Merge remote-tracking branch 'upstream/release-v0.11.1'

red-hat-data-services · Jan 12, 2024 · a3a49b3 · a3a49b3
2 parents f93e586 + fa314ef
commit a3a49b3
Show file tree

Hide file tree

Showing 4 changed files with 132 additions and 67 deletions.
diff --git a/go.mod b/go.mod
@@ -27,7 +27,7 @@ require (
 	go.uber.org/zap v1.24.0
 	gomodules.xyz/jsonpatch/v2 v2.2.0
 	google.golang.org/api v0.122.0
-	google.golang.org/protobuf v1.30.0
+	google.golang.org/protobuf v1.32.0
 	istio.io/api v0.0.0-20200715212100-dbf5277541ef
 	istio.io/client-go v0.0.0-20201005161859-d8818315d678
 	k8s.io/api v0.26.4
@@ -106,9 +106,9 @@ require (
 	golang.org/x/net v0.17.0 // indirect
 	golang.org/x/oauth2 v0.8.0 // indirect
 	golang.org/x/sync v0.2.0 // indirect
-	golang.org/x/sys v0.13.0 // indirect
-	golang.org/x/term v0.13.0 // indirect
-	golang.org/x/text v0.13.0 // indirect
+	golang.org/x/sys v0.15.0 // indirect
+	golang.org/x/term v0.15.0 // indirect
+	golang.org/x/text v0.14.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
 	golang.org/x/tools v0.8.0 // indirect
 	golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
@@ -127,3 +127,15 @@ require (
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
 )
+
+replace (
+	// The crypto is pulled from go/compute which is pulled by go/storage
+	// this replace can be removed when version 1.36.1 of go/storage is released.
+	// https://github.com/googleapis/google-cloud-go/tree/main/storage
+	// Fixes CVE-2023-48795 - golang.org/x/crypto Authentication Bypass by Capture-replay
+	golang.org/x/crypto => golang.org/x/crypto v0.17.0
+
+	// Fixes github.com/elazarl/goproxy Denial of Service (DoS), the dependency was removed in v0.27.0
+	// Remove below when upgrading to controller-runtime 0.15.x or apimachinery to 0.27.x
+	k8s.io/apimachinery => k8s.io/apimachinery v0.27.0
+)