Bump the go_modules group across 8 directories with 6 updates

[dependabot]

Bumps the go_modules group with 4 updates in the / directory: golang.org/x/net, google.golang.org/grpc, google.golang.org/protobuf and github.com/lestrrat-go/jwx.
Bumps the go_modules group with 4 updates in the /components/bifrost directory: golang.org/x/net, google.golang.org/grpc, google.golang.org/protobuf and github.com/lestrrat-go/jwx.
Bumps the go_modules group with 4 updates in the /components/echo-server directory: golang.org/x/net, google.golang.org/grpc, google.golang.org/protobuf and github.com/lestrrat-go/jwx.
Bumps the go_modules group with 4 updates in the /components/heimdall directory: golang.org/x/net, google.golang.org/grpc, google.golang.org/protobuf and github.com/golang-jwt/jwt/v4.
Bumps the go_modules group with 1 update in the /components/kafka-protocol-go directory: golang.org/x/crypto.
Bumps the go_modules group with 4 updates in the /experimental/java directory: golang.org/x/net, google.golang.org/grpc, google.golang.org/protobuf and github.com/lestrrat-go/jwx.
Bumps the go_modules group with 2 updates in the /experimental/kafka-message-pii-filter directory: golang.org/x/net and google.golang.org/protobuf.
Bumps the go_modules group with 4 updates in the /experimental/mobile directory: golang.org/x/net, google.golang.org/grpc, google.golang.org/protobuf and github.com/lestrrat-go/jwx.

Updates golang.org/x/net from 0.10.0 to 0.23.0

Commits

• c48da13 http2: fix TestServerContinuationFlood flakes
• 762b58d http2: fix tipos in comment
• ba87210 http2: close connections when receiving too many headers
• ebc8168 all: fix some typos
• 3678185 http2: make TestCanonicalHeaderCacheGrowth faster
• 448c44f http2: remove clientTester
• c7877ac http2: convert the remaining clientTester tests to testClientConn
• d8870b0 http2: use synthetic time in TestIdleConnTimeout
• d73acff http2: only set up deadline when Server.IdleTimeout is positive
• 89f602b http2: validate client/outgoing trailers
• Additional commits viewable in compare view

Updates google.golang.org/grpc from 1.55.0 to 1.56.3

Release notes

Sourced from google.golang.org/grpc's releases.

Release 1.56.3

Security

• server: prohibit more than MaxConcurrentStreams handlers from running at once (CVE-2023-44487)

  In addition to this change, applications should ensure they do not leave running tasks behind related to the RPC before returning from method handlers, or should enforce appropriate limits on any such work.

Release 1.56.2

• status: To fix a panic, status.FromError now returns an error with codes.Unknown when the error implements the GRPCStatus() method, and calling GRPCStatus() returns nil. (#6374)

Release 1.56.1

• client: handle empty address lists correctly in addrConn.updateAddrs

Release 1.56.0

New Features

• client: support channel idleness using WithIdleTimeout dial option (#6263)
  • This feature is currently disabled by default, but will be enabled with a 30 minute default in the future.
• client: when using pickfirst, keep channel state in TRANSIENT_FAILURE until it becomes READY (gRFC A62) (#6306)
• xds: Add support for Custom LB Policies (gRFC A52) (#6224)
• xds: support pick_first Custom LB policy (gRFC A62) (#6314) (#6317)
• client: add support for pickfirst address shuffling (gRFC A62) (#6311)
• xds: Add support for String Matcher Header Matcher in RDS (#6313)
• xds/outlierdetection: Add Channelz Logger to Outlier Detection LB (#6145)
  • Special Thanks: @​s-matyukevich
• xds: enable RLS in xDS by default (#6343)
• orca: add support for application_utilization field and missing range checks on several metrics setters
• balancer/weightedroundrobin: add new LB policy for balancing between backends based on their load reports (gRFC A58) (#6241)
• authz: add conversion of json to RBAC Audit Logging config (#6192)
• authz: add support for stdout logger (#6230 and #6298)
• authz: support customizable audit functionality for authorization policy (#6192 #6230 #6298 #6158 #6304 and #6225)

