Update protobuf-java to address CVE-2024-7254 #11543

Merged
merged 1 commit into from
Sep 24, 2024

bestbeforetoday
Contributor

Resolves #11542

@bestbeforetoday
Contributor Author

I don't know how anything I have changed would have caused a failure for Java 11 and not for Java 8 or Java 17. I suspect this is a test flake. Any guidance is appreciated.

@bestbeforetoday bestbeforetoday marked this pull request as ready for review September 20, 2024 15:53
@ejona86 ejona86 added the kokoro:run label Sep 20, 2024
@grpc-kokoro grpc-kokoro removed the kokoro:run label Sep 20, 2024
Member

@ejona86 ejona86 left a comment

I'll note this doesn't upgrade Bazel. That must be acceptable for bzlmod as BCR doesn't have a 25.x version. We could update non-bzlmod by updating repositories.bzl, but external contributors generally don't have Bazel.

@ejona86
Member

ejona86 commented Sep 20, 2024

The Java 11 error was for grpc-servlet, and yes, unfortunately that is flaky. Seems macOS failed due to a download failure. I've restarted both of them.

@ejona86 ejona86 merged commit 2ff837a into grpc:master Sep 24, 2024
15 checks passed
@ejona86 ejona86 added the TODO:backport label Sep 24, 2024
@bestbeforetoday bestbeforetoday deleted the CVE-2024-7254 branch September 24, 2024 16:37
@ejona86 ejona86 removed the TODO:backport label Oct 28, 2024
Successfully merging this pull request may close these issues.

CVE-2024-7254 reported in protobuf-java dependency