From 4ab981b1bf0288299a796fcd33601b40127a177c Mon Sep 17 00:00:00 2001
From: "Alessandro (Ale) Segala" <43508+ItalyPaleAle@users.noreply.github.com>
Date: Mon, 17 Jul 2023 11:30:02 -0700
Subject: [PATCH] [release-1.10] Upgrade Avro dependency (#6686)

Fixes CVE-2023-37475

Signed-off-by: ItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com>
---
 docs/release_notes/v1.10.9.md | 25 +++++++++++++++++++++++++
 go.mod | 4 ++--
 go.sum | 9 ++++-----
 3 files changed, 31 insertions(+), 7 deletions(-)
 create mode 100644 docs/release_notes/v1.10.9.md

diff --git a/docs/release_notes/v1.10.9.md b/docs/release_notes/v1.10.9.md
new file mode 100644
index 00000000..63c8df4b
--- /dev/null
+++ b/docs/release_notes/v1.10.9.md
@@ -0,0 +1,25 @@
+# Dapr 1.10.9 [security]
+
+This update contains security fixes:
+
+ - [Security: Potential DoS in avro dependency (CVE-2023-37475)](#security-potential-dos-in-avro-dependency-cve-2023-37475)
+
+## Security: Potential DoS in avro dependency (CVE-2023-37475)
+
+### Problem
+
+[CVE-2023-37475](https://github.com/hamba/avro/security/advisories/GHSA-9x44-9pgq-cf45)
+
+An issue in the third-party avro dependency could cause a resource exhaustion and a DoS for Dapr.
+
+### Impact
+
+This issue impacts users of Dapr that use the Pulsar components.
+
+### Root cause
+
+The issue was in a third-party dependency.
+
+### Solution
+
+We have upgraded the avro dependency to version 2.13.0 which contains a fix for the reported issue.
diff --git a/go.mod b/go.mod
index 6de0dcb3..bf3d7023 100644
--- a/go.mod
+++ b/go.mod
@@ -8,7 +8,7 @@ require (
 	github.com/PaesslerAG/jsonpath v0.1.1
 	github.com/PuerkitoBio/purell v1.2.0
 	github.com/cenkalti/backoff/v4 v4.2.0
-	github.com/dapr/components-contrib v1.10.9
+	github.com/dapr/components-contrib v1.10.10
 	github.com/dapr/kit v0.0.5-0.20230307192505-b5bafe889a81
 	github.com/fasthttp/router v1.4.15
 	github.com/ghodss/yaml v1.0.0
@@ -234,7 +234,7 @@ require (
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.7.0 // indirect
 	github.com/gsterjov/go-libsecret v0.0.0-20161001094733-a6f4afe4910c // indirect
 	github.com/hailocab/go-hostpool v0.0.0-20160125115350-e80d13ce29ed // indirect
-	github.com/hamba/avro/v2 v2.4.0 // indirect
+	github.com/hamba/avro/v2 v2.13.0 // indirect
 	github.com/hashicorp/consul/api v1.13.0 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
diff --git a/go.sum b/go.sum
index 6550c48c..177bbb31 100644
--- a/go.sum
+++ b/go.sum
@@ -716,8 +716,8 @@ github.com/dancannon/gorethink v4.0.0+incompatible h1:KFV7Gha3AuqT+gr0B/eKvGhbjm
 github.com/dancannon/gorethink v4.0.0+incompatible/go.mod h1:BLvkat9KmZc1efyYwhz3WnybhRZtgF1K929FD8z1avU=
