Bump the go_modules group in /src with 10 updates

[dependabot]

Bumps the go_modules group in /src with 10 updates:

Package	From	To
github.com/hashicorp/vault	1.15.1	1.18.1
github.com/cloudflare/circl	1.3.3	1.3.7
github.com/docker/docker	24.0.7+incompatible	26.1.5+incompatible
github.com/go-jose/go-jose/v3	3.0.1	3.0.3
github.com/hashicorp/go-retryablehttp	0.7.4	0.7.7
github.com/jackc/pgproto3/v2	2.3.2	2.3.3
github.com/jackc/pgx/v4	4.18.1	4.18.3
golang.org/x/crypto	0.14.0	0.27.0
golang.org/x/net	0.17.0	0.29.0
google.golang.org/protobuf	1.31.0	1.34.2

Updates github.com/hashicorp/vault from 1.15.1 to 1.18.1

Release notes

Sourced from github.com/hashicorp/vault's releases.

v1.18.1

No release notes provided.

v1.18.0

CHANGES:

• activity (enterprise): filter all fields in client count responses by the request namespace [GH-27790]
• activity (enterprise): remove deprecated fields distinct_entities and non_entity_tokens [GH-27830]
• activity log: Deprecated the field "default_report_months". Instead, the billing start time will be used to determine the start time when querying the activity log endpoints. [GH-27350]
• activity log: Deprecates the current_billing_period field for /sys/internal/counters/activity. The default start time will automatically be set the billing period start date. [GH-27426]
• activity: The activity export API now requires the sudo ACL capability. [GH-27846]
• activity: The activity export API now responds with a status of 204 instead 400 when no data exists within the time range specified by start_time and end_time. [GH-28064]
• activity: The startTime will be set to the start of the current billing period by default. The endTime will be set to the end of the current month. This applies to /sys/internal/counters/activity, /sys/internal/counters/activity/export, and the vault operator usage command that utilizes /sys/internal/counters/activity. [GH-27379]
• api: Update backoff/v3 to backoff/v4.3.0 [GH-26868]
• auth/alicloud: Update plugin to v0.19.0 [GH-28263]
• auth/azure: Update plugin to v0.19.0 [GH-28294]
• auth/cf: Update plugin to v0.18.0 [GH-27724]
• auth/cf: Update plugin to v0.19.0 [GH-28266]
• auth/gcp: Update plugin to v0.19.0 [GH-28366]
• auth/jwt: Update plugin to v0.21.0 [GH-27498]
• auth/jwt: Update plugin to v0.22.0 [GH-28349]
• auth/kerberos: Update plugin to v0.13.0 [GH-28264]
• auth/kubernetes: Update plugin to v0.20.0 [GH-28289]
• auth/oci: Update plugin to v0.17.0 [GH-28307]
• cli: The undocumented -dev-three-node and -dev-four-cluster CLI options have been removed. [GH-27578]
• consul-template: updated to version 0.39.1 [GH-27799]
• core(enterprise): Updated the following two control group related errors responses to respond with response code 400 instead of 500: control group: could not find token, and control group: token is not a valid control group token.
• core: Bump Go version to 1.22.7
• database/couchbase: Update plugin to v0.12.0 [GH-28327]
• database/elasticsearch: Update plugin to v0.16.0 [GH-28277]
• database/mongodbatlas: Update plugin to v0.13.0 [GH-28268]
• database/redis-elasticache: Update plugin to v0.5.0 [GH-28293]
• database/redis: Update plugin to v0.4.0 [GH-28404]
• database/snowflake: Update plugin to v0.12.0 [GH-28275]
• sdk: Upgrade to go-secure-stdlib/[email protected], which also bumps github.com/docker/docker to v26.1.5+incompatible [GH-28269]
• secrets/ad: Update plugin to v0.19.0 [GH-28361]
• secrets/alicloud: Update plugin to v0.18.0 [GH-28271]
• secrets/azure: Update plugin to v0.19.2 [GH-27652]
• secrets/azure: Update plugin to v0.20.0 [GH-28267]
• secrets/gcp: Update plugin to v0.20.0 [GH-28324]
• secrets/gcpkms: Update plugin to v0.18.0 [GH-28300]
• secrets/gcpkms: Update plugin to v0.19.0 [GH-28360]
• secrets/kubernetes: Update plugin to v0.9.0 [GH-28287]
• secrets/kv: Update plugin to v0.20.0 [GH-28334]
• secrets/mongodbatlas: Update plugin to v0.13.0 [GH-28348]
• secrets/openldap: Update plugin to v0.14.0 [GH-28325]

... (truncated)

Changelog

Sourced from github.com/hashicorp/vault's changelog.

