fix(cactus-connector-besu): mitigate CVE-2022-24434 and CVE-2022-24999 #2241
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
aldousalvarez
requested review from
petermetz,
takeutak,
izuru0,
jagpreetsinghsasan and
sandeepnRES
as code owners
|
Hello @petermetz , Most of the vulnerabilities are now fixed in cactus-plugin-ledger-connector-besu but there are still some that is not yet fixed as you can see here. The only vulnerability (CVE-2022-2421) is still a vulnerability because the latest version of the package that is being used is still the affected version. The changes committed on this PR will fix the 3 out of the 4 remaining vulnerabilities (CVE-2022-24434, CVE-2022-24999, and CVE-2022-24999) once the changes are applied and the new version is released and the packages are updated just like the v1.1 release. |
aldousalvarez
force-pushed
the
aldousalvarez/issue2040
branch
from
03b760d
to
67f7c48
Compare
petermetz
requested changes
Dec 24, 2022
There was a problem hiding this comment.
@aldousalvarez A dozen or so packages have their tests failing so I'm thinking this is probably not a flake but an actual regression. Please fix and then pass it back for review once the tests are passing.
aldousalvarez
force-pushed
the
aldousalvarez/issue2040
branch
4 times, most recently
from
74ce012
to
6973b08
Compare
aldousalvarez
requested review from
petermetz
and removed request for
sandeepnRES,
jagpreetsinghsasan,
takeutak and
izuru0
aldousalvarez
force-pushed
the
aldousalvarez/issue2040
branch
from
6973b08
to
ce63556
Compare
petermetz
requested changes
Mar 27, 2023
There was a problem hiding this comment.
@aldousalvarez Same here as with the other vulnerability fix PR Of yours, please clarify the CVE ID in the commit subject and PR title and then we should be good to go.
ruzell22
added a commit
to ruzell22/cactus
that referenced
this pull request
Mar 28, 2023
…dger#2039 fixes: hyperledger#2039 related to: hyperledger#2241 Verified that these changes will fix the vulnerabilities in cactus-cmd-api-server in addition to the following CVE IDs: - CVE-2022-24434 - CVE-2022-24999 (express) - CVE-2022-24999 (qs) Signed-off-by: ruzell22 <ruzell.vince.aquino@accenture.com>
ruzell22
added a commit
to ruzell22/cactus
that referenced
this pull request
Mar 28, 2023
…dger#2039 - fix CVE-2022-24434 and CVE-2022-24999 fixes: hyperledger#2039 related to: hyperledger#2241 Verified that these changes will fix the vulnerabilities in cactus-cmd-api-server in addition to the following CVE IDs: - CVE-2022-24434 - CVE-2022-24999 (express) - CVE-2022-24999 (qs) Signed-off-by: ruzell22 <ruzell.vince.aquino@accenture.com>
ruzell22
added a commit
to ruzell22/cactus
that referenced
this pull request
Mar 29, 2023
…ledger#2039 fixes: hyperledger#2039 related to: hyperledger#2241 Verified that these changes will fix the vulnerabilities in cactus-cmd-api-server in addition to the following CVE IDs: - CVE-2022-24434 - CVE-2022-24999 (express) - CVE-2022-24999 (qs) Signed-off-by: ruzell22 <ruzell.vince.aquino@accenture.com>
aldousalvarez
force-pushed
the
aldousalvarez/issue2040
branch
from
ce63556
to
c86a61f
Compare
aldousalvarez
changed the title
|
Hello @petermetz already updated the commit subject and PR title as to your requested changes. Thank you. |
petermetz
approved these changes
Mar 29, 2023
ryjones
pushed a commit
to ruzell22/cactus
that referenced
this pull request
Mar 29, 2023
…ledger#2039 fixes: hyperledger#2039 related to: hyperledger#2241 Verified that these changes will fix the vulnerabilities in cactus-cmd-api-server in addition to the following CVE IDs: - CVE-2022-24434 - CVE-2022-24999 (express) - CVE-2022-24999 (qs) Signed-off-by: ruzell22 <ruzell.vince.aquino@accenture.com>
petermetz
pushed a commit
to ruzell22/cactus
that referenced
this pull request
