security vulnerabilities in two dependencies #1616

Closed
jpollard-cs opened this issue Feb 1, 2022 · 0 comments · Fixed by #1618
jpollard-cs commented Feb 1, 2022

security vulnerabilities in two dependencies

two dependencies contain security vulnerabilities

Issue description

I found the following vulnerabilities on running a Snyk scan:

  ✗ Use After Free [High Severity][https://snyk.io/vuln/SNYK-JAVA-COMGITHUBJNR-1570422] in com.github.jnr:jnr-posix@3.0.47
    introduced by org.web3j:core@4.8.7 > com.github.jnr:jnr-unixsocket@0.21 > com.github.jnr:jnr-posix@3.0.47
  This issue was fixed in versions: 3.1.8
  ✗ Improper Validation of Certificate with Host Mismatch [High Severity][https://snyk.io/vuln/SNYK-JAVA-ORGJAVAWEBSOCKET-568685] in org.java-websocket:Java-WebSocket@1.3.8
    introduced by org.web3j:core@4.8.7 > org.java-websocket:Java-WebSocket@1.3.8
  This issue was fixed in versions: 1.5.0

In summary

  • com.github.jnr:jnr-unixsocket@0.21 has a vulnerability via com.github.jnr:jnr-posix@3.0.47 and it appears the latest version has been upgraded to jnr-posix 3.1.15
  • org.java-websocket:Java-WebSocket@1.3.8 has a vulnerability that was fixed in version 1.5.0

Upgrading these packages should solve these issues.

Issue context

N/A
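A parser for the Snyk scan output quoted above, plus the Gradle dependency constraints a consumer of web3j 4.8.7 could add to pin each vulnerable transitive artifact to its first fixed version until the bump lands upstream. This is an added example, not code from the issue or the web3j project; the Snyk text is reconstructed from the findings above, and the `constraints { implementation(...) { because ... } }` form is the standard Gradle DSL.

```python
import re
from dataclasses import dataclass, field

# Snyk CLI text output, reconstructed from the two findings quoted in the issue.
SNYK_OUTPUT = """\
  ✗ Use After Free [High Severity][https://snyk.io/vuln/SNYK-JAVA-COMGITHUBJNR-1570422] in com.github.jnr:jnr-posix@3.0.47
    introduced by org.web3j:core@4.8.7 > com.github.jnr:jnr-unixsocket@0.21 > com.github.jnr:jnr-posix@3.0.47
  This issue was fixed in versions: 3.1.8
  ✗ Improper Validation of Certificate with Host Mismatch [High Severity][https://snyk.io/vuln/SNYK-JAVA-ORGJAVAWEBSOCKET-568685] in org.java-websocket:Java-WebSocket@1.3.8
    introduced by org.web3j:core@4.8.7 > org.java-websocket:Java-WebSocket@1.3.8
  This issue was fixed in versions: 1.5.0
"""
# Finding header: "<title> [<severity> Severity][<advisory url>] in <group:artifact>@<version>"
HEADER = re.compile(
    r"(?P<title>[A-Za-z][^\[]*?) \[(?P<severity>\w+) Severity\]\[(?P<advisory>[^\]]+)\]"
    r" in (?P<pkg>[^@\s]+)@(?P<ver>\S+)"
)

@dataclass
class Finding:
    title: str
    severity: str
    advisory: str
    package: str
    version: str
    path: list = field(default_factory=list)      # dependency chain from the root artifact
    fixed_in: list = field(default_factory=list)  # versions Snyk reports as fixed

    def is_transitive(self) -> bool:
        return len(self.path) > 1  # a direct dependency's path is just the package itself

def parse_snyk_text(text: str) -> list:
    """Turn the three-line-per-finding Snyk text into Finding records."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.search(line)
        if m:
            findings.append(Finding(m["title"], m["severity"], m["advisory"], m["pkg"], m["ver"]))
        elif line.startswith("introduced by ") and findings:
            findings[-1].path = [p.strip() for p in line[len("introduced by "):].split(">")]
        elif line.startswith("This issue was fixed in versions:") and findings:
            findings[-1].fixed_in = [v.strip() for v in line.split(":", 1)[1].split(",")]
    return findings

def gradle_constraints(findings: list) -> list:
    """Gradle 'dependencies { constraints { ... } }' lines pinning each artifact to its first fixed
    version; constraints also bind transitive artifacts, so this holds until web3j ships the bump."""
    return [f"implementation('{f.package}:{f.fixed_in[0]}') {{ because '{f.advisory}' }}"
            for f in findings if f.fixed_in]
```

After adding the constraints, `./gradlew dependencyInsight --dependency jnr-posix --configuration runtimeClasspath` confirms which version actually resolves on the classpath.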

@jpollard-cs jpollard-cs added the needs-review issue/PR needs review from maintainer label Feb 1, 2022
@jpollard-cs jpollard-cs changed the title security vulnerabilities in three dependencies security vulnerabilities in two dependencies Feb 1, 2022
@andrii-kl andrii-kl self-assigned this Feb 3, 2022
diega added a commit to diega/besu that referenced this issue Apr 22, 2022
I'm not upgrading to 4.9.1 because at the time of this commit, there is no 4.9.1 version of the Gradle plugin and I would prefer to keep both of them in sync. 4.9.0 is good enough because it upgrades the `jnr-unixsocket` dependency which carries the upgraded version of `jnr-posix` [fixing the CVE](hyperledger-web3j/web3j#1616) for which it was excluded previously from Besu

Signed-off-by: Diego López León <dieguitoll@gmail.com>
diega added a commit to diega/besu that referenced this issue Apr 22, 2022
diega added a commit to diega/besu that referenced this issue May 11, 2022
diega added a commit to diega/besu that referenced this issue May 11, 2022
antonydenyer pushed a commit to diega/besu that referenced this issue Jul 12, 2022
antonydenyer pushed a commit to diega/besu that referenced this issue Jul 12, 2022
diega added a commit to diega/besu that referenced this issue Jul 12, 2022