fix(plugin-ledger-connector-fabric-socketio): upgrade Fabric due to jsrsasign #1799

petermetz · 2022-01-19T19:30:47Z

Describe the bug

We have a critical severity vulnerability put back in the code by a recent PR: #1754

packages/cactus-plugin-ledger-connector-fabric-socketio/package.json

    "fabric-ca-client": "~1.4.0",
    "fabric-client": "~1.4.0",
    "fabric-network": "~1.4.0",

To Reproduce

npm ls jsrsasign

$ npm ls jsrsasign
@hyperledger/cactus@ /home/peter/a/blockchain/cactus
├─┬ @hyperledger/cactus-cmd-socket-server@1.0.0-rc.3 -> ./packages/cactus-cmd-socketio-server
│ ├─┬ fabric-ca-client@2.2.10
│ │ ├─┬ fabric-common@2.2.10
│ │ │ └── jsrsasign@10.5.0 deduped
│ │ └── jsrsasign@10.5.0
│ └─┬ fabric-network@2.2.10
│   └─┬ fabric-common@2.2.10
│     └── jsrsasign@10.5.0 deduped
├─┬ @hyperledger/cactus-plugin-ledger-connector-fabric-socketio@1.0.0-rc.3 -> ./packages/cactus-plugin-ledger-connector-fabric-socketio
│ ├─┬ fabric-ca-client@1.4.18
│ │ └── jsrsasign@8.0.24
│ └─┬ fabric-client@1.4.18
│   └── jsrsasign@8.0.24
├─┬ @hyperledger/cactus-plugin-ledger-connector-fabric@1.0.0-rc.3 -> ./packages/cactus-plugin-ledger-connector-fabric
│ ├─┬ fabric-ca-client@2.3.0-snapshot.62
│ │ └── jsrsasign@10.5.0
│ ├─┬ fabric-common@2.3.0-snapshot.63
│ │ └── jsrsasign@10.5.0 deduped
│ ├── jsrsasign@10.4.0
│ └─┬ ws-wallet@1.1.5
│   └── jsrsasign@10.4.1
└─┬ @hyperledger/cactus-test-tooling@1.0.0-rc.3 -> ./packages/cactus-test-tooling
  └─┬ fabric-ca-client@2.2.10
    ├─┬ fabric-common@2.2.10
    │ └── jsrsasign@10.5.0 deduped
    └── jsrsasign@10.5.0 deduped

Expected behavior

Vulnerable versions of dependencies have to be upgraded.

@outSH

The text was updated successfully, but these errors were encountered:

…srsasign Revert fabric sdk package change from PR hyperledger-cacti#1754 Closes: hyperledger-cacti#1799 Signed-off-by: Michal Bajer <michal.bajer@fujitsu.com>

…srsasign Revert fabric sdk package change from PR #1754 Closes: #1799 Signed-off-by: Michal Bajer <michal.bajer@fujitsu.com>

petermetz added bug Something isn't working Security Related to existing or potential security vulnerabilities P1 Priority 1: Highest labels Jan 19, 2022

outSH mentioned this issue Jan 20, 2022

fix(plugin-ledger-connector-fabric-socketio): upgrade Fabric due to jsrsasign #1800

Merged

petermetz closed this as completed in #1800 Feb 4, 2022

petermetz pushed a commit that referenced this issue Feb 4, 2022

fix(plugin-ledger-connector-fabric-socketio): upgrade Fabric due to j…

a9ecb19

…srsasign Revert fabric sdk package change from PR #1754 Closes: #1799 Signed-off-by: Michal Bajer <michal.bajer@fujitsu.com>

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix(plugin-ledger-connector-fabric-socketio): upgrade Fabric due to jsrsasign #1799

fix(plugin-ledger-connector-fabric-socketio): upgrade Fabric due to jsrsasign #1799

petermetz commented Jan 19, 2022

fix(plugin-ledger-connector-fabric-socketio): upgrade Fabric due to jsrsasign #1799

fix(plugin-ledger-connector-fabric-socketio): upgrade Fabric due to jsrsasign #1799

Comments

petermetz commented Jan 19, 2022