1.18.1

October 30, 2024

SECURITY:

• core/raft: Add raft join limits [GH-28790, HCSEC-2024-26]

CHANGES:

• auth/azure: Update plugin to v0.19.1 [GH-28712]
• secrets/azure: Update plugin to v0.20.1 [GH-28699]
• secrets/openldap: Update plugin to v0.14.1 [GH-28479]
• secrets/openldap: Update plugin to v0.14.2 [GH-28704]
• secrets/openldap: Update plugin to v0.14.3 [GH-28780]

IMPROVEMENTS:

• core: Add a mount tuneable that trims trailing slashes of request paths during POST. Needed to support CMPv2 in PKI. [GH-28752]
• raft/snapshotagent (enterprise): upgrade raft-snapshotagent to v0.0.0-20241003195753-88fef418d705
• ui: Add button to copy secret path in kv v1 and v2 secrets engines [GH-28629]
• ui: Adds copy button to identity entity, alias and mfa method IDs [GH-28742]

BUG FIXES:

• agent: Fix chown error running agent on Windows with an auto-auth file sinks. [GH-28748]
• audit: Prevent users from enabling multiple audit devices of file type with the same file_path to write to. [GH-28751]
• cli: Fixed a CLI precedence issue where -agent-address didn't override VAULT_AGENT_ADDR as it should [GH-28574]
• core/seal (enterprise): Fix bug that caused seal generation information to be replicated, which prevented disaster recovery and performance replication clusters from using their own seal high-availability configuration.
• core/seal: Fix an issue that could cause reading from sys/seal-backend-status to return stale information. [GH-28631]
• core: Fixed panic seen when performing help requests without /v1/ in the URL. [GH-28669]
• kmip (enterprise): Use the default KMIP port for IPv6 addresses missing a port, for the listen_addrs configuration field, in order to match the existing IPv4 behavior
• namespaces (enterprise): Fix issue where namespace patch requests to a performance secondary would not patch the namespace's metadata.
• proxy: Fix chown error running proxy on Windows with an auto-auth file sink. [GH-28748]
• secrets/pki: Address issue with ACME HTTP-01 challenges failing for IPv6 IPs due to improperly formatted URLs [GH-28718]
• ui: No longer running decodeURIComponent on KVv2 list view allowing percent encoded data-octets in path name. [GH-28698]

1.18.0

October 9, 2024

SECURITY:

• secrets/identity: A privileged Vault operator with write permissions to the root namespace's identity endpoint could escalate their privileges to Vault's root policy (CVE-2024-9180) HCSEC-2024-21

CHANGES:

• activity (enterprise): filter all fields in client count responses by the request namespace [GH-27790]
• activity (enterprise): remove deprecated fields distinct_entities and non_entity_tokens [GH-27830]
• activity log: Deprecated the field "default_report_months". Instead, the billing start time will be used to determine the start time when querying the activity log endpoints. [GH-27350]
• activity log: Deprecates the current_billing_period field for /sys/internal/counters/activity. The default start time will automatically be set the billing period start date. [GH-27426]

... (truncated)

Commits

• f479e5c [VAULT-32181] This is an automated pull request to build all artifacts for a ...
• d92fac4 backport of commit 195dfca433028887973f5bd82d173d91fe9dab4a (#28791)
• 328fbc2 backport of commit 2eaae5e87bc926d61a02554425f3e815ff5ee3ab (#28787)
• 72c3a8e backport of commit 4688583754ef1e6cc6533ee9677a92b4651a1673 (#28785)
• e8c74b6 backport of commit c62d24dfc76dde52710b5645ed9318decc7943e6 (#28784)
• 2e9cc4d backport of commit a384eac192d362692d6600b5021239b36b799b53 (#28783)
• d45d044 backport of commit cccad7d53f8901aee84f4cac23f46384bff5d8ac (#28777)
• 24d1f9f backport of commit f439a1eece9e27d787ebc1ae187c0ca19de8800d (#28776)
• 337b222 backport of commit dec3bcc1aafec8c355f5435e5bc4953ce794eeb7 (#28774)
• 1ca2e01 backport of commit b4c332626f8d67cc970db5b8990b5ce9b1e1d5c9 (#28768)
• Additional commits viewable in compare view

Updates github.com/cloudflare/circl from 1.3.3 to 1.3.7

Release notes

Sourced from github.com/cloudflare/circl's releases.

