CVE-2024-7254 on org.scala-sbt:zinc-persist-core-assembly:1.10.2 #1442

Closed
gabrieljones opened this issue Oct 8, 2024 · 2 comments · Fixed by #1443

Comments

@gabrieljones

gabrieljones commented Oct 8, 2024

Sonatype just flagged org.scala-sbt:zinc-persist-core-assembly:1.10.2 with

https://nvd.nist.gov/vuln/detail/CVE-2024-7254
https://www.cve.org/CVERecord?id=CVE-2024-7254

Looks like the protobuf lib is shaded into this artifact.

@eed3si9n
Member

eed3si9n commented Oct 8, 2024

@gabrieljones Thanks for letting us know!

@Friendseeker
Member

Friendseeker commented Oct 8, 2024

Thanks for letting us know. Just made a PR to bump protobuf version.

Btw, which website did you use to see the Sonatype flags? I went on https://ossindex.sonatype.org/component/pkg:maven/org.scala-sbt/zinc-persist-core-assembly@1.10.2 and saw no flags.

I am thinking if there are some bots we can set up to auto-post an issue when some zinc artifact is flagged.
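The reason a coordinate-based scan of the assembly artifact can come back clean is that the vulnerable library is shaded into it rather than declared as a dependency. The following script is an added example (not zinc or sbt project code) that looks inside an assembly jar for the Maven metadata a shaded protobuf-java copy normally carries and reports the bundled version; it assumes the jar kept `META-INF/maven/.../pom.properties`, and falls back to reporting "unknown" when only the protobuf classes survive. The sample jar it builds is constructed in memory for illustration.

```python
import io
import zipfile
from typing import Optional

# Constructed example, not zinc/sbt project code. Assumes the assembly jar keeps the
# Maven metadata that shaded libraries carry (META-INF/maven/<group>/<artifact>/pom.properties);
# if that file was stripped, we can still report that protobuf classes are bundled.
PROTOBUF_PROPS = "META-INF/maven/com.google.protobuf/protobuf-java/pom.properties"
PROTOBUF_PKG = "com/google/protobuf/"


def shaded_protobuf_version(jar_bytes: bytes) -> Optional[str]:
    """Return the bundled protobuf-java version, "unknown" when protobuf
    classes are present without metadata, or None when nothing is bundled."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        if PROTOBUF_PROPS in names:
            props = zf.read(PROTOBUF_PROPS).decode("utf-8", "replace")
            for line in props.splitlines():
                key, sep, value = line.strip().partition("=")
                if sep and key == "version":
                    return value.strip()
        if any(n.startswith(PROTOBUF_PKG) and n.endswith(".class") for n in names):
            return "unknown"
    return None


def build_sample_jar(version: Optional[str], with_classes: bool = True) -> bytes:
    """Construct an in-memory jar that mimics a shaded assembly (test fixture only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("example/HostClass.class", b"")  # placeholder for the project's own classes
        if with_classes:
            zf.writestr(PROTOBUF_PKG + "CodedInputStream.class", b"")
        if version is not None:
            zf.writestr(PROTOBUF_PROPS, f"#Generated by Maven\nversion={version}\n"
                        "groupId=com.google.protobuf\nartifactId=protobuf-java\n")
    return buf.getvalue()


if __name__ == "__main__":
    # Usage on a real artifact: python check_shaded.py zinc-persist-core-assembly.jar
    import sys
    with open(sys.argv[1], "rb") as f:
        print(shaded_protobuf_version(f.read()))
```

Compare the reported version against the advisory's fixed versions; a result of "unknown" means protobuf is bundled but its metadata was dropped, so the version must be determined another way (for example from the build definition).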
