62 lines
3.6 KiB
Diff
62 lines
3.6 KiB
Diff
|
From 4d25a94faa74e0a16e4bb7874c1d82faaf911d85 Mon Sep 17 00:00:00 2001
|
||
|
From: Daniel Mellado <dmellado@redhat.com>
|
||
|
Date: Tue, 25 Jun 2024 16:31:03 +0200
|
||
|
Subject: [PATCH] Bump go-retryablehttp to fix basic auth creds leak
|
||
|
|
||
|
This PR updates go-retryablehttp to version 0.7.7, even if it's used as
|
||
|
an indirect import. Versions previous to that can didn't sanitize urls,
|
||
|
discussed at HDCSEC-2024-12 [1]
|
||
|
|
||
|
[1] https://discuss.hashicorp.com/t/hcsec-2024-12-go-retryablehttp-can-leak-basic-auth-credentials-to-log-files/68027
|
||
|
|
||
|
Signed-off-by: Daniel Mellado <dmellado@redhat.com>
|
||
|
---
|
||
|
go.mod | 4 ++--
|
||
|
go.sum | 9 ++++-----
|
||
|
2 files changed, 6 insertions(+), 7 deletions(-)
|
||
|
|
||
|
diff --git a/go.mod b/go.mod
|
||
|
index ac8b4f469d0..ce2f0714a0a 100644
|
||
|
--- a/go.mod
|
||
|
+++ b/go.mod
|
||
|
@@ -146,10 +146,10 @@ require (
|
||
|
github.com/hashicorp/cronexpr v1.1.2 // indirect
|
||
|
github.com/hashicorp/errwrap v1.1.0 // indirect
|
||
|
github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
|
||
|
- github.com/hashicorp/go-hclog v1.5.0 // indirect
|
||
|
+ github.com/hashicorp/go-hclog v1.6.3 // indirect
|
||
|
github.com/hashicorp/go-immutable-radix v1.3.1 // indirect
|
||
|
github.com/hashicorp/go-multierror v1.1.1 // indirect
|
||
|
- github.com/hashicorp/go-retryablehttp v0.7.4 // indirect
|
||
|
+ github.com/hashicorp/go-retryablehttp v0.7.7 // indirect
|
||
|
github.com/hashicorp/go-rootcerts v1.0.2 // indirect
|
||
|
github.com/hashicorp/golang-lru v0.6.0 // indirect
|
||
|
github.com/hashicorp/serf v0.10.1 // indirect
|
||
|
diff --git a/go.sum b/go.sum
|
||
|
index 06db002f55b..956b9d89492 100644
|
||
|
--- a/go.sum
|
||
|
+++ b/go.sum
|
||
|
@@ -369,9 +369,8 @@ github.com/hashicorp/go-cleanhttp v0.5.0/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtng
|
||
|
github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80=
|
||
|
github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ=
|
||
|
github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48=
|
||
|
-github.com/hashicorp/go-hclog v0.9.2/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ=
|
||
|
-github.com/hashicorp/go-hclog v1.5.0 h1:bI2ocEMgcVlz55Oj1xZNBsVi900c7II+fWDyV9o+13c=
|
||
|
-github.com/hashicorp/go-hclog v1.5.0/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M=
|
||
|
+github.com/hashicorp/go-hclog v1.6.3 h1:Qr2kF+eVWjTiYmU7Y31tYlP1h0q/X3Nl3tPGdaB11/k=
|
||
|
+github.com/hashicorp/go-hclog v1.6.3/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M=
|
||
|
github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60=
|
||
|
github.com/hashicorp/go-immutable-radix v1.3.1 h1:DKHmCUm2hRBK510BaiZlwvpD40f8bJFeZnpfm2KLowc=
|
||
|
github.com/hashicorp/go-immutable-radix v1.3.1/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60=
|
||
|
@@ -383,8 +382,8 @@ github.com/hashicorp/go-multierror v1.1.0/go.mod h1:spPvp8C1qA32ftKqdAHm4hHTbPw+
|
||
|
github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo=
|
||
|
github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
|
||
|
github.com/hashicorp/go-retryablehttp v0.5.3/go.mod h1:9B5zBasrRhHXnJnui7y6sL7es7NDiJgTc6Er0maI1Xs=
|
||
|
-github.com/hashicorp/go-retryablehttp v0.7.4 h1:ZQgVdpTdAL7WpMIwLzCfbalOcSUdkDZnpUv3/+BxzFA=
|
||
|
-github.com/hashicorp/go-retryablehttp v0.7.4/go.mod h1:Jy/gPYAdjqffZ/yFGCFV2doI5wjtH1ewM9u8iYVjtX8=
|
||
|
+github.com/hashicorp/go-retryablehttp v0.7.7 h1:C8hUCYzor8PIfXHa4UrZkU4VvK8o9ISHxT2Q8+VepXU=
|
||
|
+github.com/hashicorp/go-retryablehttp v0.7.7/go.mod h1:pkQpWZeYWskR+D1tR2O5OcBFOxfA7DoAO6xtkuQnHTk=
|
||
|
github.com/hashicorp/go-rootcerts v1.0.0/go.mod h1:K6zTfqpRlCUIjkwsN4Z+hiSfzSTQa6eBIzfwKfwNnHU=
|
||
|
github.com/hashicorp/go-rootcerts v1.0.2 h1:jzhAVGtqPKbwpyCPELlgNWhE1znq+qwJtW5Oi2viEzc=
|
||
|
github.com/hashicorp/go-rootcerts v1.0.2/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8=
|