Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bump gjson to fix two security vulnerabilities. #1220

Merged
merged 1 commit into from
Sep 7, 2021
Merged

Bump gjson to fix two security vulnerabilities. #1220

merged 1 commit into from
Sep 7, 2021

Conversation

dlorenc
Copy link
Contributor

@dlorenc dlorenc commented Sep 6, 2021

Changes

gjson v1.6.5 is vulnerable to two denial of service attacks:

These were reported in CVE-2020-36067.

Signed-off-by: Dan Lorenc lorenc.d@gmail.com

Submitter Checklist

These are the criteria that every PR should meet, please check them off as you
review them:

See the contribution guide for more details.

Release Notes

The github.com/tidwall/gjson dependency was bumped to resolve CVE-2020-36067.

@tekton-robot tekton-robot added the release-note Denotes a PR that will be considered when it comes time to generate release notes. label Sep 6, 2021
@tekton-robot tekton-robot added the size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. label Sep 6, 2021
@dlorenc
Copy link
Contributor Author

dlorenc commented Sep 6, 2021

It seems like this library was recently bumped for another CVE: #1164

@dlorenc
Bump gjson to fix two security vulnerabilities.
e2af7e7 
gjson v1.6.5 is vulnerable to two denial of service attacks:
- https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMTIDWALLGJSON-1055822
- https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMTIDWALLGJSON-1056415

These were reported in CVE-2020-36067.

Signed-off-by: Dan Lorenc <lorenc.d@gmail.com>
mattmoor
mattmoor approved these changes Sep 6, 2021
View reviewed changes
Copy link
Member

@mattmoor mattmoor left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@tekton-robot tekton-robot added the lgtm Indicates that a PR is ready to be merged. label Sep 6, 2021
@savitaashture
Copy link
Contributor

It seems like this library was recently bumped for another CVE: #1164

Yes i think
/cc @dibyom

@dibyom
Copy link
Member

dibyom commented Sep 7, 2021

/approve

@tekton-robot
Copy link

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dibyom, mattmoor

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tekton-robot tekton-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Sep 7, 2021
@tekton-robot tekton-robot merged commit f41ada7 into tektoncd:main Sep 7, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mattmoor mattmoor mattmoor approved these changes

@bobcatfish bobcatfish Awaiting requested review from bobcatfish

@wlynch wlynch Awaiting requested review from wlynch

@dibyom dibyom Awaiting requested review from dibyom

Assignees

@mattmoor mattmoor

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@dlorenc @savitaashture @dibyom @tekton-robot @mattmoor