, #538)
Bug Fixes:
  • HTTP standalone mode had a bug which was fixed (#541)
  • EventReceiver now propagates request context (#540)
  • PubSub no longer nil-pointers on missing format (#528)

Thanks to everyone who helped make this point release possible!!


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate. View the repository job log.

@akerekes akerekes merged commit 0fbbc8b into GoogleCloudPlatform:main Feb 7, 2025
8 of 11 checks passed
@renovate-bot renovate-bot deleted the renovate/go-github.com-cloudevents-sdk-go-v2-vulnerability branch February 7, 2025 00:46