Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(cactus-connector-besu): mitigate CVE-2022-24434 and CVE-2022-24999 #2241

Closed
wants to merge 1 commit into from
Closed

fix(cactus-connector-besu): mitigate CVE-2022-24434 and CVE-2022-24999 #2241

wants to merge 1 commit into from

Conversation

aldousalvarez
Copy link
Contributor

Fixes #2040

Signed-off-by: aldousalvarez [email protected]

@aldousalvarez
Copy link
Contributor Author

aldousalvarez commented Dec 23, 2022
edited
Loading

Hello @petermetz , Most of the vulnerabilities are now fixed in cactus-plugin-ledger-connector-besu but there are still some that is not yet fixed as you can see here. The only vulnerability (CVE-2022-2421) is still a vulnerability because the latest version of the package that is being used is still the affected version. The changes committed on this PR will fix the 3 out of the 4 remaining vulnerabilities (CVE-2022-24434, CVE-2022-24999, and CVE-2022-24999) once the changes are applied and the new version is released and the packages are updated just like the v1.1 release.

@aldousalvarez aldousalvarez force-pushed the aldousalvarez/issue2040 branch from 03b760d to 67f7c48 Compare December 23, 2022 10:13
petermetz
petermetz requested changes Dec 24, 2022
View reviewed changes
Copy link
Contributor

@petermetz petermetz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@aldousalvarez A dozen or so packages have their tests failing so I'm thinking this is probably not a flake but an actual regression. Please fix and then pass it back for review once the tests are passing.

@aldousalvarez aldousalvarez force-pushed the aldousalvarez/issue2040 branch 4 times, most recently from 74ce012 to 6973b08 Compare January 4, 2023 09:38
@aldousalvarez aldousalvarez requested review from petermetz and removed request for sandeepnRES, jagpreetsinghsasan, takeutak and izuru0 January 11, 2023 04:46
@aldousalvarez aldousalvarez force-pushed the aldousalvarez/issue2040 branch from 6973b08 to ce63556 Compare February 1, 2023 06:42
@ruzell22 ruzell22 mentioned this pull request Mar 15, 2023
Merged
petermetz
petermetz requested changes Mar 27, 2023
View reviewed changes
Copy link
Contributor

@petermetz petermetz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@aldousalvarez Same here as with the other vulnerability fix PR Of yours, please clarify the CVE ID in the commit subject and PR title and then we should be good to go.

ruzell22 added a commit to ruzell22/cactus that referenced this pull request Mar 28, 2023
@ruzell22
fix(security): vulnerabilities found in cactus-cmd-api-server hyperle…
652b6f2 
…dger-cacti#2039

fixes: hyperledger-cacti#2039

related to: hyperledger-cacti#2241

Verified that these changes will fix the vulnerabilities in
cactus-cmd-api-server in addition to the following CVE IDs:
- CVE-2022-24434
- CVE-2022-24999 (express)
- CVE-2022-24999 (qs)

Signed-off-by: ruzell22 <[email protected]>
ruzell22 added a commit to ruzell22/cactus that referenced this pull request Mar 28, 2023
@ruzell22
fix(security): vulnerabilities found in cactus-cmd-api-server hyperle…
495098a 
…dger-cacti#2039 - fix CVE-2022-24434 and CVE-2022-24999

fixes: hyperledger-cacti#2039

related to: hyperledger-cacti#2241

Verified that these changes will fix the vulnerabilities in
cactus-cmd-api-server in addition to the following CVE IDs:
- CVE-2022-24434
- CVE-2022-24999 (express)
- CVE-2022-24999 (qs)

Signed-off-by: ruzell22 <[email protected]>
ruzell22 added a commit to ruzell22/cactus that referenced this pull request Mar 29, 2023
@ruzell22
fix(cmd-api-server): mitigate CVE-2022-24434 and CVE-2022-24999 hyper…
599676c 
…ledger-cacti#2039

fixes: hyperledger-cacti#2039

related to: hyperledger-cacti#2241

Verified that these changes will fix the vulnerabilities in
cactus-cmd-api-server in addition to the following CVE IDs:
- CVE-2022-24434
- CVE-2022-24999 (express)
- CVE-2022-24999 (qs)

