Skip to content

Update protobuf-java to address CVE-2024-7254 #11543

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
ejona86 merged 1 commit into from
Sep 24, 2024
Merged

Update protobuf-java to address CVE-2024-7254 #11543

ejona86 merged 1 commit into from
Sep 24, 2024

Conversation

@bestbeforetoday
Copy link
Contributor

@bestbeforetoday bestbeforetoday commented Sep 20, 2024

Resolves #11542

@bestbeforetoday
Update protobuf-java to address CVE-2024-7254
351967d 
Signed-off-by: Mark S. Lewis <Mark.S.Lewis@outlook.com>
@bestbeforetoday
Copy link
Contributor Author

bestbeforetoday commented Sep 20, 2024

I don't know how anything I have changed would have caused a failure for Java 11 and not for Java 8 or Java 17. I suspect this is a test flake. Any guidance is appreciated.

@bestbeforetoday bestbeforetoday marked this pull request as ready for review September 20, 2024 15:53
@ejona86 ejona86 added the kokoro:run Add this label to a PR to tell Kokoro the code is safe and tests can be run label Sep 20, 2024
@grpc-kokoro grpc-kokoro removed the kokoro:run Add this label to a PR to tell Kokoro the code is safe and tests can be run label Sep 20, 2024
ejona86
ejona86 approved these changes Sep 20, 2024
View reviewed changes
Copy link
Member

@ejona86 ejona86 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'll note this doesn't upgrade Bazel. That must be acceptable for bzlmod as BCR doesn't have a 25.x version. We could update non-bzlmod by updating repositories.bzl, but external contributors generally don't have Bazel.

@ejona86
Copy link
Member

ejona86 commented Sep 20, 2024

The Java 11 error was for grpc-servlet, and yes, unfortunately that is flaky. Seems Macos failed due to a download failure. I've restarted both of them.

@ejona86 ejona86 merged commit 2ff837a into grpc:master Sep 24, 2024
@ejona86 ejona86 added the TODO:backport PR needs to be backported. Removed after backport complete label Sep 24, 2024
@ejona86 ejona86 mentioned this pull request Sep 24, 2024
Closed
@bestbeforetoday bestbeforetoday deleted the CVE-2024-7254 branch September 24, 2024 16:37
@lujiajing1126 lujiajing1126 mentioned this pull request Oct 11, 2024
Closed
2 tasks
@ejona86 ejona86 removed the TODO:backport PR needs to be backported. Removed after backport complete label Oct 28, 2024
@ejona86 ejona86 mentioned this pull request Nov 12, 2024
Closed
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jan 27, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@ejona86 ejona86 ejona86 approved these changes

@kannanjgithub kannanjgithub kannanjgithub approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

CVE-2024-7254 reported in protobuf-java dependency

4 participants

@bestbeforetoday @ejona86 @kannanjgithub @grpc-kokoro