Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Bump go.mongodb.org/mongo-driver from 1.3.0 to 1.5.1 #959

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Feb 19, 2023

Bumps go.mongodb.org/mongo-driver from 1.3.0 to 1.5.1.

Release notes

Sourced from go.mongodb.org/mongo-driver's releases.

MongoDB Go Driver 1.5.1

The MongoDB Go driver team is pleased to release 1.5.1 of the official Go driver.

This release contains several bug fixes. Due to the issue below, we recommend all users upgrade to this version of the driver.

Documentation can be found on pkg.go.dev and the MongoDB documentation site. BSON library documentation is also available on pkg.go.dev. Questions and inquiries can be asked on the MongoDB Developer Community. Bugs can be reported in the Go Driver Jira where a list of current issues can be found.

This CVE describes a security issue with the driver's BSON marshalling system. BSON marshalling functions would incorrectly handle null bytes embedded in BSON key names and the pattern/options fields of a BSON regex value. BSON marshalling functions now correctly validate and error if there is an embedded null byte in BSON key names or the pattern/options fields of a BSON regex value. We recommend all users of the driver upgrade to this version.

CVE ID: CVE-2021-20329 Title: Specific cstrings input may not be properly validated in the MongoDB Go Driver Description: Specific cstrings input may not be properly validated in the MongoDB Go Driver when marshalling Go objects into BSON. A malicious user could use a Go object with specific string to potentially inject additional fields into marshalled documents. This issue affects all MongoDB GO Drivers up to (and including) 1.5.0. CVSS score: 6.8 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N Affected products and versions, MongoDB Go Driver versions <= 1.5.0 Underlying operating systems affected: All

For a full list of tickets included in this release, please see the links below:

Bugs

Tasks

MongoDB Go Driver 1.5.0

The MongoDB Go driver team is pleased to release 1.5.0 of the official Go driver.

This release contains several new features and usability improvements for the driver.

Documentation can be found on pkg.go.dev and the MongoDB documentation site. BSON library documentation is also available on pkg.go.dev. Questions and inquiries can be asked on the MongoDB Developer Community. Bugs can be reported in the Go Driver Jira where a list of current issues can be found.

This release contains a new errors API for the primary mongo package. Users can now detect duplicate key errors, timeouts, and network errors via the mongo.IsDuplicateKeyError, mongo.IsTimeout, and mongo.IsNetworkError functions, respectively. Additionally, a new UpdateByID function has been added to the mongo.Collection type to update a single document with a given _id value.

The Go Driver now supports using GCP and Azure key management services with the client-side field level encryption feature. In addition, AWS key management support has been enhanced to allow authenticating with temporary AWS credentials. See the MongoDB docs for more information about these improvements. Use of client-side field level encryption requires users to install the latest released version of libmongocrypt. Note: This means that existing applications that use this feature will need to upgrade the libmongocrypt dependency when upgrading to this driver version; otherwise, the application will fail to compile. Users can upgrade to the latest development release of libmongocrypt via the OS-specific instructions for macos, Windows, and Linux.

Monitoring has now been added for various server events. A ServerMonitor set on a mongo.Client monitors changes on the MongoDB deployment it is connected to and reports the changes in the client's representation of the deployment.

The driver will now error if a map with more than one key is used as a hint option, sort option, or for index creation. This is to prevent unexpected behavior, for example, an index being created with the keys in the wrong order.

... (truncated)

Commits
  • 40c0e70 Update version to v1.5.1
  • 3a89e6c GODRIVER-1923 Error if BSON cstrings contain null bytes (#622)
  • 1a2534c GODRIVER-1935 Update scram/stringprep dependencies (#624)
  • 6ea353a GODRIVER-1918 Check for zero length in readstring (#613)
  • d5e11aa GODRIVER-1919 Support decoding ObjectIDs from hex strings in BSON (#610)
  • e0ed6d6 Update version to v1.5.1+prerelease
  • 6760875 Update version to v1.5.0
  • 19a368c GODRIVER-1911 Fix Windows/macos test failures for CSFLE (#603)
  • 2a5f9a4 GODRIVER-1879 Apply connectTimeoutMS to TLS handshake (#594)
  • 2c5b75b GODRIVER-1855 Support AWS authentication with temporary credentials in CSFLE ...
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [go.mongodb.org/mongo-driver](https://github.com/mongodb/mongo-go-driver) from 1.3.0 to 1.5.1.
- [Release notes](https://github.com/mongodb/mongo-go-driver/releases)
- [Commits](mongodb/mongo-go-driver@v1.3.0...v1.5.1)

---
updated-dependencies:
- dependency-name: go.mongodb.org/mongo-driver
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Feb 19, 2023
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Feb 19, 2023

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: dependabot[bot]
Once this PR has been reviewed and has the lgtm label, please assign marsik for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Feb 19, 2023

Hi @dependabot[bot]. Thanks for your PR.

I'm waiting for a openshift-kni member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci openshift-ci bot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Feb 19, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dependencies Pull requests that update a dependency file needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants