
Update dependencies to mitigate CVE-2023-44487 #661

Merged
merged 5 commits into from
Dec 7, 2023

Conversation

bestbeforetoday
Member

@bestbeforetoday bestbeforetoday commented Dec 2, 2023

This vulnerability can be exploited in gRPC servers (not clients), so it should not directly impact the Fabric Gateway client API. However, updates to the gRPC Java dependencies enable compatibility with Netty version 4.1.101.Final, which contains mitigations for this vulnerability and supports client applications that also expose gRPC services.

See:

Also:

  • Update dependency-check-maven to avoid use of sunset NVD data-feed.
  • Update Go dependencies.
  • Update Node dev-dependencies.
  • Use GitHub actions/setup-java@v4.
  • Fix deadlock in Java 8 / 11 eventing tests.

Closes #659
Closes #660

This vulnerability can be exploited in gRPC servers (not clients), so it should not directly impact the Fabric Gateway client API. However, updates to the gRPC Java dependencies enable compatibility with Netty version 4.1.101.Final, which contains mitigations for this vulnerability and supports client applications that also expose gRPC services.

See:

- https://github.com/grpc/grpc-java/releases/tag/v1.59.1
- grpc/grpc-java#10617

Also update dependency-check-maven to avoid use of sunset NVD data-feed.

Signed-off-by: Mark S. Lewis <Mark.S.Lewis@outlook.com>
@bestbeforetoday bestbeforetoday force-pushed the CVE-2023-44487 branch 5 times, most recently from a98927b to 41aa93a December 2, 2023 16:38
@bestbeforetoday bestbeforetoday marked this pull request as ready for review December 2, 2023 16:57
@bestbeforetoday bestbeforetoday requested a review from a team as a code owner December 2, 2023 16:57
@bestbeforetoday bestbeforetoday enabled auto-merge (rebase) December 2, 2023 16:57
@bestbeforetoday bestbeforetoday force-pushed the CVE-2023-44487 branch 5 times, most recently from 8c1136f to 4fd6604 December 3, 2023 00:10
Avoid exhausting the ForkJoin.commonPool() in constrained environments, which can cause deadlocks.

Signed-off-by: Mark S. Lewis <Mark.S.Lewis@outlook.com>
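The starvation pattern that the commit message above refers to, as an added illustration rather than code from the Fabric Gateway project: tasks running on the ForkJoin common pool block (with a plain latch, which the pool does not treat as a managed blocker) waiting for further tasks submitted to the same pool, and once every worker is blocked there is no thread left to run them. The class name, the latch-based task shape and the timeout are assumptions made for this example; the commit gives no detail of the actual test code.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.ForkJoinPool;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;

// Hypothetical demonstration class, not part of the Fabric Gateway code base.
public class CommonPoolStarvation {

    // Submits outerTasks tasks to the pool; each one submits an inner task to the
    // same pool and blocks until that inner task has run. Returns true only if
    // every outer task saw its inner task complete within the timeout.
    static boolean runNested(ExecutorService pool, int outerTasks, long timeoutSeconds)
            throws Exception {
        List<Future<Boolean>> results = new ArrayList<>();
        for (int i = 0; i < outerTasks; i++) {
            results.add(pool.submit(() -> {
                CountDownLatch done = new CountDownLatch(1);
                pool.execute(done::countDown); // needs a free worker to ever run
                // CountDownLatch.await is ordinary blocking, not a ManagedBlocker,
                // so the ForkJoinPool does not add a compensating thread.
                return done.await(timeoutSeconds, TimeUnit.SECONDS);
            }));
        }
        boolean all = true;
        for (Future<Boolean> f : results) {
            all &= f.get();
        }
        return all;
    }

    public static void main(String[] args) throws Exception {
        ForkJoinPool common = ForkJoinPool.commonPool();
        // Parallelism is (CPUs - 1), so a small CI runner gives 1 or 2 workers;
        // filling every worker with a blocked outer task starves the inner ones.
        int workers = common.getParallelism();
        System.out.println("common pool parallelism: " + workers);
        System.out.println("common pool completed:   " + runNested(common, workers, 2));

        // Mitigation: run blocking work on a dedicated executor that can grow.
        ExecutorService dedicated = Executors.newCachedThreadPool();
        try {
            System.out.println("dedicated pool completed: " + runNested(dedicated, workers, 2));
        } finally {
            dedicated.shutdown();
        }
    }
}
```

On the common pool the inner tasks wait behind blocked workers and the latches time out (false), while the cached thread pool starts extra threads and completes (true).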
@bestbeforetoday bestbeforetoday merged commit 6adf0de into hyperledger:main Dec 7, 2023
26 checks passed
@bestbeforetoday bestbeforetoday deleted the CVE-2023-44487 branch December 7, 2023 08:41
Successfully merging this pull request may close these issues.

  • Scenario test failures with Java 8 and 11
  • Update (or remove) dependency-check-maven