Tags: google/osv.dev
test: update apitester snapshots (#5096) The snapshots have changed, probably due to OSV advisories being changed. Please review the differences to make sure that they're expected!
chore(deps): bump the pip group across 4 directories with 1 update (#5079)

Bumps the pip group with 1 update in the /gcp/api directory: [pyasn1](https://github.com/pyasn1/pyasn1).
Bumps the pip group with 1 update in the /gcp/functions/pypi directory: [pyasn1](https://github.com/pyasn1/pyasn1).
Bumps the pip group with 1 update in the /gcp/workers/oss_fuzz_worker directory: [pyasn1](https://github.com/pyasn1/pyasn1).
Bumps the pip group with 1 update in the /gcp/workers/worker directory: [pyasn1](https://github.com/pyasn1/pyasn1).

Updates `pyasn1` from 0.6.2 to 0.6.3
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a href="https://github.com/pyasn1/pyasn1/releases">pyasn1's releases</a>.</em></p>
<blockquote>
<h2>Release 0.6.3</h2>
<p>It's a minor release.</p>
<ul>
<li>Added nesting depth limit to ASN.1 decoder to prevent stack overflow from deeply nested structures (CVE-2026-30922).</li>
<li>Fixed OverflowError from oversized BER length field.</li>
<li>Fixed DeprecationWarning stacklevel for deprecated attributes.</li>
<li>Fixed asDateTime incorrect fractional seconds parsing.</li>
</ul>
<p>All changes are noted in the <a href="https://github.com/pyasn1/pyasn1/blob/master/CHANGES.rst">CHANGELOG</a>.</p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a href="https://github.com/pyasn1/pyasn1/blob/main/CHANGES.rst">pyasn1's changelog</a>.</em></p>
<blockquote>
<h2>Revision 0.6.3, released 16-03-2026</h2>
<ul>
<li>CVE-2026-30922 (GHSA-jr27-m4p2-rc6r): Added nesting depth limit to ASN.1 decoder to prevent stack overflow from deeply nested structures (thanks for reporting, romanticpragmatism)</li>
<li>Fixed OverflowError from oversized BER length field [issue <a href="https://redirect.github.com/pyasn1/pyasn1/issues/54">#54</a>](<a href="https://redirect.github.com/pyasn1/pyasn1/issues/54">pyasn1/pyasn1#54</a>) [pr <a href="https://redirect.github.com/pyasn1/pyasn1/issues/100">#100</a>](<a href="https://redirect.github.com/pyasn1/pyasn1/pull/100">pyasn1/pyasn1#100</a>)</li>
<li>Fixed DeprecationWarning stacklevel for deprecated attributes [issue <a href="https://redirect.github.com/pyasn1/pyasn1/issues/86">#86</a>](<a href="https://redirect.github.com/pyasn1/pyasn1/issues/86">pyasn1/pyasn1#86</a>) [pr <a href="https://redirect.github.com/pyasn1/pyasn1/issues/101">#101</a>](<a href="https://redirect.github.com/pyasn1/pyasn1/pull/101">pyasn1/pyasn1#101</a>)</li>
<li>Fixed asDateTime incorrect fractional seconds parsing [issue <a href="https://redirect.github.com/pyasn1/pyasn1/issues/81">#81</a>](<a href="https://redirect.github.com/pyasn1/pyasn1/issues/81">pyasn1/pyasn1#81</a>) [pr <a href="https://redirect.github.com/pyasn1/pyasn1/issues/102">#102</a>](<a href="https://redirect.github.com/pyasn1/pyasn1/pull/102">pyasn1/pyasn1#102</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/pyasn1/pyasn1/commit/af65c3b92e9deeae50db4de390982dd970d87f98"><code>af65c3b</code></a> Prepare release 0.6.3</li>
<li><a href="https://github.com/pyasn1/pyasn1/commit/5a49bd1fe93b5b866a1210f6bf0a3924f21572c8"><code>5a49bd1</code></a> Merge commit from fork</li>
<li><a href="https://github.com/pyasn1/pyasn1/commit/5494ba43f738e700ca9f7c7a69ec5c44908c9a9f"><code>5494ba4</code></a> Fix asDateTime incorrect fractional seconds parsing (<a href="https://redirect.github.com/pyasn1/pyasn1/issues/102">#102</a>)</li>
<li><a href="https://github.com/pyasn1/pyasn1/commit/71f486e6c32d0f270868aa1b2bb5ceb7d5fd5476"><code>71f486e</code></a> Fix DeprecationWarning stacklevel for deprecated attributes (<a href="https://redirect.github.com/pyasn1/pyasn1/issues/101">#101</a>)</li>
<li><a href="https://github.com/pyasn1/pyasn1/commit/d7cb42dcaa9a66e18f14c4609c2ed00c5b65f7e8"><code>d7cb42d</code></a> Fix OverflowError from oversized BER length field (<a href="https://redirect.github.com/pyasn1/pyasn1/issues/100">#100</a>)</li>
<li>See full diff in <a href="https://github.com/pyasn1/pyasn1/compare/v0.6.2...v0.6.3">compare view</a></li>
</ul>
</details>
<br />

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions

You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/google/osv.dev/network/alerts).
</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
fix(ksm): double memory limits to prevent OOM (#5056)

This PR increases the memory resources for the `kube-state-metric` container. The container was failing with exit code 137, indicating it was being terminated due to Out-Of-Memory issues. The memory requests and limits for the `kube-state-metric` container in `deployment/clouddeploy/gke-workers/base/ksm_stateful_set.yaml` have been doubled:
- Memory Request: 190Mi -> 380Mi
- Memory Limit: 250Mi -> 500Mi
fix: introduced isn't required (#5040)

This was causing records whose introduced tag doesn't resolve, but whose fixed tag does resolve, to just give unresolved ranges instead of setting introduced to 0.

Example: https://api.osv.dev/v1/vulns/CVE-2024-2002 -> 0.1.0 doesn't resolve a commit because it doesn't exist on the repo for some reason, but 0.9.2 does resolve a commit. Therefore introduced = "" and it doesn't save the 0.9.2 commit that was extracted.
refactor(vulnfeeds): move cvelist2osv into conversion/cve5 subdirectory (#5036) This just keeps things a little more consistent.
fix: reset security context (#4989) This is not really needed, as we can remove most oss-fuzz code, but for safety going to revert this change temporarily before the release.
fix(vulnfeeds): Cache patch (#4876) Sometimes vendor/product combinations in the VPRepoCache are given "successful" repos in its cache that are unrelated to the project. I believe this is to do with how larger projects that are affected by the vuln (like Debian/RH etc.) are also added to the record. With the cache, if a record earlier on resolves a repo but saves it to a Vendor/Product that is unrelated, this might cause a bad cache entry. This unfortunately might slow things down, but it's better than bad misses.
fix: update api tests (#4843) Python tests were manually updated. Cassette tests were updated using `make update-api-snapshots`.
test: update apitester snapshots (#4803) The snapshots have changed, probably due to OSV advisories being changed. Please review the differences to make sure that they're expected!
chore: update Go to v1.25.7 in docs, lint, CI workflow (#4782)

Bumping Go to v1.25.7 because of vuln reported by osv-scanner.

```
+------------------------------+------+-----------+---------+---------+---------------+-------------+
| OSV URL                      | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE      |
+------------------------------+------+-----------+---------+---------+---------------+-------------+
| https://osv.dev/GO-2026-4337 |      | Go        | stdlib  | 1.25.6  | 1.25.7        | docs/go.mod |
+------------------------------+------+-----------+---------+---------+---------------+-------------+
```