Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(security): mitigate CVE-2024-21505 #3292

Merged
merged 1 commit into from
Jun 6, 2024
Merged

fix(security): mitigate CVE-2024-21505 #3292

merged 1 commit into from
Jun 6, 2024

Conversation

petermetz
Copy link
Contributor

The changes made to this commit were performed by running yarn up -R web3-utils
in the root directory of the project which upgraded all the transitive web3-utils
dependency versions. Finally the root package.json's web3-utils declaration had
to be manually bumped as well.

Tags

The security advisory:
https://github.com/hyperledger/cacti/security/dependabot/987

Related pull request that was an attempt by the robots to fix the issue (without success)
#3264

Signed-off-by: Peter Somogyvari [email protected]

Pull Request Requirements

  • Rebased onto upstream/main branch and squashed into single commit to help maintainers review it more efficient and to avoid spaghetti git commit graphs that obfuscate which commit did exactly what change, when and, why.
  • Have git sign off at the end of commit message to avoid being marked red. You can add -s flag when using git commit command. You may refer to this link for more information.
  • Follow the Commit Linting specification. You may refer to this link for more information.

Character Limit

  • Pull Request Title and Commit Subject must not exceed 72 characters (including spaces and special characters).
  • Commit Message per line must not exceed 80 characters (including spaces and special characters).

A Must Read for Beginners
For rebasing and squashing, here's a must read guide for beginners.

@petermetz petermetz enabled auto-merge (rebase) June 1, 2024 17:16
jagpreetsinghsasan
jagpreetsinghsasan approved these changes Jun 4, 2024
View reviewed changes
Copy link
Contributor

@jagpreetsinghsasan jagpreetsinghsasan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@petermetz
fix(security): mitigate CVE-2024-21505
73242f7 
The changes made to this commit were performed by running `yarn up -R web3-utils`
in the root directory of the project which upgraded all the transitive web3-utils
dependency versions. Finally the root package.json's web3-utils declaration had
to be manually bumped as well.

Tags
- Runtime dependency
- Patch available
Weaknesses
- WeaknessCWE-1321
CVE ID
- CVE-2024-21505
GHSA ID
- GHSA-2g4c-8fpm-c46v

The security advisory:
https://github.com/hyperledger/cacti/security/dependabot/987

Related pull request that was an attempt by the robots to fix the issue (without success)
hyperledger-cacti#3264

Signed-off-by: Peter Somogyvari <[email protected]>
@petermetz petermetz force-pushed the fix-security-cve-2024-21505 branch from a76b0e0 to 73242f7 Compare June 6, 2024 16:29
@petermetz petermetz merged commit f48994f into hyperledger-cacti:main Jun 6, 2024
145 of 150 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@outSH outSH outSH approved these changes

@jagpreetsinghsasan jagpreetsinghsasan jagpreetsinghsasan approved these changes

@takeutak takeutak Awaiting requested review from takeutak takeutak is a code owner

@izuru0 izuru0 Awaiting requested review from izuru0 izuru0 is a code owner

@VRamakrishna VRamakrishna Awaiting requested review from VRamakrishna VRamakrishna is a code owner

@sandeepnRES sandeepnRES Awaiting requested review from sandeepnRES sandeepnRES is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@petermetz @outSH @jagpreetsinghsasan