 github.com/danieljoos/wincred v1.1.2 h1:QLdCxFs1/Yl4zduvBdcHB8goaYk9RARS2SgLLRuAyr0=
 github.com/danieljoos/wincred v1.1.2/go.mod h1:GijpziifJoIBfYh+S7BbkdUTU4LfM+QnGqR5Vl2tAx0=
-github.com/dapr/components-contrib v1.10.9 h1:GnLDL56qzHRI3cIjNMCtCtvoL8eu5uZKLq9shwozV84=
-github.com/dapr/components-contrib v1.10.9/go.mod h1:Mc9IPIR2uYwt0Uhc+ejv7EAWgyRnSPg3+t75WT6x+a0=
+github.com/dapr/components-contrib v1.10.10 h1:EyuWSjRJn32D/j0rhEKZSsx03xWa71Z2s5NexgHlhhg=
+github.com/dapr/components-contrib v1.10.10/go.mod h1:NyW48SBoDelcFfHpKdH1ZJgnJTWO3VG3c2eRRKri7q0=
 github.com/dapr/kit v0.0.5-0.20230307192505-b5bafe889a81 h1:8vCcvFXpCH4xvbG4JuG0g9bFk0T3cgY0infitTxG7oA=
 github.com/dapr/kit v0.0.5-0.20230307192505-b5bafe889a81/go.mod h1:JXPc/7O0s0ieBe+GpOUuYiyxRcgip1MQwSwCmQPYSVE=
 github.com/dave/jennifer v1.4.0/go.mod h1:fIb+770HOpJ2fmN9EPPKOqm1vMGhB+TwXKMZhrIygKg=
@@ -802,7 +802,6 @@ github.com/envoyproxy/go-control-plane v0.9.10-0.20210907150352-cf90f659a021/go.
 github.com/envoyproxy/go-control-plane v0.10.0/go.mod h1:AY7fTTXNdv/aJ2O5jwpxAPOWUZ7hQAEvzN5Pf27BkQQ=
 github.com/envoyproxy/go-control-plane v0.10.2-0.20220325020618-49ff273808a1/go.mod h1:KJwIaB5Mv44NWtYuAOFCVOjcI94vtpEz2JU/D2v6IjE=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
-github.com/ettle/strcase v0.1.1/go.mod h1:hzDLsPC7/lwKyBOywSHEP89nt2pDgdy+No1NBA9o9VY=
 github.com/evanphx/json-patch v0.5.2/go.mod h1:ZWS5hhDbVDyob71nXKNL0+PWn6ToqBHMikGIFbs31qQ=
 github.com/evanphx/json-patch v4.12.0+incompatible h1:4onqiflcdA9EOZ4RxV643DvftH5pOlLGNtQ5lPWQu84=
 github.com/evanphx/json-patch v4.12.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
@@ -1123,8 +1122,8 @@ github.com/gsterjov/go-libsecret v0.0.0-20161001094733-a6f4afe4910c h1:6rhixN/i8
 github.com/gsterjov/go-libsecret v0.0.0-20161001094733-a6f4afe4910c/go.mod h1:NMPJylDgVpX0MLRlPy15sqSwOFv/U1GZ2m21JhFfek0=
 github.com/hailocab/go-hostpool v0.0.0-20160125115350-e80d13ce29ed h1:5upAirOpQc1Q53c0bnx2ufif5kANL7bfZWcc6VJWJd8=
 github.com/hailocab/go-hostpool v0.0.0-20160125115350-e80d13ce29ed/go.mod h1:tMWxXQ9wFIaZeTI9F+hmhFiGpFmhOHzyShyFUhRm0H4=
-github.com/hamba/avro/v2 v2.4.0 h1:w/XucdXkKCc2Bna8Ra9MK1KubaLEOnk4vcTVfXP2AKw=
-github.com/hamba/avro/v2 v2.4.0/go.mod h1:6MapKiXjILKSuR/z7SMwkihv2f//wahd/l2bUDHHqI4=
+github.com/hamba/avro/v2 v2.13.0 h1:QY2uX2yvJTW0OoMKelGShvq4v1hqab6CxJrPwh0fnj0=
+github.com/hamba/avro/v2 v2.13.0/go.mod h1:Q9YK+qxAhtVrNqOhwlZTATLgLA8qxG2vtvkhK8fJ7Jo=
 github.com/hashicorp/consul/api v1.1.0/go.mod h1:VmuI/Lkw1nC05EYQWNKwWGbkg+FbDBtguAZLlVdkD9Q=
 github.com/hashicorp/consul/api v1.3.0/go.mod h1:MmDNSzIMUjNpY/mQ398R4bk2FnqQLoPndWW5VkKPlCE=
 github.com/hashicorp/consul/api v1.13.0 h1:2hnLQ0GjQvw7f3O61jMO8gbasZviZTrt9R8WzgiirHc=
-- 
GitLab