Bug Fixes

• orca: fix a race at startup of out-of-band metric subscriptions that would cause the report interval to request 0 (#6245)
• xds/xdsresource: Fix Outlier Detection Config Handling and correctly set xDS Defaults (#6361)
• xds/outlierdetection: Fix Outlier Detection Config Handling by setting defaults in ParseConfig() (#6361)

API Changes

• orca: allow a ServerMetricsProvider to be passed to the ORCA service and ServerOption (#6223)

Release 1.55.1

• status: To fix a panic, status.FromError now returns an error with codes.Unknown when the error implements the GRPCStatus() method, and calling GRPCStatus() returns nil. (#6374)

Commits

• 1055b48 Update version.go to 1.56.3 (#6713)
• 5efd7bd server: prohibit more than MaxConcurrentStreams handlers from running at once...
• bd1f038 Upgrade version.go to 1.56.3-dev (#6434)
• faab873 Update version.go to v1.56.2 (#6432)
• 6b0b291 status: fix panic when servers return a wrapped error with status OK (#6374) ...
• ed56401 [PSM interop] Don't fail target if sub-target already failed (#6390) (#6405)
• cd6a794 Update version.go to v1.56.2-dev (#6387)
• 5b67e5e Update version.go to v1.56.1 (#6386)
• d0f5150 client: handle empty address lists correctly in addrConn.updateAddrs (#6354) ...
• 997c1ea Change version to 1.56.1-dev (#6345)
• Additional commits viewable in compare view

Updates google.golang.org/protobuf from 1.30.0 to 1.33.0

Updates github.com/lestrrat-go/jwx from 1.2.26 to 1.2.29

Release notes

Sourced from github.com/lestrrat-go/jwx's releases.

v1.2.29 07 Mar 2024

[Security]

• [jwe] Added jwe.Settings(jwe.WithMaxDecompressBufferSize(int64)) to specify the maximum size of a decompressed JWE payload. The default value is 10MB. If you are compressing payloads greater than this, you need to explicitly set it.

  Unlike in v2, there is no way to set this globally. Please use v2 if this is required.

v1.2.28

v1.2.28 09 Jan 2024
[Security Fixes]
  * [jws] JWS messages formated in full JSON format (i.e. not the compact format, which
    consists of three base64 strings concatenated with a '.') with missing "protected"
    headers could cause a panic, thereby introducing a possiblity of a DoS.
This has been fixed so that the `jws.Parse` function succeeds in parsing a JWS message
lacking a protected header. Calling `jws.Verify` on this same JWS message will result
in a failed verification attempt. Note that this behavior will differ slightly when
parsing JWS messages in compact form, which result in an error.

v1.2.27

v1.2.27 - 03 Dec 2023
[Security]
  * [jwe] A large number in p2c parameter for PBKDF2 based encryptions could cause a DoS attack,
    similar to https://nvd.nist.gov/vuln/detail/CVE-2022-36083.  All users should upgrade, as
    unlike v2, v1 attempts to decrypt JWEs on JWTs by default.
    [GHSA-7f9x-gw85-8grf]
[Bug Fixes]

[jwk] jwk.Set(jwk.KeyOpsKey, <jwk.KeyOperation>) now works (previously, either
Set(.., <string>) or Set(..., []jwk.KeyOperation{...}) worked, but not a single
jwk.KeyOperation

Changelog

Sourced from github.com/lestrrat-go/jwx's changelog.

v1.2.29 07 Mar 2024

• [jwe] Added jwe.Settings(jwe.WithMaxDecompressBufferSize(int64)) to specify the maximum size of a decompressed JWE payload. The default value is 10MB. If you are compressing payloads greater than this, you need to explicitly set it.

  Unlike in v2, there is no way to set this globally. Please use v2 if this is required.

v1.2.28 09 Jan 2024 [Security Fixes]

• [jws] JWS messages formated in full JSON format (i.e. not the compact format, which consists of three base64 strings concatenated with a '.') with missing "protected" headers could cause a panic, thereby introducing a possiblity of a DoS.

