
Pulling latest upstream changes (vuln fixes) #2

Merged
merged 57 commits into from
Apr 12, 2024

Conversation

@ssmirr commented Apr 1, 2024

Pulling latest changes from upstream for the fixed vulnerabilities (both in code dependencies and docker images).

Current Kaleido fork:

604386504253.dkr.ecr.us-east-2.amazonaws.com/firefly-tokens-erc20-erc721:v1.2.6-20231013-5 (alpine 3.15.6)

Total: 8 (UNKNOWN: 0, HIGH: 8, CRITICAL: 0)

┌──────────────┬───────────────┬──────────┬────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
│   Library    │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │                           Title                            │
├──────────────┼───────────────┼──────────┼────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ libcrypto1.1 │ CVE-2022-4450 │ HIGH     │ fixed  │ 1.1.1q-r0         │ 1.1.1t-r0     │ openssl: double free after calling PEM_read_bio_ex         │
│              │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2022-4450                  │
│              ├───────────────┤          │        │                   │               ├────────────────────────────────────────────────────────────┤
│              │ CVE-2023-0215 │          │        │                   │               │ openssl: use-after-free following BIO_new_NDEF             │
│              │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-0215                  │
│              ├───────────────┤          │        │                   │               ├────────────────────────────────────────────────────────────┤
│              │ CVE-2023-0286 │          │        │                   │               │ openssl: X.400 address type confusion in X.509 GeneralName │
│              │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-0286                  │
│              ├───────────────┤          │        │                   ├───────────────┼────────────────────────────────────────────────────────────┤
│              │ CVE-2023-0464 │          │        │                   │ 1.1.1t-r2     │ openssl: Denial of service by excessive resource usage in  │
│              │               │          │        │                   │               │ verifying X509 policy...                                   │
│              │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-0464                  │
├──────────────┼───────────────┤          │        │                   ├───────────────┼────────────────────────────────────────────────────────────┤
│ libssl1.1    │ CVE-2022-4450 │          │        │                   │ 1.1.1t-r0     │ openssl: double free after calling PEM_read_bio_ex         │
│              │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2022-4450                  │
│              ├───────────────┤          │        │                   │               ├────────────────────────────────────────────────────────────┤
│              │ CVE-2023-0215 │          │        │                   │               │ openssl: use-after-free following BIO_new_NDEF             │
│              │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-0215                  │
│              ├───────────────┤          │        │                   │               ├────────────────────────────────────────────────────────────┤
│              │ CVE-2023-0286 │          │        │                   │               │ openssl: X.400 address type confusion in X.509 GeneralName │
│              │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-0286                  │
│              ├───────────────┤          │        │                   ├───────────────┼────────────────────────────────────────────────────────────┤
│              │ CVE-2023-0464 │          │        │                   │ 1.1.1t-r2     │ openssl: Denial of service by excessive resource usage in  │
│              │               │          │        │                   │               │ verifying X509 policy...                                   │
│              │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-0464                  │
└──────────────┴───────────────┴──────────┴────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘
2024-04-01T16:38:18.015-0400    INFO    Table result includes only package filenames. Use '--format json' option to get the full path to the package file.

Node.js (node-pkg)

Total: 3 (UNKNOWN: 0, HIGH: 2, CRITICAL: 1)

┌────────────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
│                Library                 │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                           Title                            │
├────────────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ @openzeppelin/contracts (package.json) │ CVE-2023-30542 │ HIGH     │ fixed  │ 4.7.3             │ 4.8.3         │ GovernorCompatibilityBravo may trim proposal calldata      │
│                                        │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-30542                 │
├────────────────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ class-validator (package.json)         │ CVE-2019-18413 │ CRITICAL │        │ 0.13.2            │ 0.14.0        │ SQL Injection and Cross-site Scripting in class-validator  │
│                                        │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2019-18413                 │
├────────────────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ http-cache-semantics (package.json)    │ CVE-2022-25881 │ HIGH     │        │ 4.1.0             │ 4.1.1         │ http-cache-semantics: Regular Expression Denial of Service │
│                                        │                │          │        │                   │               │ (ReDoS) vulnerability                                      │
│                                        │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2022-25881                 │
└────────────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘

awrichar and others added 30 commits April 17, 2023 11:45
This ensures that the special character ":" (in particular) will be properly
escaped.

