Updating Dependencies #2760

Open. Wants to merge 1 commit into master.
Conversation

@Lewox (Contributor) commented Oct 27, 2024

Description

Updated tink from 1.14.1 to 1.15.0
Updated protobuf-java from 3.25.3 to 3.25.5 (transitive dependency from tink, vulnerable in the current version of tink)

Addressed CVE:
CVE-2024-7254

Pull Request Etiquette

  • I have checked the PRs for upcoming features/bug fixes.
  • I have read the contributing guidelines.

Changes

  • Internal code
  • Library interface (affecting end-user code)
  • Documentation
  • Other: Dependency Update (Vulnerability)

Closes Issue: NaN

@MinnDevelopment (Member) commented
We don't use protobuf, so we can just wait for the transitive dependency to be updated instead.

@Lewox (Contributor, Author) commented Oct 28, 2024

Hi, thanks for checking. Would you be open to upgrading tink if they update the transitive dependency?

@Lewox (Contributor, Author) commented Oct 28, 2024

Someone already beat me to updating the dependency at tink (tink-crypto/tink-java#46), but looking at the Bazel files, it should be using 4.28.0, which is still vulnerable.

@freya022 (Contributor) commented
As Minn mentioned, JDA does not use protobuf at all, so the version of either tink or protobuf does not matter in the slightest.

You can verify this by running a bot with the dependency excluded; I have tried it on my own bot and audio receive works.
Looking at their documentation, I would assume that it is likely used only for sending over the wire.

In addition:

  • JDA does not deserialize untrusted data, as all data comes from Discord.
  • JDA does not expose Tink or any of its transitive dependencies, as it is declared as a runtime dependency, which makes it inaccessible to JDA users. Thus, a user using Tink or Protobuf themselves would be made aware of these issues on their own.
  • The Tink PR did fix the issue; the commit history shows them going from 3.25.3 (current release) -> 4.28.0 -> 4.28.2.

And to answer your earlier question: yes, I believe Minn said that we can wait for Tink's version of protobuf to get upgraded.
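One way to carry out the check freya022 describes against what a Gradle build actually resolves, added here as an example and not code from this PR or from JDA. It assumes the report format of `./gradlew dependencies --configuration runtimeClasspath`, the Maven coordinates `com.google.crypto.tink:tink` and `com.google.protobuf:protobuf-java`, and takes 3.25.5 from the PR description as the fixed version; the three report texts are constructed samples.

```shell
# Added example (not JDA/PR code): find the protobuf-java version a Gradle build resolves
# on the runtime classpath and compare it against the version the PR names as fixed.
FIXED_VERSION=3.25.5   # per the PR description: 3.25.x release addressing CVE-2024-7254
PROTOBUF=com.google.protobuf:protobuf-java

# Constructed sample of a `gradlew dependencies` report, tink pulling in the old protobuf-java.
VULNERABLE_REPORT='runtimeClasspath - Runtime classpath of source set main.
+--- com.google.crypto.tink:tink:1.14.1
|    +--- com.google.protobuf:protobuf-java:3.25.3
|    \--- com.google.code.gson:gson:2.10.1
\--- com.squareup.okhttp3:okhttp:4.12.0'
# Same tree after an explicit upgrade; Gradle prints conflict resolution as "declared -> resolved".
PATCHED_REPORT='+--- com.google.crypto.tink:tink:1.15.0
|    +--- com.google.protobuf:protobuf-java:3.25.3 -> 3.25.5
|    \--- com.google.code.gson:gson:2.10.1'
# Tree with protobuf-java excluded from tink, as in the runtime test described in the comment above.
EXCLUDED_REPORT='+--- com.google.crypto.tink:tink:1.14.1
|    \--- com.google.code.gson:gson:2.10.1'

# Print the resolved version of group:artifact ($2) found in report text ($1); nothing if absent.
resolved_version() {
    printf '%s\n' "$1" | grep -F "$2:" | head -n 1 \
        | sed -e 's/ ([*c])$//' -e 's/.* -> //' -e "s/.*$2://"
}

# True (exit 0) when numeric dot-separated version $1 is at least $2; missing components count as 0.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    return 0
}

# Verdict for one report: exit 0 when protobuf-java is absent or at/above FIXED_VERSION, 1 otherwise.
check_protobuf() {
    v=$(resolved_version "$1" "$PROTOBUF")
    if [ -z "$v" ]; then echo "protobuf-java not on the runtime classpath"; return 0; fi
    if version_ge "$v" "$FIXED_VERSION"; then echo "protobuf-java $v: at or above $FIXED_VERSION"; return 0; fi
    echo "protobuf-java $v: below $FIXED_VERSION, still affected"; return 1
}

for report in "$VULNERABLE_REPORT" "$PATCHED_REPORT" "$EXCLUDED_REPORT"; do
    check_protobuf "$report" || :   # print the verdict without aborting under set -e
done
```

On a real build, feed it the saved output of the Gradle command instead of the constructed strings.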