CIRCL v1.3.7

What's Changed

• build(deps): bump golang.org/x/crypto from 0.3.1-0.20221117191849-2c476679df9a to 0.17.0 by @​dependabot in cloudflare/circl#467
• kyber: remove division by q in ciphertext compression by @​bwesterb in cloudflare/circl#468
• Releasing CIRCL v1.3.7 by @​armfazh in cloudflare/circl#469

New Contributors

• @​dependabot made their first contribution in cloudflare/circl#467

Full Changelog: cloudflare/circl@v1.3.6...v1.3.7

CIRCL v1.3.6

What's Changed

• internal: add TurboShake{128,256} by @​bwesterb in cloudflare/circl#430
• Kangaroo12 draft -10 by @​bwesterb in cloudflare/circl#431
• Add K12 as XOF by @​bwesterb in cloudflare/circl#437
• xof/k12: Fix a typo in the package documentation by @​cjpatton in cloudflare/circl#438
• Set CIRCL version for generated assembler code. by @​armfazh in cloudflare/circl#440
• Add tkn20 benchmarks by @​tanyav2 in cloudflare/circl#442
• Add partially blind RSA implementation by @​chris-wood in cloudflare/circl#445
• Update doc.go by @​nadimkobeissi in cloudflare/circl#447
• tss/rsa: key generation for threshold RSA (safe primes) by @​armfazh in cloudflare/circl#450
• Bumping Go version for CI jobs. by @​armfazh in cloudflare/circl#457
• Spelling by @​jsoref in cloudflare/circl#456
• blindrsa: updating blindrsa to be compliant with RFC9474 by @​armfazh in cloudflare/circl#464
• Releasing CIRCL v1.3.6 by @​armfazh in cloudflare/circl#465

New Contributors

• @​nadimkobeissi made their first contribution in cloudflare/circl#447
• @​jsoref made their first contribution in cloudflare/circl#456

Full Changelog: cloudflare/circl@v1.3.3...v1.3.6

Commits

• c48866b Releasing CIRCL v1.3.7
• 75ef91e kyber: remove division by q in ciphertext compression
• 899732a build(deps): bump golang.org/x/crypto
• 99f0f71 Releasing CIRCL v1.3.6
• e728d0d Apply thibmeu code review suggestions
• ceb2d90 Updating blindrsa to be compliant with RFC9474.
• 44133f7 spelling: tripped
• c2076d6 spelling: transposes
• dad2166 spelling: title
• 171c418 spelling: threshold
• Additional commits viewable in compare view

Updates github.com/docker/docker from 24.0.7+incompatible to 26.1.5+incompatible

Release notes

Sourced from github.com/docker/docker's releases.

v26.1.5

26.1.5

Security

This release contains a fix for CVE-2024-41110 / GHSA-v23v-6jw2-98fq that impacted setups using authorization plugins (AuthZ) for access control. No other changes are included in this release, and this release is otherwise identical for users not using AuthZ plugins.

Full Changelog: moby/moby@v26.1.4...v26.1.5

v26.1.4

26.1.4

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

• docker/cli, 26.1.4 milestone
• moby/moby, 26.1.4 milestone
• Deprecated and removed features, see Deprecated Features.
• Changes to the Engine API, see API version history.

Security

This release updates the Go runtime to 1.21.11 which contains security fixes for:

• CVE-2024-24789
• CVE-2024-24790
• A symlink time of check to time of use race condition during directory removal reported by Addison Crump (@​addisoncrump).