  This has been fixed so that the jws.Parse function succeeds in parsing a JWS message lacking a protected header. Calling jws.Verify on this same JWS message will result in a failed verification attempt. Note that this behavior will differ slightly when parsing JWS messages in compact form, which result in an error.

v1.2.27 - 03 Dec 2023 [Security]

• [jwe] A large number in p2c parameter for PBKDF2 based encryptions could cause a DoS attack, similar to https://nvd.nist.gov/vuln/detail/CVE-2022-36083. All users should upgrade, as unlike v2, v1 attempts to decrypt JWEs on JWTs by default. [GHSA-7f9x-gw85-8grf]

[Bug Fixes]

• [jwk] jwk.Set(jwk.KeyOpsKey, ) now works (previously, either Set(.., ) or Set(..., []jwk.KeyOperation{...}) worked, but not a single jwk.KeyOperation

Commits

• 1025f8e Merge pull request #1092 from lestrrat-go/develop/v1
• 4399ace Merge branch 'v1' into develop/v1
• dc80fed Update Changes
• e4c1511 silence linter
• d01027d Merge pull request from GHSA-hj3v-m684-v259
• 3d6e0e0 Bump github.com/stretchr/testify from 1.8.4 to 1.9.0 (#1085)
• 3af5916 Bump golang.org/x/crypto from 0.19.0 to 0.21.0 (#1087)
• 7a05818 Bump golang.org/x/crypto from 0.18.0 to 0.19.0 (#1074)
• 8e2aacd Bump golangci/golangci-lint-action from 3 to 4 (#1076)
• 4b1fd05 Bump kentaro-m/auto-assign-action from 1.2.6 to 2.0.0 (#1068)
• Additional commits viewable in compare view

Updates golang.org/x/crypto from 0.9.0 to 0.21.0

Commits

• 9d2ee97 ssh: implement strict KEX protocol changes
• 4e5a261 ssh: close net.Conn on all NewServerConn errors
• 152cdb1 x509roots/fallback: update bundle
• fdfe1f8 ssh: defer channel window adjustment
• b8ffc16 blake2b: drop Go 1.6, Go 1.8 compatibility
• 7e6fbd8 ssh: wrap errors from client handshake
• bda2f3f argon2: avoid clobbering BP
• 325b735 ssh/test: skip TestSSHCLIAuth on Windows
• 1eadac5 go.mod: update golang.org/x dependencies
• b2d7c26 ssh: add (*Client).DialContext method
• Additional commits viewable in compare view

Updates golang.org/x/net from 0.10.0 to 0.23.0

Commits

• c48da13 http2: fix TestServerContinuationFlood flakes
• 762b58d http2: fix tipos in comment
• ba87210 http2: close connections when receiving too many headers
• ebc8168 all: fix some typos
• 3678185 http2: make TestCanonicalHeaderCacheGrowth faster
• 448c44f http2: remove clientTester
• c7877ac http2: convert the remaining clientTester tests to testClientConn
• d8870b0 http2: use synthetic time in TestIdleConnTimeout
• d73acff http2: only set up deadline when Server.IdleTimeout is positive
• 89f602b http2: validate client/outgoing trailers
• Additional commits viewable in compare view

Updates google.golang.org/grpc from 1.55.0 to 1.56.3

Release notes

Sourced from google.golang.org/grpc's releases.

Release 1.56.3

Security

• server: prohibit more than MaxConcurrentStreams handlers from running at once (CVE-2023-44487)

  In addition to this change, applications should ensure they do not leave running tasks behind related to the RPC before returning from method handlers, or should enforce appropriate limits on any such work.