Signed-off-by: ruzell22 <[email protected]>
@aldousalvarez aldousalvarez force-pushed the aldousalvarez/issue2040 branch from ce63556 to c86a61f Compare March 29, 2023 03:19
@aldousalvarez aldousalvarez changed the title fix(security): vulnerabilities found in cactus-connector-besu fix(cactus-connector-besu): mitigate CVE-2022-24434 and CVE-2022-24999 Mar 29, 2023
@aldousalvarez
Copy link
Contributor Author

Hello @petermetz already updated the commit subject and PR title as to your requested changes. Thank you.

@petermetz petermetz self-assigned this Mar 29, 2023
petermetz
petermetz approved these changes Mar 29, 2023
View reviewed changes
Copy link
Contributor

@petermetz petermetz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@aldousalvarez Thank you for the updates, LGTM!

ryjones pushed a commit to ruzell22/cactus that referenced this pull request Mar 29, 2023
@ruzell22 @ryjones
fix(cmd-api-server): mitigate CVE-2022-24434 and CVE-2022-24999 hyper…
c06c54f 
…ledger-cacti#2039

fixes: hyperledger-cacti#2039

related to: hyperledger-cacti#2241

Verified that these changes will fix the vulnerabilities in
cactus-cmd-api-server in addition to the following CVE IDs:
- CVE-2022-24434
- CVE-2022-24999 (express)
- CVE-2022-24999 (qs)

Signed-off-by: ruzell22 <[email protected]>
petermetz pushed a commit to ruzell22/cactus that referenced this pull request Apr 3, 2023
@ruzell22 @petermetz
fix(cmd-api-server): mitigate CVE-2022-24434 and CVE-2022-24999 hyper…
1cc9667 
…ledger-cacti#2039

fixes: hyperledger-cacti#2039

related to: hyperledger-cacti#2241

Verified that these changes will fix the vulnerabilities in
cactus-cmd-api-server in addition to the following CVE IDs:
- CVE-2022-24434
- CVE-2022-24999 (express)
- CVE-2022-24999 (qs)

Co-authored-by: Peter Somogyvari <[email protected]>

Signed-off-by: ruzell22 <[email protected]>
Signed-off-by: Peter Somogyvari <[email protected]>
charellesandig pushed a commit to charellesandig/cactus that referenced this pull request Apr 4, 2023
@ruzell22 @charellesandig
fix(cmd-api-server): mitigate CVE-2022-24434 and CVE-2022-24999 hyper…
27a657f 
…ledger-cacti#2039

fixes: hyperledger-cacti#2039

related to: hyperledger-cacti#2241

Verified that these changes will fix the vulnerabilities in
cactus-cmd-api-server in addition to the following CVE IDs:
- CVE-2022-24434
- CVE-2022-24999 (express)
- CVE-2022-24999 (qs)

Co-authored-by: Peter Somogyvari <[email protected]>

Signed-off-by: ruzell22 <[email protected]>
Signed-off-by: Peter Somogyvari <[email protected]>
@aldousalvarez
fix(cactus-connector-besu): mitigate CVE-2022-24434 and CVE-2022-24999
6df4b7b 
Fixes hyperledger-cacti#2040

These changes will fix the following
vulnerabilities with their CVE IDs:
- CVE-2022-24434
- CVE-2022-24999 (express)
- CVE-2022-24999 (qs)

Signed-off-by: aldousalvarez <[email protected]>
@aldousalvarez aldousalvarez force-pushed the aldousalvarez/issue2040 branch from 2ffe185 to 6df4b7b Compare April 5, 2023 10:41
@aldousalvarez
Copy link
Contributor Author

Hello @petermetz, After rebasing with the latest commit I have seen that my initial commit was already fixed by the new commits that has been merged so I have no more changes that can be applied.

Initial Commit
ce63556

Merged Commits:
d28d5e8
1cc9667

@aldousalvarez aldousalvarez reopened this Apr 11, 2023
@petermetz
Copy link
Contributor

Hello @petermetz, After rebasing with the latest commit I have seen that my initial commit was already fixed by the new commits that has been merged so I have no more changes that can be applied.

