
CVEs fixes (especially protobuf-java) #1832

Open

yazgoo opened this issue Mar 6, 2025 · 4 comments

Comments

@yazgoo

yazgoo commented Mar 6, 2025

Hello

I see that 1.0.0 alpha fixes a lot of CVEs (especially CVE-2024-7254).
I have two questions:

  • do you have an idea on when you will be able to release the non-alpha version?
  • do you plan to backport some CVE fixes to 0.11? I'm thinking mainly about CVE-2024-7254 (which could be fixed while remaining on protobuf 3)

I asked this on the mailing list but did not get answers.

Thank you !

@thesamet
Contributor

thesamet commented Mar 6, 2025

Hi @yazgoo, ScalaPB is not affected by CVE-2024-7254 as it has its own code for parsing unknown fields. If you do have Java code that relies on that, you should directly depend on protobuf-java and use an affected version.

Regardless, I'll cut a release in the coming days to bump up dependencies - it's been a while.
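
For readers who need to confirm which protobuf-java their build actually resolves (the version Dependabot flags is whatever ends up on the classpath, whether it came in through scalapb-runtime or through a direct dependency), the sbt fragment below is an added example; it is not part of this thread and not ScalaPB's own build. It assumes the artifact coordinates com.thesamet.scalapb %% scalapb-runtime and com.google.protobuf % protobuf-java, an illustrative 0.11.x ScalaPB version, and 3.25.5 as the 3.x patch release that carries the CVE-2024-7254 fix (check the upstream advisory for the exact versions before copying these numbers).

```scala
// build.sbt (added example; versions are illustrative, verify before use)

// ScalaPB 0.11.x is built against the protobuf-java 3.x line, so the
// override below stays on a 3.x patch release rather than jumping to 4.x,
// which would change the binary API that scalapb-runtime links against.
val scalapbRuntimeVersion = "0.11.17"   // assumed 0.11.x release
val protobufJavaVersion   = "3.25.5"    // assumed 3.x release with the CVE-2024-7254 fix

libraryDependencies ++= Seq(
  // Scala side: generated message classes depend on scalapb-runtime.
  "com.thesamet.scalapb" %% "scalapb-runtime" % scalapbRuntimeVersion,
  // Java side: any Java code that parses unknown fields through protobuf-java's
  // own parser should declare protobuf-java directly instead of relying on the
  // transitive version pulled in by scalapb-runtime.
  "com.google.protobuf" % "protobuf-java" % protobufJavaVersion
)

// Force a single protobuf-java version across the whole graph, so a lower
// transitive version elsewhere (another library, a plugin) cannot win eviction.
dependencyOverrides += "com.google.protobuf" % "protobuf-java" % protobufJavaVersion
```

After changing the build, `sbt evicted` shows which protobuf-java versions were replaced and by what, and `sbt "dependencyTree"` (built into sbt 1.4 and later) shows the path through which the remaining version is pulled in; the version printed there is the one a scanner will report, regardless of what ScalaPB itself parses with.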

@yazgoo
Author

yazgoo commented Mar 7, 2025

Thanks !

@pjfanning
Contributor

@thesamet would you have time to publish a new 1 pre-release or release?

@bannopeter

+1 for an updated release please, CVE-2024-7254 Dependabots coming due 😅


4 participants