
chore(deps): [gke-optimization] Update module github.com/golang/glog to v1.2.4 [SECURITY] #149

Open: wants to merge 1 commit into main

Conversation

renovate-bot (Contributor)

This PR contains the following updates:

Package: github.com/golang/glog
Change: v1.1.0 -> v1.2.4

GitHub Vulnerability Alerts

CVE-2024-45339

When logs are written to a widely-writable directory (the default), an unprivileged attacker may predict a privileged process's log file path and pre-create a symbolic link to a sensitive file in its place. When that privileged process runs, it will follow the planted symlink and overwrite that sensitive file. To fix that, glog now causes the program to exit (with status code 2) when it finds that the configured log file already exists.


Release Notes

golang/glog (github.com/golang/glog)

v1.2.4

Compare Source

What's Changed

  • Fail if log file already exists by @chressie in https://github.com/golang/glog/pull/74:
    • glog: Don't try to create/rotate a given syncBuffer twice in the same second
    • glog: introduce createInDir function as in internal version
    • glog: have createInDir fail if the file already exists

Full Changelog: golang/glog@v1.2.3...v1.2.4

v1.2.3

Compare Source

What's Changed

Full Changelog: golang/glog@v1.2.2...v1.2.3

v1.2.2

Compare Source

What's Changed

Full Changelog: golang/glog@v1.2.1...v1.2.2

v1.2.1

Compare Source

What's Changed

Full Changelog: golang/glog@v1.2.0...v1.2.1

v1.2.0

Compare Source

What's Changed

Full Changelog: golang/glog@v1.1.2...v1.2.0

v1.1.2

Compare Source

Bugfix release.

What's Changed

Full Changelog: golang/glog@v1.1.1...v1.1.2

v1.1.1

Compare Source

Bugfixes since the larger v1.1.0, which have been addressed.


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
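The fix described above, as an added example (not code from glog or from this PR): a log-file create that uses os.O_EXCL, so it refuses to proceed when anything already exists at the predictable log path, including a symlink another user planted there. The scenario is constructed in a temp dir; createLogFile and demo are names chosen for this example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// createLogFile opens a brand-new log file at dir/name. O_EXCL makes the open
// fail when anything already exists at that path (a symlink included) instead
// of following it; this mirrors the fail-if-exists behaviour of glog v1.2.4.
func createLogFile(dir, name string) (*os.File, error) {
	path := filepath.Join(dir, name)
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o644)
	if err != nil {
		return nil, fmt.Errorf("refusing to create log %s: %w", path, err)
	}
	return f, nil
}

// demo builds a constructed scenario: a "sensitive" file with known contents
// and a symlink to it at the predictable log path. It reports whether the
// create was refused and whether the sensitive file is still intact.
func demo() (refused, intact bool, err error) {
	dir, err := os.MkdirTemp("", "glogdemo")
	if err != nil {
		return false, false, err
	}
	defer os.RemoveAll(dir)
	sensitive := filepath.Join(dir, "sensitive.txt")
	if err := os.WriteFile(sensitive, []byte("secret"), 0o600); err != nil {
		return false, false, err
	}
	if err := os.Symlink(sensitive, filepath.Join(dir, "app.INFO")); err != nil {
		return false, false, err
	}
	f, err := createLogFile(dir, "app.INFO")
	if err == nil { // a naive O_CREATE|O_TRUNC open would land here and truncate
		f.Close()
		return false, false, nil
	}
	data, rerr := os.ReadFile(sensitive)
	return errors.Is(err, os.ErrExist), rerr == nil && string(data) == "secret", nil
}

func main() {
	refused, intact, err := demo()
	fmt.Printf("refused=%v intact=%v err=%v\n", refused, intact, err)
}
```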


⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: projects/gke-optimization/binpacker/api/go.sum
Command failed: go get -d -t ./...
go: -d flag is deprecated. -d=true is a no-op
go: github.com/GoogleCloudPlatform/cloud-solutions/projects/sa-tools/gke_optimization/binpacker/api/pkg/interface/handler imports
	github.com/GoogleCloudPlatform/cloud-solutions/projects/sa-tools/gke_optimization/binpacker/api/proto: cannot find module providing package github.com/GoogleCloudPlatform/cloud-solutions/projects/sa-tools/gke_optimization/binpacker/api/proto

code-review-assist bot left a comment

Hi team,

I'm currently reviewing this pull request and will provide my feedback shortly. In the meantime, here's a summary for you and other reviewers to quickly get up to speed:

This pull request, submitted by Renovate bot, updates the github.com/golang/glog dependency from version v1.1.0 to v1.2.4 in the projects/gke-optimization/binpacker/api directory. This is a security update addressing CVE-2024-45339, which allows an attacker to overwrite sensitive files if logs are written to a widely-writable directory. The update includes several bug fixes and improvements detailed in the release notes linked in the PR description. The primary change is that glog now exits with status code 2 if the log file already exists, mitigating the vulnerability.

Here's a breakdown of the changes:

  • Intent: Address a security vulnerability (CVE-2024-45339) and incorporate bug fixes in the glog library.
  • Changes: The go.mod file in projects/gke-optimization/binpacker/api has been updated to reflect the new version of github.com/golang/glog (from v1.1.0 to v1.2.4).
  • Activity: The PR was automatically generated by Renovate bot and is awaiting manual merge.

The specific changes in go.mod are:

Line 9, before: github.com/golang/glog v1.1.0
Line 9, after: github.com/golang/glog v1.2.4

I'll provide a more detailed review shortly.


A little haiku to brighten your day:

Code flows like a stream,
Fixes merge, a gentle hum,
Security's peace found.

code-review-assist bot left a comment

This pull request updates the github.com/golang/glog module to v1.2.4, addressing a security vulnerability (CVE-2024-45339). This is a necessary update and should be merged as soon as possible. The change is well-isolated to the go.mod file, making the review straightforward. I have reviewed the release notes and the change looks good. Since this is a security update, thorough testing is recommended after merging.