Release 1.56.2

• status: To fix a panic, status.FromError now returns an error with codes.Unknown when the error implements the GRPCStatus() method, and calling GRPCStatus() returns nil. (#6374)

Release 1.56.1

• client: handle empty address lists correctly in addrConn.updateAddrs

Release 1.56.0

New Features

• client: support channel idleness using WithIdleTimeout dial option (#6263)
  • This feature is currently disabled by default, but will be enabled with a 30 minute default in the future.
• client: when using pickfirst, keep channel state in TRANSIENT_FAILURE until it becomes READY (gRFC A62) (#6306)
• xds: Add support for Custom LB Policies (gRFC A52) (#6224)
• xds: support pick_first Custom LB policy (gRFC A62) (#6314) (#6317)
• client: add support for pickfirst address shuffling (gRFC A62) (#6311)
• xds: Add support for String Matcher Header Matcher in RDS (#6313)
• xds/outlierdetection: Add Channelz Logger to Outlier Detection LB (#6145)
  • Special Thanks: @​s-matyukevich
• xds: enable RLS in xDS by default (#6343)
• orca: add support for application_utilization field and missing range checks on several metrics setters
• balancer/weightedroundrobin: add new LB policy for balancing between backends based on their load reports (gRFC A58) (#6241)
• authz: add conversion of json to RBAC Audit Logging config (#6192)
• authz: add support for stdout logger (#6230 and #6298)
• authz: support customizable audit functionality for authorization policy (#6192 #6230 #6298 #6158 #6304 and #6225)

Bug Fixes

• orca: fix a race at startup of out-of-band metric subscriptions that would cause the report interval to request 0 (#6245)
• xds/xdsresource: Fix Outlier Detection Config Handling and correctly set xDS Defaults (#6361)
• xds/outlierdetection: Fix Outlier Detection Config Handling by setting defaults in ParseConfig() (#6361)

API Changes

• orca: allow a ServerMetricsProvider to be passed to the ORCA service and ServerOption (#6223)

Release 1.55.1

• status: To fix a panic, status.FromError now returns an error with codes.Unknown when the error implements the GRPCStatus() method, and calling GRPCStatus() returns nil. (#6374)

Commits

• 1055b48 Update version.go to 1.56.3 (#6713)
• 5efd7bd server: prohibit more than MaxConcurrentStreams handlers from running at once...
• bd1f038 Upgrade version.go to 1.56.3-dev (#6434)
• faab873 Update version.go to v1.56.2 (#6432)
• 6b0b291 status: fix panic when servers return a wrapped error with status OK (#6374) ...
• ed56401 [PSM interop] Don't fail target if sub-target already failed (#6390) (#6405)
• cd6a794 Update version.go to v1.56.2-dev (#6387)
• 5b67e5e Update version.go to v1.56.1 (#6386)
• d0f5150 client: handle empty address lists correctly in addrConn.updateAddrs (#6354) ...
• 997c1ea Change version to 1.56.1-dev (#6345)
• Additional commits viewable in compare view

Updates google.golang.org/protobuf from 1.30.0 to 1.33.0

Updates github.com/lestrrat-go/jwx from 1.2.26 to 1.2.29

Release notes

Sourced from github.com/lestrrat-go/jwx's releases.

v1.2.29 07 Mar 2024

[Security]

• [jwe] Added jwe.Settings(jwe.WithMaxDecompressBufferSize(int64)) to specify the maximum size of a decompressed JWE payload. The default value is 10MB. If you are compressing payloads greater than this, you need to explicitly set it.

  Unlike in v2, there is no way to set this globally. Please use v2 if this is required.

v1.2.28

v1.2.28 09 Jan 2024
[Security Fixes]
  * [jws] JWS messages formated in full JSON format (i.e. not the compact format, which
    consists of three base64 strings concatenated with a '.') with missing "protected"
    headers could cause a panic, thereby introducing a possiblity of a DoS.
This has been fixed so that the `jws.Parse` function succeeds in parsing a JWS message
lacking a protected header. Calling `jws.Verify` on this same JWS message will result
in a failed verification attempt. Note that this behavior will differ slightly when
parsing JWS messages in compact form, which result in an error.

v1.2.27

v1.2.27 - 03 Dec 2023
[Security]
  * [jwe] A large number in p2c parameter for PBKDF2 based encryptions could cause a DoS attack,
    similar to https://nvd.nist.gov/vuln/detail/CVE-2022-36083.  All users should upgrade, as
    unlike v2, v1 attempts to decrypt JWEs on JWTs by default.
    [GHSA-7f9x-gw85-8grf]
[Bug Fixes]

[jwk] jwk.Set(jwk.KeyOpsKey, <jwk.KeyOperation>) now works (previously, either
Set(.., <string>) or Set(..., []jwk.KeyOperation{...}) worked, but not a single
jwk.KeyOperation

Changelog

Sourced from github.com/lestrrat-go/jwx's changelog.

v1.2.29 07 Mar 2024

• [jwe] Added jwe.Settings(jwe.WithMaxDecompressBufferSize(int64)) to specify the maximum size of a decompressed JWE payload. The default value is 10MB. If you are compressing payloads greater than this, you need to explicitly set it.

