
[close #542] update protobuf version to 3.16.1 #539

Merged
merged 1 commit into from
Feb 28, 2022

Conversation

marsishandsome
Collaborator

@marsishandsome marsishandsome commented Feb 28, 2022

Signed-off-by: marsishandsome <marsishandsome@gmail.com>

What problem does this PR solve?

Issue Number: close #542

An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.

https://nvd.nist.gov/vuln/detail/CVE-2021-22569

What is changed and how it works?

Fix: upgrade protobuf-java from 3.12.0 to 3.16.1

Signed-off-by: marsishandsome <marsishandsome@gmail.com>
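One way to verify a build no longer pulls in the affected dependency, as an added example that is not part of this PR or the client-java project: a Python script that scans `mvn dependency:tree` output for `protobuf-java` coordinates below the 3.16.1 this PR upgrades to. The sample tree output and the single 3.16.1 threshold are assumptions for illustration.

```python
import re
from typing import List, Tuple

# Fixed version named by this PR (protobuf-java 3.16.1 for CVE-2021-22569).
# Assumption: only this threshold is checked; other release lines are not covered.
FIXED_VERSION = "3.16.1"

# Matches Maven dependency:tree coordinates such as
#   [INFO] |  +- com.google.protobuf:protobuf-java:jar:3.12.0:compile
# The colon after "protobuf-java" keeps protobuf-java-util from matching.
COORD_RE = re.compile(
    r"com\.google\.protobuf:protobuf-java:(?:[\w-]+:)?(?P<version>\d+(?:\.\d+)*)"
)

def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric tuple compare, so 3.9.x sorts below 3.16.1 (string compare gets this wrong)."""
    return tuple(int(p) for p in v.split("."))

def is_vulnerable(version: str) -> bool:
    return parse_version(version) < parse_version(FIXED_VERSION)

def find_vulnerable_protobuf(tree_output: str) -> List[str]:
    """Return the distinct protobuf-java versions in a dependency:tree dump below FIXED_VERSION."""
    found = set()
    for line in tree_output.splitlines():
        m = COORD_RE.search(line)
        if m and is_vulnerable(m.group("version")):
            found.add(m.group("version"))
    return sorted(found, key=parse_version)

# Constructed sample of `mvn dependency:tree` output (not from the client-java build).
# It includes a transitive copy pulled in by another library, which is easy to miss.
SAMPLE_TREE = """\
[INFO] org.tikv:tikv-client-java:jar:3.2.0-SNAPSHOT
[INFO] +- com.google.protobuf:protobuf-java:jar:3.12.0:compile
[INFO] +- io.grpc:grpc-protobuf:jar:1.36.1:compile
[INFO] |  \\- com.google.protobuf:protobuf-java-util:jar:3.12.0:compile
[INFO] +- com.example:some-lib:jar:1.0:compile
[INFO] |  \\- com.google.protobuf:protobuf-java:jar:3.9.2:compile
[INFO] \\- com.google.protobuf:protobuf-java:jar:3.16.1:test
"""

if __name__ == "__main__":
    for v in find_vulnerable_protobuf(SAMPLE_TREE):
        print(f"protobuf-java {v} is below {FIXED_VERSION}")
```

In a real build, pipe `mvn dependency:tree` into this script; a non-empty result means a transitive dependency still needs a managed version override.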
@marsishandsome
Collaborator Author

/run-all-tests

@codecov

codecov bot commented Feb 28, 2022

Codecov Report

Merging #539 (1a51806) into master (c75730e) will decrease coverage by 0.05%.
The diff coverage is n/a.


@@             Coverage Diff              @@
##             master     #539      +/-   ##
============================================
- Coverage     32.01%   31.95%   -0.06%     
- Complexity     1310     1313       +3     
============================================
  Files           278      278              
  Lines         17344    17344              
  Branches       1975     1975              
============================================
- Hits           5552     5542      -10     
- Misses        11170    11181      +11     
+ Partials        622      621       -1     
| Impacted Files | Coverage Δ |
|---|---|
| ...rc/main/java/io/grpc/netty/NettyClientHandler.java | 56.68% <0.00%> (-5.39%) ⬇️ |
| ...java/org/tikv/common/region/RegionStoreClient.java | 48.15% <0.00%> (+0.30%) ⬆️ |
| ...va/org/tikv/common/region/StoreHealthyChecker.java | 64.47% <0.00%> (+1.31%) ⬆️ |
| ...ty/handler/codec/http2/Http2ConnectionHandler.java | 52.07% <0.00%> (+2.20%) ⬆️ |
| src/main/java/io/grpc/netty/WriteQueue.java | 76.69% <0.00%> (+2.25%) ⬆️ |

Continue to review full report at Codecov.

Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update c75730e...1a51806. Read the comment docs.

@zz-jason
Member

what problem do you wish to solve by updating the protobuf version?

@marsishandsome
Collaborator Author

> what problem do you wish to solve by updating the protobuf version?

https://nvd.nist.gov/vuln/detail/CVE-2021-22569

@marsishandsome marsishandsome changed the title [WIP] update protobuf version to 3.16.1 [close #542] update protobuf version to 3.16.1 Feb 28, 2022
@marsishandsome
Collaborator Author

@zz-jason @iosmanthus PTAL

Member

@iosmanthus iosmanthus left a comment


LGTM

Member

@zz-jason zz-jason left a comment


LGTM

@zz-jason zz-jason merged commit 36feccb into tikv:master Feb 28, 2022
ti-srebot pushed a commit to ti-srebot/client-java that referenced this pull request Feb 28, 2022
Signed-off-by: ti-srebot <ti-srebot@pingcap.com>
@ti-srebot
Collaborator

cherry pick to release-3.1 in PR #543

@ti-srebot
Collaborator

cherry pick to release-3.2 in PR #544

ti-srebot pushed a commit to ti-srebot/client-java that referenced this pull request Feb 28, 2022
Signed-off-by: ti-srebot <ti-srebot@pingcap.com>
marsishandsome added a commit that referenced this pull request Mar 1, 2022
Signed-off-by: ti-srebot <ti-srebot@pingcap.com>

Co-authored-by: Liangliang Gu <marsishandsome@gmail.com>
marsishandsome added a commit that referenced this pull request Mar 1, 2022
Signed-off-by: ti-srebot <ti-srebot@pingcap.com>

Co-authored-by: Liangliang Gu <marsishandsome@gmail.com>
shiyuhang0 pushed a commit to shiyuhang0/client-java that referenced this pull request Mar 1, 2022
Signed-off-by: shiyuhang <1136742008@qq.com>
Development

Successfully merging this pull request may close these issues.

CVE-2021-22569: protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields