Update dependencies to address CVE-2024-7254 #240

Merged (1 commit), Sep 23, 2024

Conversation

bestbeforetoday
Member

This vulnerability affects the Java bindings. Go and Node bindings are also updated, as are the tooling versions used to build the bindings.

Note that the Node bindings are now built targeting Node 18, since this is the oldest currently supported LTS release.

Signed-off-by: Mark S. Lewis <Mark.S.Lewis@outlook.com>
@andrew-coleman andrew-coleman merged commit 8e482ea into hyperledger:main Sep 23, 2024
20 checks passed
@bestbeforetoday bestbeforetoday deleted the CVE-2024-7254 branch September 23, 2024 12:55
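A check a consumer of these bindings would want before and after a dependency update like this one is to confirm that no affected artifact version remains in the resolved dependency graph. The following is an added example, not code from this PR or from the fabric-protos project. It assumes (the page does not state this, but the public advisory does) that CVE-2024-7254 concerns the `com.google.protobuf:protobuf-java` artifact, and the minimum fixed versions per release line in `FIXED_VERSIONS` are taken from that advisory as of this writing and should be confirmed against it. The `mvn dependency:tree` output it parses is constructed inline, and the coordinates and versions in it (other than the protobuf-java one) are made up for illustration. The version-line logic is general: a version is considered fixed if it is at or above the patch release for its own major.minor line, or above the newest fixed release of its major line.

```python
"""Audit `mvn dependency:tree` output for artifact versions below the fixed release.

Added example; not from the fabric-protos repository.
"""
import re
from typing import Dict, Iterable, List, Tuple

# Assumption (not on the PR page): CVE-2024-7254 affects com.google.protobuf:protobuf-java.
# Minimum fixed versions per release line, per the advisory at time of writing. Verify before use.
FIXED_VERSIONS: Dict[str, List[str]] = {
    "com.google.protobuf:protobuf-java": ["3.25.5", "4.27.5", "4.28.2"],
}

# Matches "groupId:artifactId:type:version" in lines such as
# "[INFO] +- com.google.protobuf:protobuf-java:jar:3.25.3:compile"
DEP_RE = re.compile(r"([A-Za-z0-9_.\-]+):([A-Za-z0-9_.\-]+):[a-z]+:([0-9][^:\s]*)")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '3.25.3' into (3, 25, 3); qualifiers after '-' or '+' are ignored."""
    core = re.split(r"[-+]", version)[0]
    return tuple(int(part) if part.isdigit() else 0 for part in core.split("."))


def is_fixed(version: str, fixed_versions: Iterable[str]) -> bool:
    """True if `version` is at or above the fix for its release line.

    Rules: a version on a patched major.minor line must be >= that line's fix;
    anything above the newest fix of its major line is also fixed; a major line
    with no listed fix is reported as not fixed so it gets reviewed.
    """
    v = parse_version(version)
    fixed = [parse_version(f) for f in fixed_versions]
    same_major = [f for f in fixed if f[0] == v[0]]
    if not same_major:
        return False
    if v >= max(same_major):
        return True
    return any(f[:2] == v[:2] and v >= f for f in same_major)


def audit(tree_output: str, fixed_versions: Dict[str, List[str]] = FIXED_VERSIONS) -> List[Tuple[str, str]]:
    """Return (coordinates, version) pairs from the tree that are below the fixed release."""
    findings: List[Tuple[str, str]] = []
    for line in tree_output.splitlines():
        match = DEP_RE.search(line)
        if not match:
            continue
        coords = f"{match.group(1)}:{match.group(2)}"
        version = match.group(3)
        if coords in fixed_versions and not is_fixed(version, fixed_versions[coords]):
            findings.append((coords, version))
    return findings


# Constructed sample output; the non-protobuf coordinates and all versions here are illustrative.
SAMPLE_TREE = """\
[INFO] org.hyperledger.fabric:fabric-protos:jar:0.0.0-constructed
[INFO] +- com.google.protobuf:protobuf-java:jar:3.25.3:compile
[INFO] +- com.google.protobuf:protobuf-java-util:jar:3.25.3:compile
[INFO] |  \\- com.google.code.gson:gson:jar:2.10.1:compile
[INFO] \\- io.grpc:grpc-protobuf:jar:1.60.0:compile
"""

if __name__ == "__main__":
    for coords, version in audit(SAMPLE_TREE):
        print(f"NOT FIXED: {coords} {version}")
```

Run it against real output with `mvn dependency:tree | python audit.py` adapted to read stdin; the same table can be extended with other advisories by adding coordinates and their fixed lines.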
@bestbeforetoday
Member Author

@denyeart I think we should consider a v0.3.x release to include this dependency update and vulnerability fix.

@denyeart
Contributor

@bestbeforetoday I attempted a v0.3.4 release.
The Go and Node bindings published.
The Java publish action hit an error. Any ideas?

@bestbeforetoday
Member Author

@denyeart I have been hitting the same in Maven publishing steps with the Hyperledger organization signing credentials after they were updated. Reported here. I fixed this in other repositories by adding my own GPG signing key and password as repository level secrets, overriding the Hyperledger organization secrets.

I don't see the same error with the fabric-chaincode-java publishing, which is still using the Hyperledger organization signing credentials. This build does the publishing using Gradle rather than Maven.

So we have a couple of cases of publishing using Maven failing using the Hyperledger organization credentials, and one case of it succeeding when the publishing is done with Gradle. But the Maven publishing works with non-Hyperledger (ed25519) signing key and passphrase.

@bestbeforetoday
Member Author

If somebody can update the build secrets with credentials that the Maven GPG plugin is happy with, you should be able to just re-run the failed publishing build step to recover.

@denyeart
Contributor

@bestbeforetoday Ry re-ran the Java publish job and it appears successful. I then released v0.2.2, which was successful. However, Maven still hasn't been updated with the new releases. Any ideas?
https://mvnrepository.com/artifact/org.hyperledger.fabric/fabric-protos

@bestbeforetoday
Member Author

bestbeforetoday commented Sep 25, 2024

@denyeart Ry refreshed the Hyperledger signing key and password, so the Java signing with Maven is working again. I see both packages on Maven Central fine:

https://central.sonatype.com/artifact/org.hyperledger.fabric/fabric-protos/versions

@denyeart
Contributor

@bestbeforetoday Ok good. It looks like the mvnrepository site that I referenced is just a shadow and may not be up to date.
