
Google protobuf vulnerability #4584

Closed
gregallen opened this issue Sep 20, 2024 · 3 comments

Comments

@gregallen

Please could you upgrade to 3.25.5?

CVE-2024-7254

@caesaryuan

Support of 3.25.x will end on 31 Mar 2026; it would be great to upgrade to 4.x soon.

copybara-service bot pushed a commit that referenced this issue Sep 21, 2024
#4584

PiperOrigin-RevId: 677290089
copybara-service bot pushed a commit that referenced this issue Sep 23, 2024
#4584

PiperOrigin-RevId: 677290089
copybara-service bot pushed a commit that referenced this issue Sep 23, 2024
#4584

PiperOrigin-RevId: 677823370
@cushon
Collaborator

cushon commented Oct 1, 2024

@cushon cushon closed this as completed Oct 1, 2024
lepistone added a commit to lepistone/error-prone that referenced this issue Oct 23, 2024
Protobuf-java was upgraded to 4.28.2 to address google#4584.

The vulnerability
[CVE-2024-7254](GHSA-735f-pc8j-v9w8) is
fixed in protobuf-java 3.25.5, as initially suggested in google#4584.

Protobuf-java saw major breaking changes in 4.26, partially mitigated in
the 27 series. Because it takes time to adapt to these breaking changes,
it is better I think to only address the vulnerability and not jump into
the breaking releases yet.

Specifically, the problem is that now everyone that uses error-prone is
forced to jump to the breaking Protobuf releases today.

This includes all users of the chain of Google BOMs (libraries-bom,
first-party-dependencies, google-cloud-bom and
gapic-generator-java-bom). Those still reference 3.25.5 [1].

This PR fixes the issue. I think error-prone should then be released and
included in gapic-generator-java-pom-parent.

Thank you!

[1] https://github.com/googleapis/sdk-platform-java/blob/main/gapic-generator-java-pom-parent/pom.xml#L34
@cushon
Collaborator

cushon commented Oct 25, 2024

I have also provided a 2.35.1 release that uses protobuf 3.25.5, for anyone who needs a fix for CVE-2024-7254 but can't update to protobuf 4.x.

Future releases of Error Prone will switch back to protobuf 4.x.

https://github.com/google/error-prone/releases/tag/v2.35.1
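The practical question raised in this thread is whether a build still resolves a protobuf-java version below the fix for CVE-2024-7254, typically arriving transitively through error-prone. The following is an added example (not code from error-prone or protobuf) that scans `mvn dependency:list` output for protobuf-java artifacts and flags versions below the floors named here: 3.25.5 on the 3.x line and 4.28.2 on the 4.x line. It assumes, conservatively, that any 4.x release below 4.28.2 should be flagged for review; the sample output is constructed.

```python
import re

# Minimum protobuf-java versions named in this thread as carrying the fix
# for CVE-2024-7254: 3.25.5 on the 3.x line and 4.28.2 on the 4.x line.
# Assumption (not stated on the page): any 4.x release below 4.28.2 is
# treated as unverified and flagged, which errs on the side of caution.
FIXED_FLOORS = {3: (3, 25, 5), 4: (4, 28, 2)}

# Matches the artifact lines printed by `mvn dependency:list`, e.g.
# "[INFO]    com.google.protobuf:protobuf-java:jar:3.25.4:compile"
DEP_LINE = re.compile(
    r"com\.google\.protobuf:protobuf-java:jar:(?P<version>[0-9][0-9A-Za-z.\-]*):(?P<scope>\w+)"
)

def parse_version(text: str) -> tuple:
    """Turn '3.25.5' or '4.28.2-SNAPSHOT' into a comparable tuple of ints."""
    numeric = text.split("-")[0]
    return tuple(int(part) for part in numeric.split("."))

def is_fixed(version: str) -> bool:
    """True when the version is at or above the fix floor for its major line."""
    parsed = parse_version(version)
    floor = FIXED_FLOORS.get(parsed[0])
    if floor is None:
        return False  # unknown major line (e.g. 2.x): flag for review
    return parsed >= floor

def audit_dependency_list(output: str) -> list:
    """Return (version, scope, fixed?) for every protobuf-java artifact found."""
    findings = []
    for line in output.splitlines():
        m = DEP_LINE.search(line)
        if m:
            findings.append((m["version"], m["scope"], is_fixed(m["version"])))
    return findings

# Constructed sample output, shaped like a build that pulls protobuf-java
# transitively through error-prone; not taken from any real project.
SAMPLE_OUTPUT = """\
[INFO] The following files have been resolved:
[INFO]    com.google.errorprone:error_prone_core:jar:2.35.1:provided
[INFO]    com.google.protobuf:protobuf-java:jar:3.25.4:compile
[INFO]    com.google.protobuf:protobuf-java-util:jar:4.28.2:test
"""

if __name__ == "__main__":
    for version, scope, fixed in audit_dependency_list(SAMPLE_OUTPUT):
        status = "ok" if fixed else "UPGRADE NEEDED (CVE-2024-7254)"
        print(f"protobuf-java {version} ({scope}): {status}")
```

Run it against real output with `mvn dependency:list | python audit.py` after replacing `SAMPLE_OUTPUT` with `sys.stdin.read()`; note that `protobuf-java-util` is deliberately not matched, since only the `protobuf-java` artifact is the subject of this thread.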
