Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Vulnerabilities referenced in version 7 #1798

Open
OODesigns opened this issue Feb 7, 2024 · 7 comments
Open

Vulnerabilities referenced in version 7 #1798

OODesigns opened this issue Feb 7, 2024 · 7 comments

Comments

@OODesigns
Copy link

Hi
Looking @ version 7 and there are two Vulnerabilities

Vulnerabilities from dependencies:
CVE-2023-2976
CVE-2020-8908

Can these be addressed?
talks about "access to the machine". I always assume if that is the case you are already Vulnerable.

@andrejgasteovski
Copy link

This problem was resolved more than one year ago, when dependabot updated the Guava version to 32.0.0-jre. Currently, on master it's 33.0.0-jre, but there's still not a new Guice version.

@TehBrian
Copy link

Are there any plans for a small release (7.0.1 or 7.1.0) to bump insecure dependencies?

@winne42
Copy link

winne42 commented Aug 19, 2024

Hey @sameb , @mcculls , @cpovirk et al., I am also very interested in a "maintenance release" with CVE-free dependencies. Any change we get a 7.0.1 or 7.1.0 release soon?

@andrejgasteovski
Copy link

Hi,

You should be able to solve the problem by overriding the Guava version used by Guice. Exclude the Guava dependency from Guice using and then add a separate Guava dependency with a version that does not have vulnerabilities.

@winne42
Copy link

winne42 commented Aug 19, 2024

@andrejgasteovski Yes, this is our current workaround. But it is still additional effort that needs to be done by all users of Guice and in my particular case in a regulated environment this measure also has a paper trail...

@TehBrian
Copy link

@andrejgasteovski I agree with @winne42. The cost of releasing a new version seems small to me relative to that of requiring every single project using Guice (dozens of thousands) to configure their build tool to override a dependency.

@cfrank
Copy link

cfrank commented Sep 25, 2024

Workaround as discussed in the thread above:

gradle/libs.versions.toml

[versions]
guava = { strictly = "33.3.1-jre" }
guice  = "7.0.0"

[libraries]
guava = { module = "com.google.guava:guava", version.ref = "guava" }
guice = { module = "com.google.inject:guice", version.ref = "guice" }

But agree with the general sentiment shared above that a patch version of guice would be a more user friendly way to solve this issue.

cfrank added a commit to Open592/file-server that referenced this issue Sep 25, 2024
ref: google/guice#1798

Signed-off-by: Open592 Developer <uss@open592.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

5 participants