From 6282c33169c47d54f06bb5aabd556c16f50b232e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 1 May 2024 01:06:25 +0000 Subject: mod: bump github.com/ulikunitz/xz from 0.5.11 to 0.5.12 Bumps [github.com/ulikunitz/xz](https://github.com/ulikunitz/xz) from 0.5.11 to 0.5.12. - [Commits](https://github.com/ulikunitz/xz/compare/v0.5.11...v0.5.12) --- updated-dependencies: - dependency-name: github.com/ulikunitz/xz dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- go.mod | 2 +- go.sum | 4 ++-- vendor/github.com/ulikunitz/xz/README.md | 11 +++++++++++ vendor/github.com/ulikunitz/xz/SECURITY.md | 13 +++++++++++-- vendor/github.com/ulikunitz/xz/TODO.md | 7 ++++++- vendor/modules.txt | 2 +- 6 files changed, 32 insertions(+), 7 deletions(-) diff --git a/go.mod b/go.mod index bae7dd243..4120caec3 100644 --- a/go.mod +++ b/go.mod @@ -17,7 +17,7 @@ require ( github.com/prometheus/client_golang v1.19.0 github.com/sergi/go-diff v1.3.1 github.com/stretchr/testify v1.9.0 - github.com/ulikunitz/xz v0.5.11 + github.com/ulikunitz/xz v0.5.12 golang.org/x/exp v0.0.0-20240103183307-be819d1f06fc golang.org/x/oauth2 v0.18.0 golang.org/x/perf v0.0.0-20230221235046-aebcfb61e84c diff --git a/go.sum b/go.sum index c82cc2786..3dbf91589 100644 --- a/go.sum +++ b/go.sum @@ -628,8 +628,8 @@ github.com/tomarrell/wrapcheck/v2 v2.8.3 h1:5ov+Cbhlgi7s/a42BprYoxsr73CbdMUTzE3b github.com/tomarrell/wrapcheck/v2 v2.8.3/go.mod h1:g9vNIyhb5/9TQgumxQyOEqDHsmGYcGsVMOx/xGkqdMo= github.com/tommy-muehle/go-mnd/v2 v2.5.1 h1:NowYhSdyE/1zwK9QCLeRb6USWdoif80Ie+v+yU8u1Zw= github.com/tommy-muehle/go-mnd/v2 v2.5.1/go.mod h1:WsUAkMJMYww6l/ufffCD3m+P7LEvr8TnZn9lwVDlgzw= -github.com/ulikunitz/xz v0.5.11 h1:kpFauv27b6ynzBNT/Xy+1k+fK4WswhN/6PN5WhFAGw8= -github.com/ulikunitz/xz v0.5.11/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14= +github.com/ulikunitz/xz v0.5.12 h1:37Nm15o69RwBkXM0J6A5OlE67RZTfzUxTj8fB3dfcsc= +github.com/ulikunitz/xz v0.5.12/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14= github.com/ultraware/funlen v0.1.0 h1:BuqclbkY6pO+cvxoq7OsktIXZpgBSkYTQtmwhAK81vI= github.com/ultraware/funlen v0.1.0/go.mod h1:XJqmOQja6DpxarLj6Jj1U7JuoS8PvL4nEqDaQhy22p4= github.com/ultraware/whitespace v0.1.0 h1:O1HKYoh0kIeqE8sFqZf1o0qbORXUCOQFrlaQyZsczZw= diff --git a/vendor/github.com/ulikunitz/xz/README.md b/vendor/github.com/ulikunitz/xz/README.md index 554718521..56d49275a 100644 --- a/vendor/github.com/ulikunitz/xz/README.md +++ b/vendor/github.com/ulikunitz/xz/README.md @@ -75,3 +75,14 @@ To decompress it use the following command. $ gxz -d bigfile.xz +## Security & Vulnerabilities + +The security policy is documented in [SECURITY.md](SECURITY.md). + +The software is not affected by the supply chain attack on the original xz +implementation, [CVE-2024-3094](https://nvd.nist.gov/vuln/detail/CVE-2024-3094). +This implementation doesn't share any files with the original xz implementation +and no patches or pull requests are accepted without a review. + +All security advisories for this project are published under +[github.com/ulikunitz/xz/security/advisories](https://github.com/ulikunitz/xz/security/advisories?state=published). diff --git a/vendor/github.com/ulikunitz/xz/SECURITY.md b/vendor/github.com/ulikunitz/xz/SECURITY.md index 5f7ec01b3..1bdc88878 100644 --- a/vendor/github.com/ulikunitz/xz/SECURITY.md +++ b/vendor/github.com/ulikunitz/xz/SECURITY.md @@ -6,5 +6,14 @@ Currently the last minor version v0.5.x is supported. ## Reporting a Vulnerability -Report a vulnerability by creating a Github issue at -. Expect a response in a week. +You can privately report a vulnerability following this +[procedure](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability#privately-reporting-a-security-vulnerability). +Alternatively you can create a Github issue at +. + +In both cases expect a response in at least 7 days. + +## Security Advisories + +All security advisories for this project are published under +[github.com/ulikunitz/xz/security/advisories](https://github.com/ulikunitz/xz/security/advisories?state=published). diff --git a/vendor/github.com/ulikunitz/xz/TODO.md b/vendor/github.com/ulikunitz/xz/TODO.md index a3d6f1925..c466ffeda 100644 --- a/vendor/github.com/ulikunitz/xz/TODO.md +++ b/vendor/github.com/ulikunitz/xz/TODO.md @@ -86,6 +86,11 @@ ## Log +### 2024-04-03 + +Release v0.5.12 updates README.md and SECURITY.md to address the supply chain +attack on the original xz implementation. + ### 2022-12-12 Matt Dantay (@bodgit) reported an issue with the LZMA reader. The implementation @@ -99,7 +104,7 @@ it. Mituo Heijo has fuzzed xz and found a bug in the function readIndexBody. The function allocated a slice of records immediately after reading the value -without further checks. Sincex the number has been too large the make function +without further checks. Since the number has been too large the make function did panic. The fix is to check the number against the expected number of records before allocating the records. diff --git a/vendor/modules.txt b/vendor/modules.txt index 5e0f101a9..7dee654bb 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -745,7 +745,7 @@ github.com/tomarrell/wrapcheck/v2/wrapcheck github.com/tommy-muehle/go-mnd/v2 github.com/tommy-muehle/go-mnd/v2/checks github.com/tommy-muehle/go-mnd/v2/config -# github.com/ulikunitz/xz v0.5.11 +# github.com/ulikunitz/xz v0.5.12 ## explicit; go 1.12 github.com/ulikunitz/xz github.com/ulikunitz/xz/internal/hash -- cgit mrf-deployment