  Unlike in v2, there is no way to set this globally. Please use v2 if this is required.

v1.2.28 09 Jan 2024 [Security Fixes]

• [jws] JWS messages formated in full JSON format (i.e. not the compact format, which consists of three base64 strings concatenated with a '.') with missing "protected" headers could cause a panic, thereby introducing a possiblity of a DoS.

  This has been fixed so that the jws.Parse function succeeds in parsing a JWS message lacking a protected header. Calling jws.Verify on this same JWS message will result in a failed verification attempt. Note that this behavior will differ slightly when parsing JWS messages in compact form, which result in an error.

v1.2.27 - 03 Dec 2023 [Security]

• [jwe] A large number in p2c parameter for PBKDF2 based encryptions could cause a DoS attack, similar to https://nvd.nist.gov/vuln/detail/CVE-2022-36083. All users should upgrade, as unlike v2, v1 attempts to decrypt JWEs on JWTs by default. [GHSA-7f9x-gw85-8grf]

[Bug Fixes]

• [jwk] jwk.Set(jwk.KeyOpsKey, ) now works (previously, either Set(.., ) or Set(..., []jwk.KeyOperation{...}) worked, but not a single jwk.KeyOperation

Commits

• 1025f8e Merge pull request #1092 from lestrrat-go/develop/v1
• 4399ace Merge branch 'v1' into develop/v1
• dc80fed Update Changes
• e4c1511 silence linter
• d01027d Merge pull request from GHSA-hj3v-m684-v259
• 3d6e0e0 Bump github.com/stretchr/testify from 1.8.4 to 1.9.0 (#1085)
• 3af5916 Bump golang.org/x/crypto from 0.19.0 to 0.21.0 (#1087)
• 7a05818 Bump golang.org/x/crypto from 0.18.0 to 0.19.0 (#1074)
• 8e2aacd Bump golangci/golangci-lint-action from 3 to 4 (#1076)
• 4b1fd05 Bump kentaro-m/auto-assign-action from 1.2.6 to 2.0.0 (#1068)
• Additional commits viewable in compare view

Updates golang.org/x/crypto from 0.9.0 to 0.21.0

Commits

• 9d2ee97 ssh: implement strict KEX protocol changes
• 4e5a261 ssh: close net.Conn on all NewServerConn errors
• 152cdb1 x509roots/fallback: update bundle
• fdfe1f8 ssh: defer channel window adjustment
• b8ffc16 blake2b: drop Go 1.6, Go 1.8 compatibility
• 7e6fbd8 ssh: wrap errors from client handshake
• bda2f3f argon2: avoid clobbering BP
• 325b735 ssh/test: skip TestSSHCLIAuth on Windows
• 1eadac5 go.mod: update golang.org/x dependencies
• b2d7c26 ssh: add (*Client).DialContext method
• Additional commits viewable in compare view

Updates golang.org/x/net from 0.10.0 to 0.23.0

Commits

• c48da13 http2: fix TestServerContinuationFlood flakes
• 762b58d http2: fix tipos in comment
• ba87210 http2: close connections when receiving too many headers
• ebc8168 all: fix some typos
• 3678185 http2: make TestCanonicalHeaderCacheGrowth faster
• 448c44f http2: remove clientTester
• c7877ac http2: convert the remaining clientTester tests to testClientConn
• d8870b0 http2: use synthetic time in TestIdleConnTimeout
• d73acff http2: only set up deadline when Server.IdleTimeout is positive
• 89f602b http2: validate client/outgoing trailers
• Additional commits viewable in compare view

Updates google.golang.org/grpc from 1.55.0 to 1.56.3

Release notes

Sourced from google.golang.org/grpc's releases.