Signed-off-by: Andrew Richardson <[email protected]>
Signed-off-by: Chris Bygrave <[email protected]>
Signed-off-by: Matthew Whitehead <[email protected]>
Encode the values passed in "poolData"
Signed-off-by: Chris Bygrave <[email protected]>
Signed-off-by: Matthew Whitehead <[email protected]>
Add /deactivatepool API for deleting listeners
Pass 409 Conflict back to FireFly Core
Signed-off-by: hfuss <[email protected]>
Nonroot User in Docker Image
Signed-off-by: Nicko Guyer <[email protected]>
nguyer and others added 27 commits February 26, 2024 10:06
Use separate eventstream per namespace
Update MAINTAINERS.md and CODEOWNERS
Signed-off-by: Nicko Guyer <[email protected]>
Bumps the npm_and_yarn group group in /samples/solidity with 1 update: [solidity-coverage](https://github.com/sc-forks/solidity-coverage).


Updates `solidity-coverage` from 0.8.7 to 0.8.10
- [Release notes](https://github.com/sc-forks/solidity-coverage/releases)
- [Changelog](https://github.com/sc-forks/solidity-coverage/blob/master/CHANGELOG.md)
- [Commits](sc-forks/solidity-coverage@v0.8.7...v0.8.10)

---
updated-dependencies:
- dependency-name: solidity-coverage
  dependency-type: indirect
  dependency-group: npm_and_yarn-security-group
...

Signed-off-by: dependabot[bot] <[email protected]>
…les/solidity/npm_and_yarn-security-group-990d8f8890

Bump the npm_and_yarn group group in /samples/solidity with 1 update
Signed-off-by: alexey semenyuk <[email protected]>
This makes the contracts more consistent with OpenZeppelin examples. No
signatures are changed, but there is one slight change in behavior: if
you specify a "base URI", then individual token URIs are always
understood to be a suffix for that base URI. The previous contract
would ignore the base URI when a token URI was specified.

Signed-off-by: Andrew Richardson <[email protected]>
Update to latest OpenZeppelin base contracts
Bumps [follow-redirects](https://github.com/follow-redirects/follow-redirects) from 1.15.5 to 1.15.6.
- [Release notes](https://github.com/follow-redirects/follow-redirects/releases)
- [Commits](follow-redirects/follow-redirects@v1.15.5...v1.15.6)

---
updated-dependencies:
- dependency-name: follow-redirects
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Bumps [follow-redirects](https://github.com/follow-redirects/follow-redirects) from 1.15.5 to 1.15.6.
- [Release notes](https://github.com/follow-redirects/follow-redirects/releases)
- [Commits](follow-redirects/follow-redirects@v1.15.5...v1.15.6)

---
updated-dependencies:
- dependency-name: follow-redirects
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Samim Mirhosseini <[email protected]>
adding high/critical severity vuln checks
Bumps [express](https://github.com/expressjs/express) to 4.19.2 and updates ancestor dependency [@nestjs/platform-express](https://github.com/nestjs/nest/tree/HEAD/packages/platform-express). These dependencies need to be updated together.


Updates `express` from 4.18.2 to 4.19.2
- [Release notes](https://github.com/expressjs/express/releases)
- [Changelog](https://github.com/expressjs/express/blob/master/History.md)
- [Commits](expressjs/express@4.18.2...4.19.2)

Updates `@nestjs/platform-express` from 10.3.3 to 10.3.7
- [Release notes](https://github.com/nestjs/nest/releases)
- [Commits](https://github.com/nestjs/nest/commits/v10.3.7/packages/platform-express)

---
updated-dependencies:
- dependency-name: express
  dependency-type: indirect
- dependency-name: "@nestjs/platform-express"
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
Bumps [undici](https://github.com/nodejs/undici) from 5.28.3 to 5.28.4.
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](nodejs/undici@v5.28.3...v5.28.4)

---
updated-dependencies:
- dependency-name: undici
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
…les/solidity/follow-redirects-1.15.6

Bump follow-redirects from 1.15.5 to 1.15.6 in /samples/solidity
…ow-redirects-1.15.6

Bump follow-redirects from 1.15.5 to 1.15.6
…ess-and-nestjs/platform-express-4.19.2

Bump express and @nestjs/platform-express
…les/solidity/undici-5.28.4

Bump undici from 5.28.3 to 5.28.4 in /samples/solidity
Co-authored-by: Nicko Guyer <[email protected]>
Signed-off-by: alexey semenyuk <[email protected]>
Fix broken URL to solidity contract
@Chengxuan Chengxuan merged commit 97b9d91 into kaleido-io:main Apr 12, 2024
3 checks passed

10 participants