chore(deps): update module github.com/golang/glog to v1.2.4 [security]

[renovate-sh-app]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/golang/glog	v1.0.0 → v1.2.4

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2024-45339

When logs are written to a widely-writable directory (the default), an unprivileged attacker may predict a privileged process's log file path and pre-create a symbolic link to a sensitive file in its place. When that privileged process runs, it will follow the planted symlink and overwrite that sensitive file. To fix that, glog now causes the program to exit (with status code 2) when it finds that the configured log file already exists.

---

Insecure Temporary File usage in github.com/golang/glog

CVE-2024-45339 / GHSA-6wxm-mpqj-6jpf / GO-2025-3372

More information

Details

When logs are written to a widely-writable directory (the default), an unprivileged attacker may predict a privileged process's log file path and pre-create a symbolic link to a sensitive file in its place. When that privileged process runs, it will follow the planted symlink and overwrite that sensitive file. To fix that, glog now causes the program to exit (with status code 2) when it finds that the configured log file already exists.

Severity

• CVSS Score: 4.1 / 10 (Medium)
• Vector String: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U

References

• https://nvd.nist.gov/vuln/detail/CVE-2024-45339
• https://github.com/golang/glog/pull/74
• https://github.com/golang/glog/pull/74/commits/b8741656e406e66d6992bc2c9575e460ecaa0ec2
• https://github.com/golang/glog
• https://groups.google.com/g/golang-announce/c/H-Q4ouHWyKs
• https://lists.debian.org/debian-lts-announce/2025/02/msg00019.html
• https://owasp.org/www-community/vulnerabilities/Insecure_Temporary_File
• https://pkg.go.dev/vuln/GO-2025-3372

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Vulnerability when creating log files in github.com/golang/glog

CVE-2024-45339 / GHSA-6wxm-mpqj-6jpf / GO-2025-3372

More information

Details

When logs are written to a widely-writable directory (the default), an unprivileged attacker may predict a privileged process's log file path and pre-create a symbolic link to a sensitive file in its place. When that privileged process runs, it will follow the planted symlink and overwrite that sensitive file. To fix that, glog now causes the program to exit (with status code 2) when it finds that the configured log file already exists.

Severity

Unknown

References

• https://github.com/golang/glog/pull/74/commits/b8741656e406e66d6992bc2c9575e460ecaa0ec2
• https://github.com/golang/glog/pull/74
• https://groups.google.com/g/golang-announce/c/H-Q4ouHWyKs
• https://owasp.org/www-community/vulnerabilities/Insecure_Temporary_File

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

---

Release Notes

golang/glog (github.com/golang/glog)

v1.2.4

Compare Source

What's Changed

• Fail if log file already exists by @​chressie in #​74:
  • glog: Don't try to create/rotate a given syncBuffer twice in the same second
  • glog: introduce createInDir function as in internal version
  • glog: have createInDir fail if the file already exists

Full Changelog: golang/glog@v1.2.3...v1.2.4

v1.2.3

Compare Source

What's Changed

• glog: check that stderr is valid before using it by default by @​chressie in #​72
• glog: fix typo by @​chressie in #​73

Full Changelog: golang/glog@v1.2.2...v1.2.3

v1.2.2

Compare Source

What's Changed

• glog: avoid calling user.Current() on windows by @​bentekkie in #​69

Full Changelog: golang/glog@v1.2.1...v1.2.2

v1.2.1

Compare Source

What's Changed

• glog: don't hold mutex when sync'ing by @​chressie in #​68

Full Changelog: golang/glog@v1.2.0...v1.2.1

v1.2.0

Compare Source

What's Changed

• glog: add context variants and logsink tests by @​chressie in #​66

Full Changelog: golang/glog@v1.1.2...v1.2.0

v1.1.2

Compare Source

Bugfix release.

What's Changed

• glog: populate symlinks -log_link directory by @​chressie in #​64

Full Changelog: golang/glog@v1.1.1...v1.1.2

v1.1.1

Compare Source

Bugfixes since the larger v1.1.0, which have been addressed.

v1.1.0

Compare Source

Tagging v1.1.0 after syncing glog with internal changes

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

Need help?

You can ask for more help in the following Slack channel: #proj-renovate-self-hosted. In that channel you can also find ADR and FAQ docs in the Resources section.

[github-actions]

😢 zizmor failed with exit code 14.

Expand for full output

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/buf-lint.yml:13:9
   |
13 |       - uses: bufbuild/[email protected]
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/buf-lint.yml:16:9
   |
16 |       - uses: bufbuild/buf-lint-action@v1
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/buf-lint.yml:19:9
   |
19 |       - uses: bufbuild/buf-breaking-action@v1
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/buf.yml:12:9
   |
12 |       - uses: bufbuild/[email protected]
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/buf.yml:15:9
   |
15 |       - uses: bufbuild/buf-lint-action@v1
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/buf.yml:18:9
   |
18 |       - uses: bufbuild/buf-breaking-action@v1
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/buf.yml:22:9
   |
22 |       - uses: bufbuild/buf-push-action@v1
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[template-injection]: code injection via template expansion
   --> ./.github/workflows/ci.yml:208:66
    |
208 |         run: ./scripts/ui_release.sh --check-package "$(echo ${{ github.ref_name }}|sed s/v2/v0/)"
    |         --- this run block                                       ^^^^^^^^^^^^^^^ may expand into attacker-controllable code
    |
    = note: audit confidence → High
    = note: this finding has an auto-fix

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/ci.yml:16:9
   |
16 |       - uses: prometheus/[email protected]
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/ci.yml:38:9
   |
38 |       - uses: prometheus/[email protected]
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
   --> ./.github/workflows/ci.yml:107:9
    |
107 |       - uses: prometheus/[email protected]
    |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
   --> ./.github/workflows/ci.yml:130:9
    |
130 |       - uses: prometheus/[email protected]
    |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
   --> ./.github/workflows/ci.yml:149:9
    |
149 |         uses: golangci/[email protected]
    |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
   --> ./.github/workflows/ci.yml:165:9
    |
165 |       - uses: prometheus/[email protected]
    |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
   --> ./.github/workflows/ci.yml:179:9
    |
179 |       - uses: prometheus/[email protected]
    |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
   --> ./.github/workflows/ci.yml:194:9
    |
194 |       - uses: prometheus/[email protected]
    |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/codeql-analysis.yml:29:9
   |
29 |         uses: github/codeql-action/init@v2
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/codeql-analysis.yml:34:9
   |
34 |         uses: github/codeql-action/autobuild@v2
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/codeql-analysis.yml:37:9
   |
37 |         uses: github/codeql-action/analyze@v2
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/fuzzing.yml:10:9
   |
10 |         uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/fuzzing.yml:15:9
   |
15 |         uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/lock.yml:18:9
   |
18 |       - uses: dessant/lock-threads@v4
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-images]: unpinned image references
  --> ./.github/workflows/repo_sync.yml:10:7
   |
10 |       image: quay.io/prometheus/golang-builder
   |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ container image is unpinned
   |
   = note: audit confidence → High

83 findings (37 ignored, 23 suppressed, 1 fixable): 0 informational, 0 low, 0 medium, 23 high