Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

GRPC Uses Outdated Version Of protobuf-java #9264

Closed
mr1716 opened this issue Jun 12, 2022 · 3 comments · Fixed by #9311
Closed

GRPC Uses Outdated Version Of protobuf-java #9264

mr1716 opened this issue Jun 12, 2022 · 3 comments · Fixed by #9311
Milestone
1.48

Comments

@mr1716
Copy link

mr1716 commented Jun 12, 2022

What version of gRPC-Java are you using?

1.47.0

It looks like the version of protobuf-java used is outdated. It is version 3.19.2, and there are versions 3.19.4, 3.20.0, 3.20.1, 3.20.0, and 3.20.1 available that dont have vulnerabilities. Would it be possible to upgrade to one of these versions?
@ejona86
Copy link
Member

ejona86 commented Jun 13, 2022

What vulnerability is in protobuf-java 3.19.2? 3.19.3 and 3.19.4 didn't have any Java changes.

You are always able to upgrade the version of our dependencies (except for netty). So even in the case of a vulnerability in protobuf you don't have to wait for us. We do updates to help the ecosystem stop using the vulnerable version, though.

@mr1716
Copy link
Author

mr1716 commented Jun 13, 2022

@ejona86 I am just offering options to use. I am not the most familiar with the tool and which options would be best

@ejona86
Copy link
Member

ejona86 commented Jun 13, 2022

Is there a problem you are experiencing? Upgrading protobuf isn't a one-line change, but we do try to do it regularly.

@ejona86 ejona86 changed the title GRPC Uses Outdated And Vulnerable Version Of protobuf-java GRPC Uses Outdated Version Of protobuf-java Jun 16, 2022
@ejona86 ejona86 added this to the Next milestone Jun 24, 2022
ejona86 added a commit to ejona86/grpc-java that referenced this issue Jun 24, 2022
@ejona86
Bump protobuf to 3.21.1
0e0a189 
Fixes grpc#9264
@ejona86 ejona86 mentioned this issue Jun 24, 2022
Merged
ejona86 added a commit to ejona86/grpc-java that referenced this issue Jun 24, 2022
@ejona86
Bump protobuf to 3.21.1
a1899cc 
Fixes grpc#9264
ejona86 added a commit that referenced this issue Jun 30, 2022
@ejona86
Bump protobuf to 3.21.1 (#9311)
c079028 
Fixes #9264
ejona86 added a commit to ejona86/grpc-java that referenced this issue Jun 30, 2022
@ejona86
Bump protobuf to 3.21.1 (grpc#9311)
c46972d 
Fixes grpc#9264
@ejona86 ejona86 mentioned this issue Jun 30, 2022
Merged
ejona86 added a commit that referenced this issue Jul 7, 2022
@ejona86
Bump protobuf to 3.21.1 (#9311)
bc4b1ca 
Fixes #9264
@ejona86 ejona86 modified the milestones: Next, 1.48 Jul 22, 2022
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 21, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
1.48
Development

Successfully merging a pull request may close this issue.

Bump protobuf to 3.21.1 ejona86/grpc-java
2 participants
@ejona86 @mr1716