This repository was archived by the owner on Aug 17, 2025. It is now read-only.
Update module github.com/cloudevents/sdk-go/v2 to v2.15.2 [SECURITY] #151
This PR contains the following updates:
Package github.com/cloudevents/sdk-go/v2: v2.12.0 -> v2.15.2

GitHub Vulnerability Alerts
CVE-2024-28110
Impact
What kind of vulnerability is it? Who is impacted?
Using cloudevents.WithRoundTripper to create a cloudevents.Client with an authenticated http.RoundTripper causes the go-sdk to leak credentials to arbitrary endpoints.
The relevant code is here (also inline):

    if p.Client == nil {
        p.Client = http.DefaultClient
    }
    if p.roundTripper != nil {
        p.Client.Transport = p.roundTripper
    }

When the transport is populated with an authenticated transport such as:
... then http.DefaultClient is modified with the authenticated transport and will start to send Authorization tokens to any endpoint it is used to contact!
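The aliasing the advisory describes, as an added Go example that is not sdk-go's own code: a constructed bearer-token RoundTripper, a constructor reproducing the quoted pre-v2.15.2 logic (aliasDefault true) beside the allocate-a-fresh-client alternative, and a check of what an unrelated http.DefaultClient request then carries. The names authTransport, newClient and authHeaderLeakedTo are this example's own, not the library's.

```go
package main

import (
	"net/http"
	"net/http/httptest"
)

// authTransport stands in (constructed for this example) for an authenticated
// RoundTripper such as an OAuth2 transport: it adds a bearer token to every request.
type authTransport struct{ token string }

func (t *authTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	r := req.Clone(req.Context())
	r.Header.Set("Authorization", "Bearer "+t.token)
	return http.DefaultTransport.RoundTrip(r)
}

// newClient mirrors the pre-v2.15.2 logic quoted in the advisory: with aliasDefault true, a nil
// client becomes the shared http.DefaultClient, which is then mutated in place (the bug);
// with aliasDefault false a fresh *http.Client is allocated instead, so the global is untouched.
func newClient(client *http.Client, rt http.RoundTripper, aliasDefault bool) *http.Client {
	if client == nil {
		if aliasDefault {
			client = http.DefaultClient
		} else {
			client = &http.Client{}
		}
	}
	if rt != nil {
		client.Transport = rt
	}
	return client
}

// authHeaderLeakedTo builds a client with newClient, then issues an unrelated request through plain
// http.DefaultClient to a local test server and returns the Authorization header it received ("" = no leak).
func authHeaderLeakedTo(aliasDefault bool) string {
	defer func() { http.DefaultClient.Transport = nil }() // undo any mutation between runs
	seen := make(chan string, 1)
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seen <- r.Header.Get("Authorization")
	}))
	defer srv.Close()
	newClient(nil, &authTransport{token: "constructed-secret"}, aliasDefault)
	resp, err := http.DefaultClient.Get(srv.URL) // this flow never asked for credentials
	if err != nil {
		return "error: " + err.Error()
	}
	resp.Body.Close()
	return <-seen
}
```

Running authHeaderLeakedTo(true) shows the unrelated request arriving with "Bearer constructed-secret", while authHeaderLeakedTo(false) shows it arriving with no Authorization header at all.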
Found and patched by: @tcnghia and @mattmoor
Patches
v2.15.2
Release Notes
cloudevents/sdk-go (github.com/cloudevents/sdk-go/v2)
v2.15.2 (Compare Source)

What's Changed
DefaultClient, or change the CloudEventsClient returned from NewClient, and expect those changes to be visible on other HTTP flows using those Clients. E.g. auth

Full Changelog: cloudevents/sdk-go@v2.15.1...v2.15.2
v2.15.1 (Compare Source)

What's Changed
confluent-kafka-go binding for Kafka by @yanmxa in https://github.com/cloudevents/sdk-go/pull/1008

New Contributors
Full Changelog: cloudevents/sdk-go@v2.15.0...v2.15.1
v2.15.0 (Compare Source)
Highlights 💫
This release includes various updates and improvements such as README enhancements, dependency bumps, bug fixes, race condition resolutions, and protocol-related adjustments. Notable changes involve upgrading dependencies like grpc and go.opentelemetry, addressing race conditions, fixing Kafka test issues, and introducing new features like binary content mode for NATS and JetStream protocols. Additionally, there are governance documentation updates, link corrections, and improvements in error handling and documentation across different modules.
Breaking 🚨
The Kafka Sarama protocol now uses the "github.com/IBM/sarama" Go module import path.

Commits 📄
896e1d0 Update README.md
75ec0f2 Bump actions/setup-go from 4 to 5
41e80f7 fixed couple issues
9ccd339 bugfix_value_type_of_dataschema
c8cbca9 adds unique package name for import
f1bca09 relative .pb.go generation, go_package set to package name
c20eef2 bump the paho mqtt to v0.12
ed7be6b Add WithCustomAttributes for PubSub
be31358 returning the error when doing a nack in the message
ecead5c Make a few comments a bit clearer
57be3cd Try to make sure the Receiver starts before we send events
f5c7061 Try to fix race again - don't reuse clients for sender/receiver
8bea925 Bump google.golang.org/grpc from 1.56.1 to 1.56.3 in /samples/http
fa6be00 Bump google.golang.org/grpc from 1.56.1 to 1.56.3 in /protocol/pubsub/v2
7e05ecd Bump google.golang.org/grpc from 1.56.1 to 1.56.3 in /samples/pubsub
13825ba Sleep less to avoid timeouts
3162d69 Bump github.com/nats-io/nats-server/v2 in /protocol/stan/v2
ec8b0f9 deps: update nats dependencies
dae9f6c Bump go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp
1d6360b Bump go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp
06658a2 Bump go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp
7c1a3b1 fix race
6f5984b Move to go 1.18 Had to run gofmt and fix some weird typos due to tabs in the comments
0a006bb Fix race condition in kafka tests
510b002 issue 814 - Add binary content mode for NATS and JetStream protocols
ac3d30c add link to our security mailing list
9405398 Bump golang.org/x/net in /observability/opencensus/v2
3cbfae0 Bump golang.org/x/net from 0.9.0 to 0.17.0 in /protocol/pubsub/v2
65eb52e Bump golang.org/x/net from 0.12.0 to 0.17.0 in /protocol/kafka_sarama/v2
d25d6e4 Bump golang.org/x/net from 0.9.0 to 0.17.0 in /samples/pubsub
e4653a8 Bump golang.org/x/net from 0.12.0 to 0.17.0 in /test/conformance
6ed9f79 Bump golang.org/x/net from 0.9.0 to 0.17.0 in /samples/http
6a3393c Bump golang.org/x/net from 0.7.0 to 0.17.0 in /test/benchmark
806ef35 Bump golang.org/x/net from 0.12.0 to 0.17.0 in /samples/kafka
de13f1b Bump golang.org/x/net from 0.12.0 to 0.17.0 in /test/integration
3eefeb1 Governance docs per CE PR 1226
1bcaa28 Update links to cloudevents spec
6aa2742 context.Done() may never reach if waiting on r.incoming <- msgErr
4bcddda move it to write message
d06aea7 clean the previous properties
0cc4fba Bump actions/checkout from 3 to 4
f1c0d0a change dependency sarama from Shopify to IBM
f84be73 Updated based on feedback
310da90 Support ACK when receiving malformed events
808bf38 provide the qos and retain configuration for mqtt protocol
e085f1a correct the doc links
766b88e remove the usage of deprecated io/ioutil package
e15d03d add assertion helper for extension keys (#920)
c1482af append mqtt to the doc of protocol binding (#919)
ff22db5 Bump andstor/file-existence-action from 1 to 2 (#917)
bf156f1 call finish on unused messages; tidy retry logic
fdcb2d2 mqtt protocol binding (#910)
f681ac6 Bump grpc dependencies and workflow versions (#914)
c684ae9 vote to add embano1 as a maintainer
50b18a0 Bump golang.org/x/crypto in /samples/http (#902)
5232986 http: Fixes for Gin http receiver sample (#905)
9970acc Added a Gin http receiver sample (#842)
b7a65db add kafka topic/partition/offset to the extension of event (#896)
bc9170f Short-circuit AND expressions (#899)
eae656f Bump nokogiri from 1.14.2 to 1.14.3 in /docs (#891)
ff0a142 fix: Fixing syntax errors and add some test feedback (#892)
55e5dba Update RELEASING to be more explicit

v2.14.0 (Compare Source)
What's Changed
go mod w/o -go and -compat flags by @duglin in https://github.com/cloudevents/sdk-go/pull/888

New Contributors
Full Changelog: cloudevents/sdk-go@v2.13.0...v2.14.0
v2.13.0 (Compare Source)
What's Changed
New Contributors
Full Changelog: cloudevents/sdk-go@v2.12.0...v2.13.0
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.