Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(cactus-core-api): address CVE-2021-38192 - GHSA-x4qm-mcjq-v2gf #2612

Closed
petermetz opened this issue Aug 13, 2023 · 1 comment · Fixed by #2613
Closed

fix(cactus-core-api): address CVE-2021-38192 - GHSA-x4qm-mcjq-v2gf #2612

petermetz opened this issue Aug 13, 2023 · 1 comment · Fixed by #2613
Assignees
@petermetz
Labels
bug Something isn't working Core_API Changes related to the Core API Package dependencies Pull requests that update a dependency file P1 Priority 1: Highest rust Pull requests that update Rust code Security Related to existing or potential security vulnerabilities Weaver Tasks related to the future of Cactus & Weaver together.
Milestone
v2.0.0-alpha.2

Comments

@petermetz
Copy link
Contributor

Address & fix this: https://github.com/hyperledger/cacti/security/dependabot/137

CVE ID: CVE-2021-38192
GHSA ID: GHSA-x4qm-mcjq-v2gf
@petermetz petermetz added bug Something isn't working Core_API Changes related to the Core API Package dependencies Pull requests that update a dependency file P1 Priority 1: Highest rust Pull requests that update Rust code Security Related to existing or potential security vulnerabilities Weaver Tasks related to the future of Cactus & Weaver together. labels Aug 13, 2023
@petermetz petermetz self-assigned this Aug 13, 2023
@petermetz petermetz added this to the v2.0.0-alpha.2 milestone Aug 13, 2023
petermetz added a commit to petermetz/cacti that referenced this issue Aug 13, 2023
@petermetz
fix(cactus-core-api): address CVE-2021-38192 - GHSA-x4qm-mcjq-v2gf
e247aeb 
Performs a minor semver upgrades to tonic, tonic-build and prost so
that the vulnerable version of prost-types is no longer in the
dependency tree.

Fixes hyperledger-cacti#2612

Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
@petermetz petermetz mentioned this issue Aug 13, 2023
Merged
@petermetz
Copy link
Contributor Author

This will also fix https://github.com/hyperledger/cacti/security/dependabot/192

petermetz added a commit to petermetz/cacti that referenced this issue Aug 17, 2023
@petermetz
fix(cactus-core-api): address CVE-2021-38192 - GHSA-x4qm-mcjq-v2gf
bd2ba2a 
Performs a minor semver upgrades to tonic, tonic-build and prost so
that the vulnerable version of prost-types is no longer in the
dependency tree.

Fixes hyperledger-cacti#2612

Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
petermetz added a commit that referenced this issue Aug 17, 2023
@petermetz
fix(cactus-core-api): address CVE-2021-38192 - GHSA-x4qm-mcjq-v2gf
ff1afa5 
Performs a minor semver upgrades to tonic, tonic-build and prost so
that the vulnerable version of prost-types is no longer in the
dependency tree.

Fixes #2612

Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
sandeepnRES pushed a commit to sandeepnRES/cacti that referenced this issue Dec 21, 2023
@petermetz @sandeepnRES
fix(cactus-core-api): address CVE-2021-38192 - GHSA-x4qm-mcjq-v2gf
7fea1f6 
Performs a minor semver upgrades to tonic, tonic-build and prost so
that the vulnerable version of prost-types is no longer in the
dependency tree.

Fixes hyperledger-cacti#2612

Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@petermetz petermetz

Labels
bug Something isn't working Core_API Changes related to the Core API Package dependencies Pull requests that update a dependency file P1 Priority 1: Highest rust Pull requests that update Rust code Security Related to existing or potential security vulnerabilities Weaver Tasks related to the future of Cactus & Weaver together.
Projects
None yet
Milestone
v2.0.0-alpha.2
Development

Successfully merging a pull request may close this issue.

fix(cactus-core-api): address CVE-2021-38192 - GHSA-x4qm-mcjq-v2gf petermetz/cacti
1 participant
@petermetz