From 2f5b0b4f3aacf79c8aaf11856572ad4d17153471 Mon Sep 17 00:00:00 2001
From: Vault Automation
Date: Thu, 7 May 2026 15:26:46 -0600
Subject: [PATCH 1/3] go: resolve GHSA-wf45-q9ch-q8gh by upgrading github.com/apache/thrift (#14581) (#14628)

* go: resolve GHSA-wf45-q9ch-q8gh by upgrading github.com/apache/thrift

`github.com/apache/thrift` is required for the snowflake plugin. I've updated that upstream[0] so this change is only necessary to get past the scanner until a new version of the snowflake plugin is released and we've updated our pin.

Using v0.23.0 was actually not possible since there's an overflow on 32 bit architectures. Instead, we use the first commit since the release that fixes that issue.[1]

[0]:https://github.com/hashicorp/vault-plugin-database-snowflake/pull/181
[1]:https://github.com/apache/thrift/pull/3428

Signed-off-by: Ryan Cragun
Co-authored-by: Ryan Cragun
---
 changelog/_14581.txt | 3 +++
 go.mod | 4 +++-
 go.sum | 4 ++--
 3 files changed, 8 insertions(+), 3 deletions(-)
 create mode 100644 changelog/_14581.txt

diff --git a/changelog/_14581.txt b/changelog/_14581.txt
new file mode 100644
index 0000000000..f0a5c600ed
--- /dev/null
+++ b/changelog/_14581.txt
@@ -0,0 +1,3 @@
+```release-note:security
+core: Update github.com/apache/thrift to fix security vulnerability GHSA-wf45-q9ch-q8gh
+```
diff --git a/go.mod b/go.mod
index 7d9b5c401b..ab165fccaf 100644
--- a/go.mod
+++ b/go.mod
@@ -245,7 +245,9 @@ require (
 require (
 	github.com/andybalholm/brotli v1.2.0 // indirect
-	github.com/apache/thrift v0.22.0 // indirect
+	// We're currently pulling v0.23.0 + a 32 bit fix: https://github.com/apache/thrift/commit/d2acd3c49e5832cb0179f72b111c4ad5bd89c4c5
+	// until a new version is release.
+	github.com/apache/thrift v0.23.1-0.20260429145742-d2acd3c49e58 // indirect
 	github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
 	github.com/aws/aws-sdk-go-v2/service/signin v1.0.9 // indirect
 	github.com/containerd/errdefs v1.0.0 // indirect
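Review bot: The comment added above the thrift requirement in go.mod reads `// until a new version is release.` — it should be `released`. The commit message describes this pseudo-version pin as a stopgap until the snowflake plugin's own requirement moves, and the comment is the right place to record that so the pin is not left behind indefinitely, e.g. `// TODO: drop this pin once vault-plugin-database-snowflake (PR #181) ships with the updated thrift requirement.` The requirement stays `// indirect`, which is correct here since nothing in this module imports thrift directly; the pin works only because the main module's requirement is the highest in the graph, so it is worth noting in the comment that it must not be lowered below the upstream fix commit.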
diff --git a/go.sum b/go.sum
index 5e1125eb6d..678154846d 100644
--- a/go.sum
+++ b/go.sum
@@ -184,8 +184,8 @@ github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFI
 github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be/go.mod h1:ySMOLuWl6zY27l47sB3qLNK6tF2fkHG55UZxx8oIVo4=
 github.com/apache/arrow-go/v18 v18.4.0 h1:/RvkGqH517iY8bZKc4FD5/kkdwXJGjxf28JIXbJ/oB0=
 github.com/apache/arrow-go/v18 v18.4.0/go.mod h1:Aawvwhj8x2jURIzD9Moy72cF0FyJXOpkYpdmGRHcw14=
-github.com/apache/thrift v0.22.0 h1:r7mTJdj51TMDe6RtcmNdQxgn9XcyfGDOzegMDRg47uc=
-github.com/apache/thrift v0.22.0/go.mod h1:1e7J/O1Ae6ZQMTYdy9xa3w9k+XHWPfRvdPyJeynQ+/g=
+github.com/apache/thrift v0.23.1-0.20260429145742-d2acd3c49e58 h1:rDLE+tSW60VzRD7v5I+DU22Mjhmm+mfLc5Xl5dHkx6w=
+github.com/apache/thrift v0.23.1-0.20260429145742-d2acd3c49e58/go.mod h1:zPt6WxgvTOM6hF92y8C+MkEM5LMxZuk4JcQOiU4Esvs=
 github.com/apparentlymart/go-textseg/v15 v15.0.0 h1:uYvfpb3DyLSCGWnctWKGj857c6ew1u1fNQOlOtuGxQY=
 github.com/apparentlymart/go-textseg/v15 v15.0.0/go.mod h1:K8XmNZdhEBkdlyDdvbmmsvpAG721bKi0joRfFdHIWJ4=
 github.com/apple/foundationdb/bindings/go v0.0.0-20190411004307-cd5c9d91fad2 h1:VoHKYIXEQU5LWoambPBOvYxyLqZYHuj+rj5DVnMUc3k=

From 23eec51fc1e71d414ee407489b2f759de808b88c Mon Sep 17 00:00:00 2001
From: Vault Automation
Date: Thu, 7 May 2026 15:41:18 -0600
Subject: [PATCH 2/3] move helper function to backend_test so as not to be ENT or CE specific (#14619) (#14635)

Co-authored-by: Scott Miller
---
 builtin/logical/pki/backend_test.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/builtin/logical/pki/backend_test.go b/builtin/logical/pki/backend_test.go
index 9a89eb02c9..6b4833c306 100644
--- a/builtin/logical/pki/backend_test.go
+++ b/builtin/logical/pki/backend_test.go
@@ -8321,3 +8321,7 @@ func TestBackend_IDNWithWildcards_AltNames(t *testing.T) {
 		})
 	}
 }
+
+func stringSliceContainsAny(sl []string, substr string) bool {
+	return slices.ContainsFunc(sl, func(s string) bool { return strings.Contains(s, substr) })
+}

From d3f132c121dc532e3a3e585e7d2ab8fb3853c1d2 Mon Sep 17 00:00:00 2001
From: Vault Automation
Date: Thu, 7 May 2026 15:59:31 -0600
Subject: [PATCH 3/3] [VAULT-44808] override the workflow token when downloading nfpm

We've been seeing Github throw 500s a lot today when downloading nfpm. My assumption is that this is due to throttling while Github works to resolve their platform reliability. Instead of relying on the default workflow token which has a lower priority than users, use the service user token when calling the action that downloads nfpm to package Vault.

Signed-off-by: Ryan Cragun
Co-authored-by: Ryan Cragun
---
 .github/actions/build-vault/action.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/actions/build-vault/action.yml b/.github/actions/build-vault/action.yml
index 215ad37415..4925939674 100644
--- a/.github/actions/build-vault/action.yml
+++ b/.github/actions/build-vault/action.yml
@@ -224,6 +224,10 @@ runs:
         path: out/${{ steps.metadata.outputs.artifact-basename }}.zip
         if-no-files-found: error
     - if: inputs.create-packages == 'true'
+      env:
+        # Use our elevated token instead of the workflow token so that our
+        # download of nfpm is less likely to fail.
+        GH_TOKEN: ${{ inputs.github-token }}
       uses: hashicorp/actions-packaging-linux@33f7d23b14f24e6a7b7d9948cb7f5caca2045ee3
       with:
         name: ${{ inputs.package-name }}
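Review bot: `stringSliceContainsAny` is added to backend_test.go without a doc comment, and its name does not say which side is the substring; suggest `// stringSliceContainsAny reports whether any element of sl contains substr as a substring.` It inherits `strings.Contains` semantics, so an empty `substr` matches any non-empty slice — fine for a test helper, but worth one more sentence in the comment since callers may pass a computed value. The hunk does not show the file's import block, so `slices` and `strings` must already be imported in backend_test.go for this to compile; the commit moves the helper rather than adding imports, which presumably held in the ENT/CE-specific file it came from, but it is not verifiable from the hunk.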
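Review bot: Setting `GH_TOKEN` in the `env:` of the packaging step exposes the elevated service-user token to everything that runs inside `hashicorp/actions-packaging-linux` (pinned by commit SHA, which is good), not only to the nfpm download; confirm that `inputs.github-token` carries the minimum scope the download needs (read access to the public nfpm releases) rather than a broadly privileged credential, since any step of that action can read the variable. The composite action's `inputs:` block is outside the hunk, so check that `github-token` is a declared input; if some callers leave it empty, an empty `GH_TOKEN` is exported rather than unset, which may not fall back the way the default token does — `GH_TOKEN: ${{ inputs.github-token || github.token }}` keeps that fallback explicit. The comment would also benefit from naming the token's origin and intended scope, e.g. `# Service-user token (read-only) passed in as github-token; overrides the lower-priority workflow token for the nfpm download.`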