Address Vulnerabilities in graphql-java, commons_net, antlr #5386

Closed
AgelM opened this issue Apr 25, 2023 · 8 comments
Assignees
Labels
dependencies snack Small coding task TeamGroot GH issues worked on by Groot Team TeamRevenant GH issues worked on by Revenant Team

Comments

@AgelM

AgelM commented Apr 25, 2023

Description

As a Besu user, I want currently critical and high vulnerabilities reported in Besu addressed so that any solution based on Besu can maintain minimum security baselines.

| Package | Vulnerability | Severity | Current Version | Fixed Version |
|---|---|---|---|---|
| graphql-java | CVE-2023-28867 | High | 19.2 | ~> 19.4 |
| commons_net | - | Medium | 3.8.0 | ~> 3.9.0 |
| antlr | - | Medium | 4.10.1 | ~> 4.11.0 |

Acceptance Criteria

  • All three vulnerabilities above have the required fixes applied

Steps to Reproduce (Bug)

  1. Vulnerability Scanning against common vulnerability DBs

Logs (if a bug)

Please post relevant logs from Besu (and the consensus client, if running proof of stake) from before and after the issue.

Versions (Add all that apply)

  • Software version: 23.1.3
@non-fungible-nelson non-fungible-nelson added TeamGroot GH issues worked on by Groot Team TeamRevenant GH issues worked on by Revenant Team TeamChupa GH issues worked on by Chupacabara Team snack Small coding task labels May 8, 2023
@macfarla macfarla self-assigned this May 9, 2023
@macfarla
Contributor

macfarla commented May 9, 2023

graphql-java is already up to date

@macfarla
Contributor

macfarla commented May 9, 2023

antlr is easy to fix

@macfarla
Contributor

macfarla commented May 9, 2023

commons-net comes via tuweni

@macfarla
Contributor

macfarla commented May 9, 2023

tuweni has commons-net 3.9.0 apache/incubator-tuweni@2ffe26a

@macfarla
Contributor

macfarla commented May 9, 2023

we need a new tuweni release - tuweni already has updated antlr and commons-net apache/incubator-tuweni#479 but we need a release. Besu antlr needs to match tuweni antlr otherwise we get this error https://app.circleci.com/pipelines/github/hyperledger/besu/22098/workflows/15854be4-0d37-479d-be11-a012699efbeb/jobs/136772/tests

@macfarla
Contributor

macfarla commented May 9, 2023

we can override the commons-net version per #5444 but not antlr
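As an added example (not code from the Besu build and not the change made in #5444), a Gradle build-script fragment that forces the transitive commons-net coming in via tuweni to 3.9.0 while keeping antlr4-runtime pinned to the version tuweni was built with; the coordinates and the `tuweniAntlrVersion` value are assumptions.

```groovy
// Added example: override a transitive commons-net version pulled in via tuweni.
// Coordinates and the antlr version below are assumptions, not Besu's own build files.
def tuweniAntlrVersion = '4.11.0' // placeholder: use the version tuweni's release was generated with

configurations.all {
    resolutionStrategy {
        // Force the patched commons-net regardless of what tuweni declares transitively.
        force 'commons-net:commons-net:3.9.0'

        // antlr cannot be bumped independently: tuweni's generated parsers must run on
        // the same antlr4-runtime they were generated with, so align Besu's antlr with
        // tuweni's rather than forcing a newer one (that mismatch is the CircleCI failure
        // referenced above).
        eachDependency { details ->
            if (details.requested.group == 'org.antlr' && details.requested.name == 'antlr4-runtime') {
                details.useVersion(tuweniAntlrVersion)
                details.because('antlr4-runtime must match the version tuweni was built with')
            }
        }
    }
}
```

Confirm what actually resolved with `./gradlew dependencies --configuration runtimeClasspath` and check the commons-net and antlr4-runtime lines rather than trusting the declared versions.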

@macfarla macfarla removed the good first issue Good for newcomers label May 17, 2023
@pinges pinges closed this as completed Jun 12, 2023
@macfarla macfarla reopened this Jun 22, 2023
@macfarla
Contributor

Reopening since we rolled back the tuweni update. Blocked now on getting a new tuweni version

@non-fungible-nelson non-fungible-nelson removed the TeamChupa GH issues worked on by Chupacabara Team label Jun 27, 2023
@macfarla
Contributor

should be fixed by #5684

4 participants