Update dependencies to address CVE-2024-7254 #240
Conversation
This vulnerability affects the Java bindings. Go and Node bindings are also updated, as are the tooling versions used to build the bindings.

Note that the Node bindings are now built targeting Node 18, since this is the oldest currently supported LTS release.

Signed-off-by: Mark S. Lewis <Mark.S.Lewis@outlook.com>
Compare bd94f9b to a68a6ff
@denyeart I think we should consider a v0.3.x release to include this dependency update and vulnerability fix.

@bestbeforetoday I attempted a v0.3.4 release.

@denyeart I have been hitting the same in Maven publishing steps with the Hyperledger organization signing credentials after they were updated. Reported here. I fixed this in other repositories by adding my own GPG signing key and password as repository-level secrets, overriding the Hyperledger organization secrets. I don't see the same error with the fabric-chaincode-java publishing, which is still using the Hyperledger organization signing credentials. This build does the publishing using Gradle rather than Maven. So we have a couple of cases of publishing using Maven failing using the Hyperledger organization credentials, and one case of it succeeding when the publishing is done with Gradle. But the Maven publishing works with a non-Hyperledger (ed25519) signing key and passphrase.

If somebody can update the build secrets with credentials that the Maven GPG plugin is happy with, you should be able to just re-run the failed publishing build step to recover.
@bestbeforetoday Ry re-ran the Java publish job and it appears successful. I then released v0.2.2, which was successful. However, Maven still hasn't been updated with the new releases; any ideas?
@denyeart Ry refreshed the Hyperledger signing key and password, so the Java signing with Maven is working again. I see both the packages on Maven Central fine: https://central.sonatype.com/artifact/org.hyperledger.fabric/fabric-protos/versions

@bestbeforetoday Ok, good. It looks like the mvnrepository site that I referenced is just a shadow and may not be up to date.