From 2f5b0b4f3aacf79c8aaf11856572ad4d17153471 Mon Sep 17 00:00:00 2001
From: Vault Automation
Date: Thu, 7 May 2026 15:26:46 -0600
Subject: [PATCH] go: resolve GHSA-wf45-q9ch-q8gh by upgrading github.com/apache/thrift (#14581) (#14628)

* go: resolve GHSA-wf45-q9ch-q8gh by upgrading github.com/apache/thrift `github.com/apache/thrift` is required for the snowflake plugin. I've updated that upstream[0] so this change is only necessary to get past the scanner until a new version of the snowflake plugin is released and we've updated our pin. Using v0.23.0 was actually not possible since there's an overflow on 32 bit architectures. Instead, we use the first commit since the release that fixes that issue.[1] [0]:https://github.com/hashicorp/vault-plugin-database-snowflake/pull/181 [1]:https://github.com/apache/thrift/pull/3428

Signed-off-by: Ryan Cragun
Co-authored-by: Ryan Cragun
---
 changelog/_14581.txt | 3 +++
 go.mod | 4 +++-
 go.sum | 4 ++--
 3 files changed, 8 insertions(+), 3 deletions(-)
 create mode 100644 changelog/_14581.txt

diff --git a/changelog/_14581.txt b/changelog/_14581.txt
new file mode 100644
index 0000000000..f0a5c600ed
--- /dev/null
+++ b/changelog/_14581.txt
@@ -0,0 +1,3 @@
+```release-note:security
+core: Update github.com/apache/thrift to fix security vulnerability GHSA-wf45-q9ch-q8gh
+```
diff --git a/go.mod b/go.mod
index 7d9b5c401b..ab165fccaf 100644
--- a/go.mod
+++ b/go.mod
@@ -245,7 +245,9 @@ require (
 require (
 github.com/andybalholm/brotli v1.2.0 // indirect
-github.com/apache/thrift v0.22.0 // indirect
+// We're currently pulling v0.23.0 + a 32 bit fix: https://github.com/apache/thrift/commit/d2acd3c49e5832cb0179f72b111c4ad5bd89c4c5
+// until a new version is release.
+github.com/apache/thrift v0.23.1-0.20260429145742-d2acd3c49e58 // indirect
 github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
 github.com/aws/aws-sdk-go-v2/service/signin v1.0.9 // indirect
 github.com/containerd/errdefs v1.0.0 // indirect
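Review bot: The new comment above the thrift requirement in the go.mod hunk has a typo and does not say when the temporary pin can go away: `// until a new version is release.` should read `// until a new version is released.`, and since the commit description says the pseudo-version is only needed until the snowflake plugin updates its own pin, record that exit condition next to it, e.g. `// TODO: drop this pseudo-version once vault-plugin-database-snowflake ships with thrift >= v0.23.0 and our plugin pin is updated.` A pseudo-version of an unreleased commit is harder for vulnerability scanners to match against an advisory's fixed range than a tagged release, so confirm that the scanner which flagged GHSA-wf45-q9ch-q8gh actually reports v0.23.1-0.20260429145742-d2acd3c49e58 as fixed before treating this as the remediation. The comment's commit hash d2acd3c49e5832cb0179f72b111c4ad5bd89c4c5 does match the pseudo-version suffix, which is good; keep both in sync if the pin is bumped again.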
diff --git a/go.sum b/go.sum
index 5e1125eb6d..678154846d 100644
--- a/go.sum
+++ b/go.sum
@@ -184,8 +184,8 @@ github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFI
 github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be/go.mod h1:ySMOLuWl6zY27l47sB3qLNK6tF2fkHG55UZxx8oIVo4=
 github.com/apache/arrow-go/v18 v18.4.0 h1:/RvkGqH517iY8bZKc4FD5/kkdwXJGjxf28JIXbJ/oB0=
 github.com/apache/arrow-go/v18 v18.4.0/go.mod h1:Aawvwhj8x2jURIzD9Moy72cF0FyJXOpkYpdmGRHcw14=
-github.com/apache/thrift v0.22.0 h1:r7mTJdj51TMDe6RtcmNdQxgn9XcyfGDOzegMDRg47uc=
-github.com/apache/thrift v0.22.0/go.mod h1:1e7J/O1Ae6ZQMTYdy9xa3w9k+XHWPfRvdPyJeynQ+/g=
+github.com/apache/thrift v0.23.1-0.20260429145742-d2acd3c49e58 h1:rDLE+tSW60VzRD7v5I+DU22Mjhmm+mfLc5Xl5dHkx6w=
+github.com/apache/thrift v0.23.1-0.20260429145742-d2acd3c49e58/go.mod h1:zPt6WxgvTOM6hF92y8C+MkEM5LMxZuk4JcQOiU4Esvs=
 github.com/apparentlymart/go-textseg/v15 v15.0.0 h1:uYvfpb3DyLSCGWnctWKGj857c6ew1u1fNQOlOtuGxQY=
 github.com/apparentlymart/go-textseg/v15 v15.0.0/go.mod h1:K8XmNZdhEBkdlyDdvbmmsvpAG721bKi0joRfFdHIWJ4=
 github.com/apple/foundationdb/bindings/go v0.0.0-20190411004307-cd5c9d91fad2 h1:VoHKYIXEQU5LWoambPBOvYxyLqZYHuj+rj5DVnMUc3k=