Release 1.56.3

Security

• server: prohibit more than MaxConcurrentStreams handlers from running at once (CVE-2023-44487)

  In addition to this change, applications should ensure they do not leave running tasks behind related to the RPC before returning from method handlers, or should enforce appropriate limits on any such work.

Release 1.56.2

• status: To fix a panic, status.FromError now returns an error with codes.Unknown when the error implements the GRPCStatus() method, and calling GRPCStatus() returns nil. (#6374)

Release 1.56.1

• client: handle empty address lists correctly in addrConn.updateAddrs

Release 1.56.0

New Features

• client: support channel idleness using WithIdleTimeout dial option (#6263)
  • This feature is currently disabled by default, but will be enabled with a 30 minute default in the future.
• client: when using pickfirst, keep channel state in TRANSIENT_FAILURE until it becomes READY (gRFC A62) (#6306)
• xds: Add support for Custom LB Policies (gRFC A52) (#6224)
• xds: support pick_first Custom LB policy (gRFC A62) (#6314) (#6317)
• client: add support for pickfirst address shuffling (gRFC A62) (#6311)
• xds: Add support for String Matcher Header Matcher in RDS (#6313)
• xds/outlierdetection: Add Channelz Logger to Outlier Detection LB (#6145)
  • Special Thanks: @​s-matyukevich
• xds: enable RLS in xDS by default (#6343)
• orca: add support for application_utilization field and missing range checks on several metrics setters
• balancer/weightedroundrobin: add new LB policy for balancing between backends based on their load reports (gRFC A58) (#6241)
• authz: add conversion of json to RBAC Audit Logging config (#6192)
• authz: add support for stdout logger (#6230 and #6298)
• authz: support customizable audit functionality for authorization policy (#6192 #6230 #6298 #6158 #6304 and #6225)

Bug Fixes

• orca: fix a race at startup of out-of-band metric subscriptions that would cause the report interval to request 0 (#6245)
• xds/xdsresource: Fix Outlier Detection Config Handling and correctly set xDS Defaults (#6361)
• xds/outlierdetection: Fix Outlier Detection Config Handling by setting defaults in ParseConfig() (#6361)

API Changes

• orca: allow a ServerMetricsProvider to be passed to the ORCA service and ServerOption (#6223)

Release 1.55.1

• status: To fix a panic, status.FromError now returns an error with codes.Unknown when the error implements the GRPCStatus() method, and calling GRPCStatus() returns nil. (#6374)

Commits

• 1055b48 Update version.go to 1.56.3 (#6713)
• 5efd7bd server: prohibit more than MaxConcurrentStreams handlers from running at once...
• bd1f038 Upgrade version.go to 1.56.3-dev (#6434)
• faab873 Update version.go to v1.56.2 (#6432)
• 6b0b291 status: fix panic when servers return a wrapped error with status OK (#6374) ...
• ed56401 [PSM interop] Don't fail target if sub-target already failed (#6390) (#6405)
• cd6a794 Update version.go to v1.56.2-dev (#6387)
• 5b67e5e Update version.go to v1.56.1 (#6386)
• d0f5150 client: handle empty address lists correctly in addrConn.updateAddrs (#6354) ...
• 997c1ea Change version to 1.56.1-dev (#6345)
• Additional commits viewable in compare view

Updates google.golang.org/protobuf from 1.30.0 to 1.33.0

Updates github.com/lestrrat-go/jwx from 1.2.26 to 1.2.29

Release notes

Sourced from github.com/lestrrat-go/jwx's releases.

v1.2.29 07 Mar 2024

[Security]

• [jwe] Added jwe.Settings(jwe.WithMaxDecompressBufferSize(int64)) to specify the maximum size of a decompressed JWE payload. The default value is 10MB. If you are compressing payloads greater than this, you need to explicitly set it.

  Unlike in v2, there is no way to set this globally. Please use v2 if this is required.

v1.2.28

v1.2.28 09 Jan 2024
[Security Fixes]
  * [jws] JWS messages formated in full JSON format (i.e. not the compact format, which
    consists of three base64 strings concatenated with a '.') with missing "protected"
    headers could cause a panic, thereby introducing a possiblity of a DoS.
This has been fixed so that the `jws.Parse` function succeeds in parsing a JWS message
lacking a protected header. Calling `jws.Verify` on this same JWS message will result
in a failed verification attempt. Note that this behavior will differ slightly when
parsing JWS messages in compact form, which result in an error.

v1.2.27

v1.2.27 - 03 Dec 2023
[Security]
  * [jwe] A large number in p2c parameter for PBKDF2 based encryptions could cause a DoS attack,
    similar to https://nvd.nist.gov/vuln/detail/CVE-2022-36083.  All users should upgrade, as
    unlike v2, v1 attempts to decrypt JWEs on JWTs by default.
    [GHSA-7f9x-gw85-8grf]
[Bug Fixes]

[jwk] jwk.Set(jwk.KeyOpsKey, <jwk.KeyOperation>) now works (previously, either
Set(.., <string>) or Set(..., []jwk.KeyOperation{...}) worked, but not a single
jwk.KeyOperation

Changelog

Sourced from github.com/lestrrat-go/jwx's changelog.

v1.2.29 07 Mar 2024

• [jwe] Added jwe.Settings(jwe.WithMaxDecompressBufferSize(int64)) to specify the maximum size of a decompressed JWE payload. The default value is 10MB. If you are compressing payloads greater than this, you need to explicitly set it.

  Unlike in v2, there is no way to set this globally. Please use v2 if this is required.

v1.2.28 09 Jan 2024 [Security Fixes]

• [jws] JWS messages formated in full JSON format (i.e. not the compact format, which consists of three base64 strings concatenated with a '.') with missing "protected" headers could cause a panic, thereby introducing a possiblity of a DoS.

  This has been fixed so that the jws.Parse function succeeds in parsing a JWS message lacking a protected header. Calling jws.Verify on this same JWS message will result in a failed verification attempt. Note that this behavior will differ slightly when parsing JWS messages in compact form, which result in an error.

v1.2.27 - 03 Dec 2023 [Security]

• [jwe] A large number in p2c parameter for PBKDF2 based encryptions could cause a DoS attack, similar to https://nvd.nist.gov/vuln/detail/CVE-2022-36083. All users should upgrade, as unlike v2, v1 attempts to decrypt JWEs on JWTs by default. [GHSA-7f9x-gw85-8grf]

[Bug Fixes]

• [jwk] jwk.Set(jwk.KeyOpsKey, ) now works (previously, either Set(.., ) or Set(..., []jwk.KeyOperation{...}) worked, but not a single jwk.KeyOperation

Commits

• 1025f8e Merge pull request #1092 from lestrrat-go/develop/v1
• 4399ace Merge branch 'v1' into develop/v1
• dc80fed Update Changes
• e4c1511 silence linter
• d01027d Merge pull request from GHSA-hj3v-m684-v259
• 3d6e0e0 Bump github.com/stretchr/testify from 1.8.4 to 1.9.0 (#1085)
• 3af5916 Bump golang.org/x/crypto from 0.19.0 to 0.21.0 (#1087)
• 7a05818 Bump golang.org/x/crypto from 0.18.0 to 0.19.0 (#1074)
• 8e2aacd Bump golangci/golangci-lint-action from 3 to 4 (#1076)
• 4b1fd05 Bump kentaro-m/auto-assign-action from 1.2.6 to 2.0.0 (#1068)
• Additional commits viewable in compare view

Updates golang.org/x/crypto from 0.9.0 to 0.21.0

Commits

• 9d2ee97 ssh: implement strict KEX protocol changes
• 4e5a261 ssh: close net.Conn on all NewServerConn errors
• 152cdb1 x509roots/fallback: update bundle
• fdfe1f8 ssh: defer channel window adjustment
• b8ffc16 blake2b: drop Go 1.6, Go 1.8 compatibility
• 7e6fbd8 ssh: wrap errors from client handshake
• bda2f3f argon2: avoid clobbering BP
• 325b735 ssh/test: skip TestSSHCLIAuth on Windows
• 1eadac5 go.mod: update golang.org/x dependencies
• b2d7c26 ssh: add (*Client).DialContext method
• Additional commits viewable in compare view