Apr 3, 2023
…ledger#2039 fixes: hyperledger#2039 related to: hyperledger#2241 Verified that these changes will fix the vulnerabilities in cactus-cmd-api-server in addition to the following CVE IDs: - CVE-2022-24434 - CVE-2022-24999 (express) - CVE-2022-24999 (qs) Co-authored-by: Peter Somogyvari <peter.somogyvari@accenture.com> Signed-off-by: ruzell22 <ruzell.vince.aquino@accenture.com> Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
charellesandig
pushed a commit
to charellesandig/cactus
that referenced
this pull request
Apr 4, 2023
…ledger#2039 fixes: hyperledger#2039 related to: hyperledger#2241 Verified that these changes will fix the vulnerabilities in cactus-cmd-api-server in addition to the following CVE IDs: - CVE-2022-24434 - CVE-2022-24999 (express) - CVE-2022-24999 (qs) Co-authored-by: Peter Somogyvari <peter.somogyvari@accenture.com> Signed-off-by: ruzell22 <ruzell.vince.aquino@accenture.com> Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
Fixes hyperledger#2040 These changes will fix the following vulnerabilities with their CVE IDs: - CVE-2022-24434 - CVE-2022-24999 (express) - CVE-2022-24999 (qs) Signed-off-by: aldousalvarez <aldousss.alvarez@gmail.com>
aldousalvarez
force-pushed
the
aldousalvarez/issue2040
branch
from
2ffe185
to
6df4b7b
Compare
|
Hello @petermetz, After rebasing with the latest commit I have seen that my initial commit was already fixed by the new commits that has been merged so I have no more changes that can be applied. Initial Commit |
@aldousalvarez Got it, thank you for double checking! Closing this as redundant then! |
charellesandig
pushed a commit
to charellesandig/cactus
that referenced
this pull request
Apr 13, 2023
…ledger#2039 fixes: hyperledger#2039 related to: hyperledger#2241 Verified that these changes will fix the vulnerabilities in cactus-cmd-api-server in addition to the following CVE IDs: - CVE-2022-24434 - CVE-2022-24999 (express) - CVE-2022-24999 (qs) Co-authored-by: Peter Somogyvari <peter.somogyvari@accenture.com> Signed-off-by: ruzell22 <ruzell.vince.aquino@accenture.com> Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
charellesandig
pushed a commit
to charellesandig/cactus
that referenced
this pull request
Apr 13, 2023
…ledger#2039 fixes: hyperledger#2039 related to: hyperledger#2241 Verified that these changes will fix the vulnerabilities in cactus-cmd-api-server in addition to the following CVE IDs: - CVE-2022-24434 - CVE-2022-24999 (express) - CVE-2022-24999 (qs) Co-authored-by: Peter Somogyvari <peter.somogyvari@accenture.com> Signed-off-by: ruzell22 <ruzell.vince.aquino@accenture.com> Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
charellesandig
pushed a commit
to charellesandig/cactus
that referenced
this pull request
Apr 20, 2023
…ledger#2039 fixes: hyperledger#2039 related to: hyperledger#2241 Verified that these changes will fix the vulnerabilities in cactus-cmd-api-server in addition to the following CVE IDs: - CVE-2022-24434 - CVE-2022-24999 (express) - CVE-2022-24999 (qs) Co-authored-by: Peter Somogyvari <peter.somogyvari@accenture.com> Signed-off-by: ruzell22 <ruzell.vince.aquino@accenture.com> Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
charellesandig
pushed a commit
to charellesandig/cactus
that referenced
this pull request
May 2, 2023
…ledger#2039 fixes: hyperledger#2039 related to: hyperledger#2241 Verified that these changes will fix the vulnerabilities in cactus-cmd-api-server in addition to the following CVE IDs: - CVE-2022-24434 - CVE-2022-24999 (express) - CVE-2022-24999 (qs) Co-authored-by: Peter Somogyvari <peter.somogyvari@accenture.com> Signed-off-by: ruzell22 <ruzell.vince.aquino@accenture.com> Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes #2040
Signed-off-by: aldousalvarez aldousss.alvarez@gmail.com