CVE-2015-5237 in protobuf #392
Comments
|
Since this dependency doesn’t get used in production mode but only during build time and development runtime I’d say not affected
…Sent from my iPhone
On Oct 10, 2018, at 6:35 AM, Robert Oschwald ***@***.***> wrote:
grails-asset-pipeline 2.14.1.1 uses closure-compiler-unshaded:v20160713, which has a dependency to protobuf-2.5.0. This got CVE-2015-5237.
This CVE was fixed in protobuf-3.4.0 which we can't use, as closure-compiler-unshaded:v20170806 is the last version for Java7.
So question is: Is grails-asset-pipeline affected by the buffer overflow flaw in protobuf? If not, maybe a note in the README would be great.
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub, or mute the thread.
|
|
At leased it gets bundled in the war file. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
grails-asset-pipeline 2.14.1.1 uses closure-compiler-unshaded:v20160713, which has a dependency to protobuf-2.5.0. This got CVE-2015-5237.
This CVE was fixed in protobuf-3.4.0 which we can't use, as closure-compiler-unshaded:v20170806 is the last version for Java7.
So question is: Is grails-asset-pipeline affected by the buffer overflow flaw in protobuf? If not, maybe a note in the README would be great.
The text was updated successfully, but these errors were encountered: