Link Search Menu Expand Document

fabex GitHub

PR #106 Bump go.mongodb.org/mongo-driver from 1.1.0 to 1.5.1
dependencies Bumps [go.mongodb.org/mongo-driver](https://github.com/mongodb/mongo-go-driver) from 1.1.0 to 1.5.1.
Release notes

Sourced from go.mongodb.org/mongo-driver's releases.

MongoDB Go Driver 1.5.1

The MongoDB Go driver team is pleased to release 1.5.1 of the official Go driver.

This release contains several bug fixes. Due to the issue below, we recommend all users upgrade to this version of the driver.

Documentation can be found on pkg.go.dev and the MongoDB documentation site. BSON library documentation is also available on pkg.go.dev. Questions and inquiries can be asked on the MongoDB Developer Community. Bugs can be reported in the Go Driver Jira where a list of current issues can be found.

This CVE describes a security issue with the driver's BSON marshalling system. BSON marshalling functions would incorrectly handle null bytes embedded in BSON key names and the pattern/options fields of a BSON regex value. BSON marshalling functions now correctly validate and error if there is an embedded null byte in BSON key names or the pattern/options fields of a BSON regex value. We recommend all users of the driver upgrade to this version.

CVE ID: CVE-2021-20329 Title: Specific cstrings input may not be properly validated in the MongoDB Go Driver Description: Specific cstrings input may not be properly validated in the MongoDB Go Driver when marshalling Go objects into BSON. A malicious user could use a Go object with specific string to potentially inject additional fields into marshalled documents. This issue affects all MongoDB GO Drivers up to (and including) 1.5.0. CVSS score: 6.8 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N Affected products and versions, MongoDB Go Driver versions <= 1.5.0 Underlying operating systems affected: All

For a full list of tickets included in this release, please see the links below:

Bugs

Tasks

MongoDB Go Driver 1.5.0

The MongoDB Go driver team is pleased to release 1.5.0 of the official Go driver.

This release contains several new features and usability improvements for the driver.

Documentation can be found on pkg.go.dev and the MongoDB documentation site. BSON library documentation is also available on pkg.go.dev. Questions and inquiries can be asked on the MongoDB Developer Community. Bugs can be reported in the Go Driver Jira where a list of current issues can be found.

This release contains a new errors API for the primary mongo package. Users can now detect duplicate key errors, timeouts, and network errors via the mongo.IsDuplicateKeyError, mongo.IsTimeout, and mongo.IsNetworkError functions, respectively. Additionally, a new UpdateByID function has been added to the mongo.Collection type to update a single document with a given _id value.

The Go Driver now supports using GCP and Azure key management services with the client-side field level encryption feature. In addition, AWS key management support has been enhanced to allow authenticating with temporary AWS credentials. See the MongoDB docs for more information about these improvements. Use of client-side field level encryption requires users to install the latest released version of libmongocrypt. Note: This means that existing applications that use this feature will need to upgrade the libmongocrypt dependency when upgrading to this driver version; otherwise, the application will fail to compile. Users can upgrade to the latest development release of libmongocrypt via the OS-specific instructions for macos, Windows, and Linux.

Monitoring has now been added for various server events. A ServerMonitor set on a mongo.Client monitors changes on the MongoDB deployment it is connected to and reports the changes in the client's representation of the deployment.

The driver will now error if a map with more than one key is used as a hint option, sort option, or for index creation. This is to prevent unexpected behavior, for example, an index being created with the keys in the wrong order.

... (truncated)

Commits
  • 40c0e70 Update version to v1.5.1
  • 3a89e6c GODRIVER-1923 Error if BSON cstrings contain null bytes (#622)
  • 1a2534c GODRIVER-1935 Update scram/stringprep dependencies (#624)
  • 6ea353a GODRIVER-1918 Check for zero length in readstring (#613)
  • d5e11aa GODRIVER-1919 Support decoding ObjectIDs from hex strings in BSON (#610)
  • e0ed6d6 Update version to v1.5.1+prerelease
  • 6760875 Update version to v1.5.0
  • 19a368c GODRIVER-1911 Fix Windows/macos test failures for CSFLE (#603)
  • 2a5f9a4 GODRIVER-1879 Apply connectTimeoutMS to TLS handshake (#594)
  • 2c5b75b GODRIVER-1855 Support AWS authentication with temporary credentials in CSFLE ...
  • Additional commits viewable in compare view

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=go.mongodb.org/mongo-driver&package-manager=go_modules&previous-version=1.1.0&new-version=1.5.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/hyperledger-labs/fabex/network/alerts).
Created At 2021-07-29 19:53:53 +0000 UTC
PR #105 Bump github.com/gin-gonic/gin from 1.6.3 to 1.7.0
dependencies Bumps [github.com/gin-gonic/gin](https://github.com/gin-gonic/gin) from 1.6.3 to 1.7.0.
Release notes

Sourced from github.com/gin-gonic/gin's releases.

Release v1.7.0

BUGFIXES

  • fix compile error from #2572 (#2600)
  • fix: print headers without Authorization header on broken pipe (#2528)
  • fix(tree): reassign fullpath when register new node (#2366)

ENHANCEMENTS

  • Support params and exact routes without creating conflicts (#2663)
  • chore: improve render string performance (#2365)
  • Sync route tree to httprouter latest code (#2368)
  • chore: rename getQueryCache/getFormCache to initQueryCache/initFormCa (#2375)
  • chore(performance): improve countParams (#2378)
  • Remove some functions that have the same effect as the bytes package (#2387)
  • update:SetMode function (#2321)
  • remove a unused type SecureJSONPrefix (#2391)
  • Add a redirect sample for POST method (#2389)
  • Add CustomRecovery builtin middleware (#2322)
  • binding: avoid 2038 problem on 32-bit architectures (#2450)
  • Prevent panic in Context.GetQuery() when there is no Request (#2412)
  • Add GetUint and GetUint64 method on gin.context (#2487)
  • update content-disposition header to MIME-style (#2512)
  • reduce allocs and improve the render WriteString (#2508)
  • implement ".Unwrap() error" on Error type (#2525) (#2526)
  • Allow bind with a map[string]string (#2484)
  • chore: update tree (#2371)
  • Support binding for slice/array obj [Rewrite] (#2302)
  • basic auth: fix timing oracle (#2609)
  • Add mixed param and non-param paths (port of httprouter#329) (#2663)
  • feat(engine): add trustedproxies and remoteIP (#2632)
Changelog

Sourced from github.com/gin-gonic/gin's changelog.

Gin v1.7.0

BUGFIXES

  • fix compile error from #2572 (#2600)
  • fix: print headers without Authorization header on broken pipe (#2528)
  • fix(tree): reassign fullpath when register new node (#2366)

ENHANCEMENTS

  • Support params and exact routes without creating conflicts (#2663)
  • chore: improve render string performance (#2365)
  • Sync route tree to httprouter latest code (#2368)
  • chore: rename getQueryCache/getFormCache to initQueryCache/initFormCa (#2375)
  • chore(performance): improve countParams (#2378)
  • Remove some functions that have the same effect as the bytes package (#2387)
  • update:SetMode function (#2321)
  • remove a unused type SecureJSONPrefix (#2391)
  • Add a redirect sample for POST method (#2389)
  • Add CustomRecovery builtin middleware (#2322)
  • binding: avoid 2038 problem on 32-bit architectures (#2450)
  • Prevent panic in Context.GetQuery() when there is no Request (#2412)
  • Add GetUint and GetUint64 method on gin.context (#2487)
  • update content-disposition header to MIME-style (#2512)
  • reduce allocs and improve the render WriteString (#2508)
  • implement ".Unwrap() error" on Error type (#2525) (#2526)
  • Allow bind with a map[string]string (#2484)
  • chore: update tree (#2371)
  • Support binding for slice/array obj [Rewrite] (#2302)
  • basic auth: fix timing oracle (#2609)
  • Add mixed param and non-param paths (port of httprouter#329) (#2663)
  • feat(engine): add trustedproxies and remoteIP (#2632)
Commits

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github.com/gin-gonic/gin&package-manager=go_modules&previous-version=1.6.3&new-version=1.7.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/hyperledger-labs/fabex/network/alerts).
Created At 2021-07-29 19:52:29 +0000 UTC