From feb30adb3da7410f6c849ba501c31f9d661ac04d Mon Sep 17 00:00:00 2001
From: Usman Saleem
Date: Mon, 30 Sep 2024 14:52:22 +1000
Subject: [PATCH] Update protobuf and google secrets manager versions
---
 CHANGELOG.md | 3 +++
 build.gradle | 2 +-
 gradle/versions.gradle | 4 +++-
 3 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index bce549d01..89126cbaf 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,9 @@
 - Java 21 for build and runtime. [#995](https://github.com/Consensys/web3signer/pull/995)
 - Electra fork support. [#1020](https://github.com/Consensys/web3signer/pull/1020)
+### Bugs fixed
+- Override protobuf-java to 3.25.5 which is a transitive dependency from google-cloud-secretmanager. It fixes CVE-2024-7254.
+
 ---
 ## 24.6.0
diff --git a/build.gradle b/build.gradle
index 103a725a4..9c21a60b5 100644
--- a/build.gradle
+++ b/build.gradle
@@ -29,7 +29,7 @@ buildscript {
 }
 plugins {
- id 'org.owasp.dependencycheck' version "10.0.3"
+ id 'org.owasp.dependencycheck' version "10.0.4"
 id 'java-test-fixtures'
 id 'com.diffplug.spotless' version '7.0.0.BETA1'
 id 'com.github.ben-manes.versions' version '0.51.0' //`./gradlew dependencyUpdates` to report outdated dependencies
diff --git a/gradle/versions.gradle b/gradle/versions.gradle
index e8ddd510e..793b99cab 100644
--- a/gradle/versions.gradle
+++ b/gradle/versions.gradle
@@ -144,7 +144,9 @@ dependencyManagement {
 dependency 'org.flywaydb:flyway-core:10.16.0'
 dependency 'org.flywaydb:flyway-database-postgresql:10.16.0'
- dependency 'com.google.cloud:google-cloud-secretmanager:2.48.0'
+ dependency 'com.google.cloud:google-cloud-secretmanager:2.51.0'
+ dependency 'com.google.protobuf:protobuf-java:3.25.5' // fixes CVE-2024-7254 - transitive from google-cloud-secretmanager
+
 dependency 'io.zonky.test.postgres:embedded-postgres-binaries-bom:11.22.1'
 dependency 'io.zonky.test:embedded-postgres:2.0.7'
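Review bot: The new `com.google.protobuf:protobuf-java:3.25.5` entry in `gradle/versions.gradle` has no removal condition, so the managed version will keep applying after google-cloud-secretmanager itself resolves a newer protobuf and could then act as a silent downgrade. Extend the comment to say when it goes away, e.g. `// fixes CVE-2024-7254 - transitive from google-cloud-secretmanager; remove once upstream resolves >= 3.25.5 on its own`. The pin covers only `protobuf-java`; if sibling artifacts such as `protobuf-java-util` are also on the classpath (not visible in this hunk), they should be managed to the same version so the protobuf modules stay aligned. It is worth confirming the resolved version with `./gradlew dependencyInsight --dependency protobuf-java` for the runtime classpath before relying on the CHANGELOG statement. The `dependencyManagement` block starts and ends outside the hunk.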