Commit
Go updated to 1.18

Packages updated to the latest versions for each.

Upgrading `github.com/prometheus/common` encountered the breaking change which removed the Log package (prometheus/common#306), so the logging code has also been updated to use promlog instead.

Mitigates security issues:

GJSON before 1.6.4 allows attackers to cause a denial of service via crafted JSON.
https://nvd.nist.gov/vuln/detail/CVE-2020-35380

GJSON <1.6.5 allows attackers to cause a denial of service (remote) via crafted JSON.
https://nvd.nist.gov/vuln/detail/CVE-2020-36066

GJSON <=v1.6.5 allows attackers to cause a denial of service (panic: runtime error: slice bounds out of range) via a crafted GET call.
https://nvd.nist.gov/vuln/detail/CVE-2020-36067

GJSON before 1.9.3 allows a ReDoS (regular expression denial of service) attack.
https://nvd.nist.gov/vuln/detail/CVE-2021-42836

The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String.
https://nvd.nist.gov/vuln/detail/CVE-2020-14040
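A check that a `go.mod` has actually reached the fixed versions named in the commit message above, as an added example that is not part of the commit or the project's code. Assumptions: GJSON's module path is `github.com/tidwall/gjson` (the message only says "GJSON"), 1.9.3 is used as the single GJSON threshold because it is the highest fixed version the message gives, and the function names and sample input are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Fixed-in versions from the commit message; the gjson module path is assumed.
var minFixed = map[string][3]int{
	"github.com/tidwall/gjson": {1, 9, 3}, // CVE-2021-42836, newer than the 1.6.x fixes
	"golang.org/x/text":        {0, 3, 3}, // CVE-2020-14040
}

// belowFix reports whether version string ver sorts before want. Pre-release and
// pseudo-versions ("v0.3.3-0.2020...") sort before the plain release, and an
// unparseable version fails closed (counts as below).
func belowFix(ver string, want [3]int) bool {
	var v [3]int
	if n, _ := fmt.Sscanf(ver, "v%d.%d.%d", &v[0], &v[1], &v[2]); n != 3 {
		return true
	}
	core, _, _ := strings.Cut(ver, "+") // drop "+incompatible"
	if v == want {
		return strings.Contains(core, "-")
	}
	return v[0] < want[0] || v[0] == want[0] && (v[1] < want[1] || v[1] == want[1] && v[2] < want[2])
}

// Outdated returns "module@version" for each tracked requirement in the given
// go.mod text that is still below its fixed version.
func Outdated(gomod string) (hits []string) {
	for _, line := range strings.Split(gomod, "\n") {
		line, _, _ = strings.Cut(line, "//") // strip "// indirect" comments
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) < 2 {
			continue
		}
		if want, tracked := minFixed[f[0]]; tracked && belowFix(f[1], want) {
			hits = append(hits, f[0]+"@"+f[1])
		}
	}
	return hits
}

func main() {
	// Constructed go.mod fragment, not taken from the repository.
	sample := "require (\n\tgithub.com/tidwall/gjson v1.6.0\n\tgolang.org/x/text v0.3.7 // indirect\n)"
	fmt.Println(Outdated(sample))
}
```

This reads only the `require` lines of one `go.mod`; a `replace` directive or a vendored copy can still pin an older version, so the resolved output of `go list -m all` is the stronger source to feed it.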