
Update dependencies to mitigate CVE-2023-44487#661

Merged
bestbeforetoday merged 5 commits into hyperledger:main from bestbeforetoday:CVE-2023-44487
Dec 7, 2023

Conversation

@bestbeforetoday (Member) commented Dec 2, 2023

This vulnerability can be exploited in gRPC servers (not clients) so should not directly impact the Fabric Gateway client API. However, updates to gRPC Java dependencies enable compatibility with Netty version 4.1.101.Final, which contains mitigations to this vulnerability and supports client applications that also expose gRPC services.

See:

- https://github.com/grpc/grpc-java/releases/tag/v1.59.1
- grpc/grpc-java#10617

Also:

  • Update dependency-check-maven to avoid use of sunset NVD data-feed.
  • Update Go dependencies.
  • Update Node dev-dependencies.
  • Use GitHub actions/setup-java@v4.
  • Fix deadlock in Java 8 / 11 eventing tests.

Closes #659
Closes #660
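The description's point is that the mitigation arrives through the resolved Netty version, not through fabric-gateway's own code, so the thing worth checking in a downstream build is which `io.netty` artifacts Maven actually resolves. The check below is an added example and not part of this pull request or the project: it parses `mvn dependency:tree` output and lists any `io.netty` artifact older than 4.1.101.Final, the Netty build the description names as carrying the mitigation. The sample tree and the `com.example` coordinates are constructed for the example, and the regex assumes Maven's default tree layout.

```python
"""List io.netty artifacts resolved below the Netty version that the pull
request moves to. Parses `mvn dependency:tree` output; the sample tree is
constructed for this example, not taken from the fabric-gateway build."""
import re
from typing import List, Tuple

# Netty version the PR description names as containing the mitigation.
MITIGATED_NETTY = "4.1.101.Final"

# Constructed sample of `mvn dependency:tree` output (assumed default
# layout; com.example coordinates and 4.1.94.Final are made up here).
SAMPLE_TREE = """\
[INFO] com.example:gateway-app:jar:1.0.0
[INFO] +- io.grpc:grpc-netty:jar:1.59.1:compile
[INFO] |  +- io.netty:netty-codec-http2:jar:4.1.101.Final:compile
[INFO] |  \\- io.netty:netty-handler-proxy:jar:4.1.101.Final:compile
[INFO] \\- com.example:legacy-lib:jar:2.3.0:compile
[INFO]    \\- io.netty:netty-handler:jar:4.1.94.Final:compile
"""

# groupId:artifactId:packaging:version[:scope], after the tree-drawing prefix.
ARTIFACT_RE = re.compile(
    r"^\[INFO\]\s*[|+\\\- ]*"
    r"(?P<group>[^:\s]+):(?P<artifact>[^:\s]+):"
    r"(?P<type>[^:\s]+):(?P<version>[^:\s]+)"
    r"(?::(?P<scope>[^:\s]+))?\s*$"
)


def parse_tree(text: str) -> List[Tuple[str, str, str]]:
    """Return (groupId, artifactId, version) for every artifact line;
    lines without coordinates (build banners etc.) are skipped."""
    found = []
    for line in text.splitlines():
        m = ARTIFACT_RE.match(line)
        if m:
            found.append((m["group"], m["artifact"], m["version"]))
    return found


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric key for Netty-style versions such as 4.1.101.Final. The
    qualifier is ignored, so 4.1.101.Final sorts after 4.1.94.Final."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version: {version}")
    return tuple(int(x) for x in m.groups())


def find_unmitigated(tree_text: str,
                     minimum: str = MITIGATED_NETTY) -> List[Tuple[str, str, str]]:
    """io.netty artifacts resolved at a version older than `minimum`."""
    floor = version_key(minimum)
    return [
        (g, a, v) for g, a, v in parse_tree(tree_text)
        if g == "io.netty" and version_key(v) < floor
    ]


if __name__ == "__main__":
    for g, a, v in find_unmitigated(SAMPLE_TREE):
        print(f"{g}:{a}:{v} is older than {MITIGATED_NETTY}")
```

Two caveats when running this against a real build: `grpc-netty-shaded` embeds its own copy of Netty, which never appears as an `io.netty` coordinate in the tree, so for that artifact the gRPC version itself (1.59.1 per the linked release) is the thing to check; and mixed Netty versions in one tree, as in the constructed sample, are worth flagging even when each one clears the threshold.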

This vulnerability can be exploited in gRPC servers (not clients) so should not directly impact the Fabric Gateway client API. However, updates to gRPC Java dependencies enable compatibility with Netty version 4.1.101.Final, which contains mitigations to this vulnerability and supports client applications that also expose gRPC services.

See:

- https://github.com/grpc/grpc-java/releases/tag/v1.59.1
- grpc/grpc-java#10617

Also update dependency-check-maven to avoid use of sunset NVD data-feed.

Signed-off-by: Mark S. Lewis <Mark.S.Lewis@outlook.com>
@bestbeforetoday force-pushed the CVE-2023-44487 branch 5 times, most recently from a98927b to 41aa93a on December 2, 2023 16:38
@bestbeforetoday marked this pull request as ready for review on December 2, 2023 16:57
@bestbeforetoday requested a review from a team as a code owner on December 2, 2023 16:57
@bestbeforetoday enabled auto-merge (rebase) on December 2, 2023 16:57
@bestbeforetoday force-pushed the CVE-2023-44487 branch 5 times, most recently from 8c1136f to 4fd6604 on December 3, 2023 00:10
Avoid exhausting the ForkJoin.commonPool() in constrained environments, which can cause deadlocks.

Signed-off-by: Mark S. Lewis <Mark.S.Lewis@outlook.com>
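The commit above names the failure mode but not the shape of it. As an added illustration, and not the project's code, the block below reproduces the pattern in Python rather than Java: a task running on a bounded pool blocks on another task queued to the same pool, so in a constrained environment where the pool has a single worker the inner task can never start. The timeout is there only to make the hang observable; the second function shows the fix of giving the inner work its own executor. `ThreadPoolExecutor(max_workers=1)` stands in for `ForkJoin.commonPool()` on a one-CPU host; Java's pool has its own compensation logic, so only the pattern carries over, not the exact mechanics.

```python
"""Pool-exhaustion deadlock and its fix: a Python analogue of blocking on
ForkJoin.commonPool() from inside a commonPool task. Constructed for this
example; not fabric-gateway code."""
from concurrent.futures import Executor, ThreadPoolExecutor
from concurrent.futures import TimeoutError as FutureTimeout


def deliver_event() -> str:
    """Stand-in for the inner work, e.g. handing an event to a listener."""
    return "event delivered"


def wait_on_same_pool(pool: Executor, timeout: float = 0.5) -> str:
    """Outer task submits the inner task to the pool it is itself running
    on and blocks on the result. With one worker the inner task never
    starts; the timeout turns the hang into a visible "deadlock" value."""
    def outer() -> str:
        try:
            return pool.submit(deliver_event).result(timeout=timeout)
        except FutureTimeout:
            return "deadlock"
    return pool.submit(outer).result()


def wait_on_dedicated_pool(pool: Executor, timeout: float = 0.5) -> str:
    """Same shape, but the inner task runs on a dedicated executor, so the
    outer task never competes with it for the constrained pool's worker."""
    def outer() -> str:
        with ThreadPoolExecutor(max_workers=1) as dedicated:
            return dedicated.submit(deliver_event).result(timeout=timeout)
    return pool.submit(outer).result()


def demo() -> tuple:
    """Run both variants on a single-worker pool, the analogue of a
    commonPool in a constrained (one-CPU) environment. The queued inner
    task from the first variant drains once its outer task gives up, so
    the pool shuts down cleanly afterwards."""
    with ThreadPoolExecutor(max_workers=1) as constrained:
        blocked = wait_on_same_pool(constrained)
        fixed = wait_on_dedicated_pool(constrained)
    return blocked, fixed


if __name__ == "__main__":
    print(demo())
```

The same reasoning applies to any shared bounded pool: code that may run on a pool thread should not block on work that needs that pool, or the deadlock only appears on the smallest CI runners, exactly where it is hardest to reproduce.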


Development

Successfully merging this pull request may close these issues:

- Scenario test failures with Java 8 and 11
- Update (or remove) dependency-check-maven