Updates golang.org/x/net from 0.10.0 to 0.23.0

Commits

• c48da13 http2: fix TestServerContinuationFlood flakes
• 762b58d http2: fix tipos in comment
• ba87210 http2: close connections when receiving too many headers
• ebc8168 all: fix some typos
• 3678185 http2: make TestCanonicalHeaderCacheGrowth faster
• 448c44f http2: remove clientTester
• c7877ac http2: convert the remaining clientTester tests to testClientConn
• d8870b0 http2: use synthetic time in TestIdleConnTimeout
• d73acff http2: only set up deadline when Server.IdleTimeout is positive
• 89f602b http2: validate client/outgoing trailers
• Additional commits viewable in compare view

Updates google.golang.org/grpc from 1.55.0 to 1.56.3

Release notes

Sourced from google.golang.org/grpc's releases.

Release 1.56.3

Security

• server: prohibit more than MaxConcurrentStreams handlers from running at once (CVE-2023-44487)

  In addition to this change, applications should ensure they do not leave running tasks behind related to the RPC before returning from method handlers, or should enforce appropriate limits on any such work.

Release 1.56.2

• status: To fix a panic, status.FromError now returns an error with codes.Unknown when the error implements the GRPCStatus() method, and calling GRPCStatus() returns nil. (#6374)

Release 1.56.1

• client: handle empty address lists correctly in addrConn.updateAddrs

Release 1.56.0

New Features

• client: support channel idleness using WithIdleTimeout dial option (#6263)
  • This feature is currently disabled by default, but will be enabled with a 30 minute default in the future.
• client: when using pickfirst, keep channel state in TRANSIENT_FAILURE until it becomes READY (gRFC A62) (#6306)
• xds: Add support for Custom LB Policies (gRFC A52) (#6224)
• xds: support pick_first Custom LB policy (gRFC A62) (#6314) (#6317)
• client: add support for pickfirst address shuffling (gRFC A62) (#6311)
• xds: Add support for String Matcher Header Matcher in RDS (#6313)
• xds/outlierdetection: Add Channelz Logger to Outlier Detection LB (#6145)
  • Special Thanks: @​s-matyukevich
• xds: enable RLS in xDS by default (#6343)
• orca: add support for application_utilization field and missing range checks on several metrics setters
• balancer/weightedroundrobin: add new LB policy for balancing between backends based on their load reports (gRFC A58) (#6241)
• authz: add conversion of json to RBAC Audit Logging config (#6192)
• authz: add support for stdout logger (#6230 and #6298)
• authz: support customizable audit functionality for authorization policy (#6192 #6230 #6298 #6158 #6304 and #6225)

Bug Fixes

• orca: fix a race at startup of out-of-band metric subscriptions that would cause the report interval to request 0 (#6245)
• xds/xdsresource: Fix Outlier Detection Config Handling and correctly set xDS Defaults (#6361)
• xds/outlierdetection: Fix Outlier Detection Config Handling by setting defaults in ParseConfig() (#6361)

API Changes

• orca: allow a ServerMetricsProvider to be passed to the ORCA service and ServerOption (#6223)

Release 1.55.1

• status: To fix a panic, status.FromError now returns an error with codes.Unknown when the error implements the GRPCStatus() method, and calling GRPCStatus() returns nil. (#6374)

Commits

• 1055b48 Update version.go to 1.56.3 (#6713)
• 5efd7bd server: prohibit more than MaxConcurrentStreams handlers from running at once...
• bd1f038 Upgrade version.go to 1.56.3-dev (#6434)
• faab873 Update version.go to v1.56.2 (#6432)
• 6b0b291 status: fix panic when servers return a wrapped error with status OK (#6374) ...
• ed56401 [PSM interop] Don't fail target if sub-target already failed (#6390) (#6405)
• cd6a794 Update version.go to v1.56.2-dev (#6387)