Skip to content

Vulnerability with prost (a libp2p dependency) #2443

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
paulhauner opened this issue Jul 9, 2021 · 2 comments
Closed

Vulnerability with prost (a libp2p dependency) #2443

paulhauner opened this issue Jul 9, 2021 · 2 comments
Labels
blocked security v1.5.0 For inclusion in v1.5.0 release

Comments

@paulhauner
Copy link
Member

Description

In #2436 I've ignored the following cargo audit vuln: https://github.com/libp2p/rust-libp2p/blob/master/core/Cargo.toml

We need to upgrade to prost >= 0.8.0 to resolve this vuln, however lip2p is still on 0.7: https://github.com/libp2p/rust-libp2p/blob/master/core/Cargo.toml

Steps to resolve

  1. Wait for libp2p to update.
  2. Remove the ignore from CI.
@mxinden
Copy link

mxinden commented Aug 9, 2021

@paulhauner rust-libp2p v0.39.1 uses prost v0.8:

https://github.com/libp2p/rust-libp2p/blob/b814231251a707f8efdff6b4a74019a7635ac470/core/Cargo.toml#L28

@paulhauner paulhauner added the v1.5.0 For inclusion in v1.5.0 release label Aug 9, 2021
@paulhauner paulhauner mentioned this issue Aug 12, 2021
Closed
bors bot pushed a commit that referenced this issue Aug 12, 2021
@paulhauner
Bump libp2p to address inconsistency in mesh peer tracking (#2493)
4af6fcf 
## Issue Addressed

- Resolves #2457
- Resolves #2443

## Proposed Changes

Target the (presently unreleased) head of `libp2p/rust-libp2p:master` in order to obtain the fix from libp2p/rust-libp2p#2175.

Additionally:

- `libsecp256k1` needed to be upgraded to satisfy the new version of `libp2p`.
- There were also a handful of minor changes to `eth2_libp2p` to suit some interface changes.
- Two `cargo audit --ignore` flags were remove due to libp2p upgrades.

## Additional Info
 
 NA
@paulhauner
Copy link
Member Author

Resolved via #2493

pawanjay176 pushed a commit to pawanjay176/lighthouse that referenced this issue Aug 27, 2021
@paulhauner @pawanjay176
Bump libp2p to address inconsistency in mesh peer tracking (sigp#2493)
b3fe09d 
## Issue Addressed

- Resolves sigp#2457
- Resolves sigp#2443

## Proposed Changes

Target the (presently unreleased) head of `libp2p/rust-libp2p:master` in order to obtain the fix from libp2p/rust-libp2p#2175.

Additionally:

- `libsecp256k1` needed to be upgraded to satisfy the new version of `libp2p`.
- There were also a handful of minor changes to `eth2_libp2p` to suit some interface changes.
- Two `cargo audit --ignore` flags were remove due to libp2p upgrades.

## Additional Info
 
 NA
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
blocked security v1.5.0 For inclusion in v1.5.0 release
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@paulhauner @mxinden