Initial Commit ce63556

Merged Commits: d28d5e8 1cc9667

@aldousalvarez Got it, thank you for double checking! Closing this as redundant then!

@petermetz petermetz closed this Apr 12, 2023
charellesandig pushed a commit to charellesandig/cactus that referenced this pull request Apr 13, 2023
@ruzell22 @charellesandig
fix(cmd-api-server): mitigate CVE-2022-24434 and CVE-2022-24999 hyper…
93e35df 
…ledger-cacti#2039

fixes: hyperledger-cacti#2039

related to: hyperledger-cacti#2241

Verified that these changes will fix the vulnerabilities in
cactus-cmd-api-server in addition to the following CVE IDs:
- CVE-2022-24434
- CVE-2022-24999 (express)
- CVE-2022-24999 (qs)

Co-authored-by: Peter Somogyvari <[email protected]>

Signed-off-by: ruzell22 <[email protected]>
Signed-off-by: Peter Somogyvari <[email protected]>
charellesandig pushed a commit to charellesandig/cactus that referenced this pull request Apr 13, 2023
@ruzell22 @charellesandig
fix(cmd-api-server): mitigate CVE-2022-24434 and CVE-2022-24999 hyper…
f56318a 
…ledger-cacti#2039

fixes: hyperledger-cacti#2039

related to: hyperledger-cacti#2241

Verified that these changes will fix the vulnerabilities in
cactus-cmd-api-server in addition to the following CVE IDs:
- CVE-2022-24434
- CVE-2022-24999 (express)
- CVE-2022-24999 (qs)

Co-authored-by: Peter Somogyvari <[email protected]>

Signed-off-by: ruzell22 <[email protected]>
Signed-off-by: Peter Somogyvari <[email protected]>
charellesandig pushed a commit to charellesandig/cactus that referenced this pull request Apr 20, 2023
@ruzell22 @charellesandig
fix(cmd-api-server): mitigate CVE-2022-24434 and CVE-2022-24999 hyper…
fc7702f 
…ledger-cacti#2039

fixes: hyperledger-cacti#2039

related to: hyperledger-cacti#2241

Verified that these changes will fix the vulnerabilities in
cactus-cmd-api-server in addition to the following CVE IDs:
- CVE-2022-24434
- CVE-2022-24999 (express)
- CVE-2022-24999 (qs)

Co-authored-by: Peter Somogyvari <[email protected]>

Signed-off-by: ruzell22 <[email protected]>
Signed-off-by: Peter Somogyvari <[email protected]>
charellesandig pushed a commit to charellesandig/cactus that referenced this pull request May 2, 2023
@ruzell22 @charellesandig
fix(cmd-api-server): mitigate CVE-2022-24434 and CVE-2022-24999 hyper…
03c81a8 
…ledger-cacti#2039

fixes: hyperledger-cacti#2039

related to: hyperledger-cacti#2241

Verified that these changes will fix the vulnerabilities in
cactus-cmd-api-server in addition to the following CVE IDs:
- CVE-2022-24434
- CVE-2022-24999 (express)
- CVE-2022-24999 (qs)

Co-authored-by: Peter Somogyvari <[email protected]>

Signed-off-by: ruzell22 <[email protected]>
Signed-off-by: Peter Somogyvari <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@petermetz petermetz petermetz approved these changes

@VRamakrishna VRamakrishna Awaiting requested review from VRamakrishna VRamakrishna is a code owner

@takeutak takeutak Awaiting requested review from takeutak takeutak is a code owner

@izuru0 izuru0 Awaiting requested review from izuru0 izuru0 is a code owner

@sandeepnRES sandeepnRES Awaiting requested review from sandeepnRES sandeepnRES is a code owner

@jagpreetsinghsasan jagpreetsinghsasan Awaiting requested review from jagpreetsinghsasan jagpreetsinghsasan is a code owner

Assignees

@petermetz petermetz

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

fix(security): vulnerabilities found in cactus-connector-besu
2 participants
@aldousalvarez @petermetz