
Version 2.2.0 brings in dependencies with CVE #767

Closed · sbyrnes-weblogix opened this issue Oct 30, 2018 · 1 comment · Fixed by #768
Comments

sbyrnes-weblogix commented Oct 30, 2018

Expected behavior

Dependencies that have been shared and included should not have security issues.
This seems to be fixed in version v1.16.1 (https://github.com/grpc/grpc-java/releases) of grpc-java.
v1.16.0 brought in "Updated to Netty 4.1.30 and Netty tcnative 2.0.17" and broke ABI; this is fixed in version 1.16.1.

Actual behavior

grpc-netty-shaded-1.14.0.jar/META-INF/maven/io.netty/netty-tcnative-boringssl-static/pom.xml (io.netty:netty-tcnative-boringssl-static:2.0.12.Final, cpe:/a:netty_project:netty:2.0.12) : CVE-2015-2156, CVE-2014-3488
https://nvd.nist.gov/vuln/detail/CVE-2015-2156

To Reproduce

Maven build scanning dependencies during the build using "dependency-check-maven:3.3.1:check (owasp-enforce)" with a CVE level of less than 4.

System information

Please provide the following information:

  • SDK Version: 2.2.0 (did not exist in 2.1.2)
  • OS type and version: Java (1.8) on Linux (ubuntu 16.04)
  • Application Server type and version (if applicable): Java Application at compile time
  • Using spring-boot? No, Maven and Dropwizard
  • Additional relevant libraries (with version, if applicable):

Logs

Not relevant as this is at compile time

Screenshots

Not relevant as this is at compile time
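The finding above was produced by dependency-check reading the Maven metadata that the shade plugin copies into the fat jar under META-INF/maven/<groupId>/<artifactId>/. That is the only reliable record of what a shaded artifact such as grpc-netty-shaded actually bundles, because the relocated classes no longer appear as Maven dependencies. The following is an added example, not code from the issue reporter or from the project: it builds a constructed in-memory jar carrying the netty-tcnative-boringssl-static 2.0.12.Final coordinates quoted in the report (the second artifact, com.example:example-util, and the class entry are fabricated filler), inventories every bundled pom.properties, and checks the coordinates against a small constructed advisory table. The table's one entry mirrors the two CVE IDs dependency-check reported; a real pipeline would consult the NVD or an SCA service instead of a hard-coded dict, and would do version-range matching rather than the exact-coordinate lookup used here.

```python
import io
import zipfile
from typing import Dict, List, Tuple

GAV = Tuple[str, str, str]  # (groupId, artifactId, version)


def build_sample_shaded_jar() -> bytes:
    """Constructed sample: a tiny jar laid out like a maven-shade output.

    Only the tcnative coordinates come from the issue; everything else
    (the example-util artifact, the class stub) is made up for the demo.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(
            "META-INF/maven/io.netty/netty-tcnative-boringssl-static/pom.properties",
            "#Generated by Maven\n"
            "version=2.0.12.Final\n"
            "groupId=io.netty\n"
            "artifactId=netty-tcnative-boringssl-static\n",
        )
        jar.writestr(
            "META-INF/maven/com.example/example-util/pom.properties",  # fabricated
            "version=1.0.0\ngroupId=com.example\nartifactId=example-util\n",
        )
        # A relocated class; content is irrelevant to the metadata scan.
        jar.writestr("io/grpc/netty/shaded/Dummy.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def _parse_properties(text: str) -> Dict[str, str]:
    """Minimal java.util.Properties reader: key=value lines, '#' comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def shaded_dependencies(jar_bytes: bytes) -> List[GAV]:
    """Return the Maven coordinates of every artifact bundled in the jar.

    Walks META-INF/maven/*/*/pom.properties; classes may have been relocated,
    but this metadata still names the original groupId:artifactId:version.
    """
    found: List[GAV] = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not (name.startswith("META-INF/maven/") and name.endswith("/pom.properties")):
                continue
            props = _parse_properties(jar.read(name).decode("utf-8", "replace"))
            if {"groupId", "artifactId", "version"} <= props.keys():
                found.append((props["groupId"], props["artifactId"], props["version"]))
    return sorted(found)


# Constructed advisory table keyed on exact coordinates. The single entry
# repeats the CVE IDs dependency-check attached to this artifact in the issue.
KNOWN_VULNERABLE: Dict[GAV, List[str]] = {
    ("io.netty", "netty-tcnative-boringssl-static", "2.0.12.Final"): [
        "CVE-2015-2156",
        "CVE-2014-3488",
    ],
}


def audit_jar(jar_bytes: bytes, advisories: Dict[GAV, List[str]] = KNOWN_VULNERABLE) -> Dict[GAV, List[str]]:
    """Map each bundled artifact with a known advisory to its CVE IDs."""
    return {gav: advisories[gav] for gav in shaded_dependencies(jar_bytes) if gav in advisories}


if __name__ == "__main__":
    sample = build_sample_shaded_jar()
    for gav in shaded_dependencies(sample):
        print("bundled:", ":".join(gav))
    for gav, cves in audit_jar(sample).items():
        print("VULNERABLE:", ":".join(gav), ", ".join(cves))
```

Pointing the scan at a real artifact means reading the file bytes (for example, grpc-netty-shaded-1.14.0.jar from the local Maven repository) instead of calling build_sample_shaded_jar(). Because the match is on exact groupId:artifactId:version, it cannot confuse an artifact with another project's identically numbered release the way a CPE-based heuristic can; the price is that every affected version must be listed explicitly.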

@littleaj littleaj self-assigned this Oct 30, 2018
@littleaj littleaj added this to the 2.2.1 milestone Oct 30, 2018
littleaj (Contributor) commented Nov 7, 2018

Thank you for bringing this to our attention. We are upgrading grpc in the next release.

@ghost ghost locked as resolved and limited conversation to collaborators Jul 20, 2021