[release-1.11] Upgrade Avro dependency (#6687)

* Release notes for avro Signed-off-by: N ItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com> * Upgraded components-contrib Signed-off-by: N ItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com> --------- Signed-off-by: N ItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com>

[release-1.11] Upgrade Avro dependency (#6687)
* Release notes for avro Signed-off-by: N ItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com> * Upgraded components-contrib Signed-off-by: N ItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com> --------- Signed-off-by: N ItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com>
32a9ce06 · Alessandro (Ale) Segala · GitHub · 0c755e31 · 32a9ce06 · 32a9ce06
隐藏空白更改
内联并排

Showing with 32 addition and 8 deletion

docs/release_notes/v1.11.2.md docs/release_notes/v1.11.2.md +26 -2

go.mod go.mod +2 -2

go.sum go.sum +4 -4

未找到文件。
--- a/docs/release_notes/v1.11.2.md
+++ b/docs/release_notes/v1.11.2.md
-# Dapr 1.11.2
+# Dapr 1.11.2 [security]

-This patch release contains multiple bug fixes.
+This update contains security fixes:
+
+  - [Security: Potential DoS in avro dependency (CVE-2023-37475)](#security-potential-dos-in-avro-dependency-cve-2023-37475)
+
+Additionally, this patch release contains bug fixes:

  - [Fixed: unbounded history batch save in Workflows](#fixed-unbounded-history-batch-save-in-workflows)
  - [Fixed: Workflows not working in some Kubernetes clusters](#fixed-workflows-not-working-in-some-kubernetes-clusters)
  - [Fixed a number of bugs in the gRPC Configuration Subscribe API](#fixed-a-number-of-bugs-in-the-grpc-configuration-subscribe-api)

+## Security: Potential DoS in avro dependency (CVE-2023-37475)
+
+### Problem
+
+[CVE-2023-37475](https://github.com/hamba/avro/security/advisories/GHSA-9x44-9pgq-cf45)
+
+An issue in the third-party avro dependency could cause a resource exhaustion and a DoS for Dapr.
+
+### Impact
+
+This issue impacts users of Dapr that use the Pulsar components.
+
+### Root cause
+
+The issue was in a third-party dependency.
+
+### Solution
+
+We have upgraded the avro dependency to version 2.13.0 which contains a fix for the reported issue.
+
 ## Fixed: unbounded history batch save in Workflows

 ### Problem

--- a/go.mod
+++ b/go.mod
@@ -9,7 +9,7 @@ require (
 	github.com/PuerkitoBio/purell v1.2.0
 	github.com/argoproj/argo-rollouts v1.4.1
 	github.com/cenkalti/backoff/v4 v4.2.1
-	github.com/dapr/components-contrib v1.11.3
+	github.com/dapr/components-contrib v1.11.4
 	github.com/dapr/kit v0.11.3
 	github.com/evanphx/json-patch/v5 v5.6.0
 	github.com/fasthttp/router v1.4.18
@@ -237,7 +237,7 @@ require (
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.15.2 // indirect
 	github.com/gsterjov/go-libsecret v0.0.0-20161001094733-a6f4afe4910c // indirect
 	github.com/hailocab/go-hostpool v0.0.0-20160125115350-e80d13ce29ed // indirect
-	github.com/hamba/avro/v2 v2.5.0 // indirect
+	github.com/hamba/avro/v2 v2.13.0 // indirect
 	github.com/hashicorp/consul/api v1.13.0 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect

--- a/go.sum
+++ b/go.sum
@@ -398,8 +398,8 @@ github.com/dancannon/gorethink v4.0.0+incompatible h1:KFV7Gha3AuqT+gr0B/eKvGhbjm
 github.com/dancannon/gorethink v4.0.0+incompatible/go.mod h1:BLvkat9KmZc1efyYwhz3WnybhRZtgF1K929FD8z1avU=
 github.com/danieljoos/wincred v1.1.2 h1:QLdCxFs1/Yl4zduvBdcHB8goaYk9RARS2SgLLRuAyr0=
 github.com/danieljoos/wincred v1.1.2/go.mod h1:GijpziifJoIBfYh+S7BbkdUTU4LfM+QnGqR5Vl2tAx0=
-github.com/dapr/components-contrib v1.11.3 h1:sOuatQ900JVgMdvdLbI2OX0nBqFuUma2oFl2kk4GwJ8=
-github.com/dapr/components-contrib v1.11.3/go.mod h1:brBtlcztHQGPW9tdEt7YWysZ3kJ7fTjxAiDz/YkWb44=
+github.com/dapr/components-contrib v1.11.4 h1:gi1eetyl5hcypyHcUPL0cFRBfiJt/V1fuJGNAWbS8pU=
+github.com/dapr/components-contrib v1.11.4/go.mod h1:hTiIBTAn9cPA/HMmJo+Cg1+2A3S8q43BHugf0rFv0Sg=
 github.com/dapr/kit v0.11.3 h1:u1X92tE8xsrwXIej7nkcI5Z1t1CFznPwlL18tizNEw4=
 github.com/dapr/kit v0.11.3/go.mod h1:hQA6xOhcLAiccXTj7e3/bzpHwvAJCSCp70p2xg3jB40=
 github.com/dave/jennifer v1.4.0/go.mod h1:fIb+770HOpJ2fmN9EPPKOqm1vMGhB+TwXKMZhrIygKg=
@@ -804,8 +804,8 @@ github.com/gsterjov/go-libsecret v0.0.0-20161001094733-a6f4afe4910c h1:6rhixN/i8
 github.com/gsterjov/go-libsecret v0.0.0-20161001094733-a6f4afe4910c/go.mod h1:NMPJylDgVpX0MLRlPy15sqSwOFv/U1GZ2m21JhFfek0=
 github.com/hailocab/go-hostpool v0.0.0-20160125115350-e80d13ce29ed h1:5upAirOpQc1Q53c0bnx2ufif5kANL7bfZWcc6VJWJd8=
 github.com/hailocab/go-hostpool v0.0.0-20160125115350-e80d13ce29ed/go.mod h1:tMWxXQ9wFIaZeTI9F+hmhFiGpFmhOHzyShyFUhRm0H4=
-github.com/hamba/avro/v2 v2.5.0 h1:g52qZq2KdQcKzMu+lwIZRHgk/BfBO0tb/X840KWGnIM=
-github.com/hamba/avro/v2 v2.5.0/go.mod h1:Q9YK+qxAhtVrNqOhwlZTATLgLA8qxG2vtvkhK8fJ7Jo=
+github.com/hamba/avro/v2 v2.13.0 h1:QY2uX2yvJTW0OoMKelGShvq4v1hqab6CxJrPwh0fnj0=
+github.com/hamba/avro/v2 v2.13.0/go.mod h1:Q9YK+qxAhtVrNqOhwlZTATLgLA8qxG2vtvkhK8fJ7Jo=
 github.com/hashicorp/consul/api v1.1.0/go.mod h1:VmuI/Lkw1nC05EYQWNKwWGbkg+FbDBtguAZLlVdkD9Q=
 github.com/hashicorp/consul/api v1.3.0/go.mod h1:MmDNSzIMUjNpY/mQ398R4bk2FnqQLoPndWW5VkKPlCE=
 github.com/hashicorp/consul/api v1.13.0 h1:2hnLQ0GjQvw7f3O61jMO8gbasZviZTrt9R8WzgiirHc=