Skip to content

chore(deps): bump github.com/russellhaering/gosaml2 from 0.10.0 to 0.11.0#19491

Merged
rhacs-bot merged 1 commit intomasterfrom
dependabot/go_modules/github.com/russellhaering/gosaml2-0.11.0
Mar 19, 2026
Merged

chore(deps): bump github.com/russellhaering/gosaml2 from 0.10.0 to 0.11.0#19491
rhacs-bot merged 1 commit intomasterfrom
dependabot/go_modules/github.com/russellhaering/gosaml2-0.11.0

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Mar 18, 2026

Bumps github.com/russellhaering/gosaml2 from 0.10.0 to 0.11.0.

Release notes

Sourced from github.com/russellhaering/gosaml2's releases.

v0.11.0

What's Changed

Security

  • Reject unsigned SAML LogoutRequest when signature validation is enabled. Previously, ValidateEncodedLogoutRequestPOST silently accepted unsigned requests even when SkipSignatureValidation was false. (GHSA-pcgw-qcv5-h8ch)
  • Security hardening: CBC bounds check to prevent panics from crafted ciphertext, replaced panic() calls with error returns, and assertion signatures within a signed Response envelope are now verified when present (previously they were skipped entirely, which could allow XML wrapping attacks)

Other

  • Add oss-fuzz integration
  • Bump minimum Go version to 1.25
  • Update dependencies: goxmldsig v1.6.0, etree v1.6.0, testify v1.11.1
  • Bump all GitHub Actions to latest versions

Full Changelog: russellhaering/gosaml2@v0.10.0...v0.11.0

Commits
  • 636e7dd Bump all GitHub Actions to latest versions
  • 1e9cc44 Bump minimum Go version to 1.25 and update dependencies
  • 7159bbe Reject unsigned LogoutRequest when signature validation is enabled
  • 4ddcc82 Security hardening: CBC bounds check, panic removal, assertion signature veri...
  • d57d105 Add oss-fuzz integration
  • e8596e7 Fix tests broken by expired IDP test certificate
  • 5d20d42 Bump github.com/beevik/etree from 1.5.0 to 1.5.1 (#212)
  • 115aa21 Bump github/codeql-action from 3.28.12 to 3.28.17
  • See full diff in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
chore(deps): bump github.com/russellhaering/gosaml2
3404580 
Bumps [github.com/russellhaering/gosaml2](https://github.com/russellhaering/gosaml2) from 0.10.0 to 0.11.0.
- [Release notes](https://github.com/russellhaering/gosaml2/releases)
- [Commits](russellhaering/gosaml2@v0.10.0...v0.11.0)

---
updated-dependencies:
- dependency-name: github.com/russellhaering/gosaml2
  dependency-version: 0.11.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added auto-merge Auto-merge minor and patch version bumps auto-retest PRs with this label will be automatically retested if prow checks fails labels Mar 18, 2026
@dependabot dependabot bot requested a review from a team as a code owner March 18, 2026 20:31
@dependabot dependabot bot added ci-all-qa-tests Tells CI to run all API tests (not just BAT). dependencies Pull requests that update a dependency file auto-merge Auto-merge minor and patch version bumps auto-retest PRs with this label will be automatically retested if prow checks fails labels Mar 18, 2026
@rhacs-bot
Copy link
Contributor

rhacs-bot commented Mar 18, 2026

Images are ready for the commit at 3404580.

To use with deploy scripts, first export MAIN_IMAGE_TAG=4.11.x-375-g3404580463.

@rhacs-bot
Copy link
Contributor

rhacs-bot commented Mar 18, 2026

/retest

@rhacs-bot rhacs-bot enabled auto-merge (squash) March 19, 2026 01:42
@rhacs-bot rhacs-bot merged commit 25273a0 into master Mar 19, 2026
97 checks passed
@rhacs-bot rhacs-bot deleted the dependabot/go_modules/github.com/russellhaering/gosaml2-0.11.0 branch March 19, 2026 01:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rhacs-bot rhacs-bot rhacs-bot approved these changes

Assignees

No one assigned

Labels

auto-merge Auto-merge minor and patch version bumps auto-retest PRs with this label will be automatically retested if prow checks fails ci-all-qa-tests Tells CI to run all API tests (not just BAT). dependencies Pull requests that update a dependency file

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@rhacs-bot