Bug fixes and enhancements

• Fixed an issue where promoting a node immediately after another node was demoted could cause the promotion to fail. moby/moby#47870
• Prevent the daemon log from being spammed with superfluous response.WriteHeader call ... messages.. moby/moby#47843
• Don't show empty hints when plugins return an empty hook message. docker/cli#5083
• Added ContextType: "moby" to the context list/inspect output to address a compatibility issue with Visual Studio Container Tools. docker/cli#5095
• Fix a compatibility issue with Visual Studio Container Tools. docker/cli#5095

Packaging updates

• Update containerd (static binaries only) to v1.7.17. moby/moby#47841
• CVE-2024-24789, CVE-2024-24790: Update Go runtime to 1.21.11. moby/moby#47904
• Update Compose to v2.27.1. docker/docker-ce-packages#1022
• Update Buildx to v0.14.1. docker/docker-ce-packages#1021

v26.1.3

26.1.3

... (truncated)

Commits

• 411e817 Merge commit from fork
• 9cc85ea If url includes scheme, urlPath will drop hostname, which would not match the...
• 820cab9 Authz plugin security fixes for 0-length content and path validation
• 6bc4906 Merge pull request #48123 from vvoland/v26.1-48120
• 6fbdce4 update to go1.21.12
• f533464 Merge pull request #47986 from vvoland/v26.1-47985
• c1d4587 builder/mobyexporter: Add missing nil check
• d642804 Merge pull request #47940 from thaJeztah/26.1_backport_api_remove_container_c...
• daba246 docs: api: image inspect: remove Container and ContainerConfig
• de5c9cf Merge pull request #47912 from thaJeztah/26.1_backport_vendor_containerd_1.7.18
• Additional commits viewable in compare view

Updates github.com/go-jose/go-jose/v3 from 3.0.1 to 3.0.3

Release notes

Sourced from github.com/go-jose/go-jose/v3's releases.

Version 3.0.3

Fixed

• Limit decompression output size to prevent a DoS. Backport from v4.0.1.

Version 3.0.2

Fixed

• DecryptMulti: handle decompression error (#19)

Changed

• jwe/CompactSerialize: improve performance (#67)
• Increase the default number of PBKDF2 iterations to 600k (#48)
• Return the proper algorithm for ECDSA keys (#45)
• Update golang.org/x/crypto to v0.19 (#94)

Added

• Add Thumbprint support for opaque signers (#38)

Changelog

Sourced from github.com/go-jose/go-jose/v3's changelog.

v3.0.3

Fixed

• Limit decompression output size to prevent a DoS. Backport from v4.0.1.

v3.0.2

Fixed

• DecryptMulti: handle decompression error (#19)

Changed

• jwe/CompactSerialize: improve performance (#67)
• Increase the default number of PBKDF2 iterations to 600k (#48)
• Return the proper algorithm for ECDSA keys (#45)

Added

• Add Thumbprint support for opaque signers (#38)

Commits

• add6a28 v3: backport decompression limit fix (#107)
• 11bb4e7 doc: in v3 branch's README, point to v4 as latest (#101)
• 863f73b v3.0.2: Update changelog (#95)
• bdbc794 Update golang.org/x/crypto to v0.19 (backport) (#94)
• 25bce79 Updated go-jose v3.0.0 to v3.0.1 in jose-util (#70)
• aa386df jwe/CompactSerialize: improve performance. (#67)
• 053c9bf DecryptMulti: handle decompression error (#19)
• ca9011b Bump go version to 1.21.4 to satisfy govulncheck (#68)
• c8399df Revert pull request #10 (multiple audiences) (#24)
• ec819e9 Add a security.md doc for contacting us about potential security vulnerabilit...
• Additional commits viewable in compare view

Updates github.com/hashicorp/go-retryablehttp from 0.7.4 to 0.7.7

Changelog

Sourced from github.com/hashicorp/go-retryablehttp's changelog.

0.7.7 (May 30, 2024)

BUG FIXES:

• client: avoid potentially leaking URL-embedded basic authentication credentials in logs (#158)

0.7.6 (May 9, 2024)

ENHANCEMENTS:

• client: support a RetryPrepare function for modifying the request before retrying (#216)
• client: support HTTP-date values for Retry-After header value (#138)
• client: avoid reading entire body when the body is a *bytes.Reader (#197)

BUG FIXES:

• client: fix a broken check for invalid server certificate in go 1.20+ (#210)

0.7.5 (Nov 8, 2023)

BUG FIXES:

• client: fixes an issue where the request body is not preserved on temporary redirects or re-established HTTP/2 connections (#207)

Commits

• 1542b31 v0.7.7
• defb9f4 v0.7.7
• a99f07b Merge pull request #158 from dany74q/danny/redacted-url-in-logs
• 8a28c57 Merge branch 'main' into danny/redacted-url-in-logs
• 86e852d Merge pull request #227 from hashicorp/dependabot/github_actions/actions/chec...
• 47fe99e Bump actions/checkout from 4.1.5 to 4.1.6
• 490fc06 Merge pull request #226 from testwill/ioutil
• f3e9417 chore: remove refs to deprecated io/ioutil
• d969eaa Merge pull request #225 from hashicorp/manicminer-patch-2
• 2ad8ed4 v0.7.6
• Additional commits viewable in compare view

Updates github.com/jackc/pgproto3/v2 from 2.3.2 to 2.3.3

Commits

• 945c212 Backport fixes from pgx v5
• See full diff in compare view

Updates github.com/jackc/pgx/v4 from 4.18.1 to 4.18.3

Changelog

Sourced from github.com/jackc/pgx/v4's changelog.

4.18.3 (March 9, 2024)

Use spaces instead of parentheses for SQL sanitization.

This still solves the problem of negative numbers creating a line comment, but this avoids breaking edge cases such as set foo to $1 where the substitution is taking place in a location where an arbitrary expression is not allowed.

4.18.2 (March 4, 2024)

Fix CVE-2024-27289

SQL injection can occur when all of the following conditions are met:

1. The non-default simple protocol is used.
2. A placeholder for a numeric value must be immediately preceded by a minus.
3. There must be a second placeholder for a string value after the first placeholder; both must be on the same line.
4. Both parameter values must be user-controlled.

Thanks to Paul Gerste for reporting this issue.

Fix CVE-2024-27304

SQL injection can occur if an attacker can cause a single query or bind message to exceed 4 GB in size. An integer overflow in the calculated message size can cause the one large message to be sent as multiple messages under the attacker's control.

Thanks to Paul Gerste for reporting this issue.

• Fix *dbTx.Exec not checking if it is already closed

Commits

• 8f05c47 Update changelog
• 69fcb46 Use spaces instead of parentheses for SQL sanitization.
• 14690df Update changelog
• 779548e Update required Go version to 1.17
• 80e9662 Update github.com/jackc/pgconn to v1.14.3
• 0bf9ac3 Fix erroneous test case
• f94eb0e Always wrap arguments in parentheses in the SQL sanitizer
• 826a892 Fix SQL injection via line comment creation in simple protocol
• 7d882f9 Fix *dbTx.Exec not checking if it is already closed
• 1d07b8b go mod tidy
• See full diff in compare view

Updates golang.org/x/crypto from 0.14.0 to 0.27.0

Commits

• c9da6b9 all: fix printf(var) mistakes detected by latest printf checker
• b35ab4f go.mod: update golang.org/x dependencies
• bcb0f91 internal/poly1305: Port sum_amd64.s to Avo
• 7eace71 chacha20poly1305: Avo port of chacha20poly1305_amd64.s
• 620dfbc salsa20/salsa: Port salsa20_amd64.s to Avo
• 82942cf blake2b: port blake2b_amd64.s to Avo
• 0484c26 blake2b: port blake2bAVX2_amd64.s to Avo
• 38ed1bc blake2s: port blake2s_amd64.s to Avo
• 38a0b5d argon2: Avo port of blamka_amd64.s
• bf5f14f x509roots/fallback: update bundle
• Additional commits viewable in compare view

Updates golang.org/x/net from 0.17.0 to 0.29.0

Commits

• 35b4aba go.mod: update golang.org/x dependencies
• 9bf379f websocket: fix printf(var) mistake detected by latest printf checker
• 4542a42 go.mod: update golang.org/x dependencies
• 765c7e8 xsrftoken: create no padding base64 string by RawURLEncoding
• 032e4e4 LICENSE: update per Google Legal
• e2310ae go.mod: update golang.org/x dependencies
• 77708f7 quic: skip tests which depend on unimplemented UDP functions on Plan 9
• 9617c63 http2: avoid Transport hang with Connection: close and AllowHTTP
• 66e838c go.mod: update golang.org/x dependencies
• 6249541 http2: avoid race in server handler SetReadDeadine/SetWriteDeadline
• Additional commits viewable in compare view

Updates google.golang.org/protobuf from 1.31.0 to 1.34.2

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.