Skip to content

optimize: upgrade protobuf version from 3.25.4 to 3.25.5#7202

Merged
funky-eyes merged 5 commits intoapache:2.xfrom
s-ramyalakshmi:fix-dos-issue
Mar 12, 2025
Merged

optimize: upgrade protobuf version from 3.25.4 to 3.25.5#7202
funky-eyes merged 5 commits intoapache:2.xfrom
s-ramyalakshmi:fix-dos-issue

Conversation

@s-ramyalakshmi
Copy link
Contributor

@s-ramyalakshmi s-ramyalakshmi commented Mar 11, 2025

  • I have registered the PR changes.

Ⅰ. Describe what this PR did

Resolved potential Denial of Service issue of protobuf-java by upgrading the version from 3.25.4 to 3.25.5.

Ⅱ. Does this pull request fix one issue?

fixes #7201

Ⅲ. Why don't you add test cases (unit test/integration test)?

N/A

Ⅳ. Describe how to verify it

Ⅴ. Special notes for reviews

@funky-eyes funky-eyes added first-time contributor first-time contributor dependencies Pull requests that update a dependency file labels Mar 11, 2025
funky-eyes
funky-eyes reviewed Mar 11, 2025
View reviewed changes
changes/en-us/2.x.md Outdated
- [[#7150](https://github.com/apache/incubator-seata/pull/7150)] The time difference between the raft node and the follower node cannot synchronize data
- [[#7102](https://github.com/apache/incubator-seata/pull/7150)] bugfix: modify XA mode pre commit transaction from commit phase to before close phase
- [[#7188](https://github.com/apache/incubator-seata/pull/7188)] bugfix: Fix missing branchType in BusinessActionContext
- [[#7201](https://github.com/apache/incubator-seata/issues/7201)] bugfix: update protobuf.version from 3.25.4 to 3.25.5 to resolve potential DoS issue
Copy link
Contributor

@funky-eyes funky-eyes Mar 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this PR belongs to the security category. What do you think?
Thanks to these contributors for their code commits. Please report an unintended omission.

Copy link
Contributor Author

@s-ramyalakshmi s-ramyalakshmi Mar 11, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, that makes sense. I have updated the change log

Copy link
Member

@YongGoose YongGoose Mar 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IMHO, @funky-eyes ’ suggestion makes sense.

@s-ramyalakshmi
please add changes in below file too :)
https://github.com/apache/incubator-seata/blob/2.x/changes/zh-cn/2.x.md

Copy link
Contributor Author

@s-ramyalakshmi s-ramyalakshmi Mar 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@YongGoose Thanks for letting me know. I have added changes to zh-cn folder as well.

YongGoose
YongGoose approved these changes Mar 11, 2025
View reviewed changes
Copy link
Member

@YongGoose YongGoose left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM👍

xingfudeshi
xingfudeshi approved these changes Mar 11, 2025
View reviewed changes
Copy link
Member

@xingfudeshi xingfudeshi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@codecov
Copy link

codecov bot commented Mar 11, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 51.66%. Comparing base (151ea4f) to head (f15ae90).

Additional details and impacted files

Impacted file tree graph

@@             Coverage Diff              @@
##                2.x    #7202      +/-   ##
============================================
- Coverage     51.69%   51.66%   -0.03%     
+ Complexity     6841     6837       -4     
============================================
  Files          1169     1169              
  Lines         41585    41585              
  Branches       4871     4871              
============================================
- Hits          21496    21486      -10     
- Misses        18041    18050       +9     
- Partials       2048     2049       +1

see 4 files with indirect coverage changes

🚀 New features to boost your workflow:
  • Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

funky-eyes
funky-eyes reviewed Mar 11, 2025
View reviewed changes
slievrly
slievrly approved these changes Mar 11, 2025
View reviewed changes
Copy link
Member

@slievrly slievrly left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for your contribution! It's great to see Seata becoming a global open source community.

@slievrly slievrly changed the title bugfix: update protobuf.version from 3.25.4 to 3.25.5 to resolve potential DoS issue optimize: upgrade protobuf version from 3.25.4 to 3.25.5 Mar 11, 2025
@s-ramyalakshmi
Copy link
Contributor Author

s-ramyalakshmi commented Mar 11, 2025

Hi, Would rebuilding help in passing the check?

funky-eyes
funky-eyes approved these changes Mar 12, 2025
View reviewed changes
Copy link
Contributor

@funky-eyes funky-eyes left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@funky-eyes
Copy link
Contributor

funky-eyes commented Mar 12, 2025

If you're using the DingTalk app, please send your DingTalk account to my email at jianbin@apache.org, and I will invite you to join the Seata developer group

@funky-eyes funky-eyes merged commit ca270a7 into apache:2.x Mar 12, 2025
7 checks passed
@s-ramyalakshmi
Copy link
Contributor Author

s-ramyalakshmi commented Mar 13, 2025

If you're using the DingTalk app, please send your DingTalk account to my email at jianbin@apache.org, and I will invite you to join the Seata developer group

I have sent you an email. Thank you!

@slievrly slievrly added this to the 2.4.0 milestone Mar 15, 2025
@funky-eyes
Copy link
Contributor

funky-eyes commented Jun 13, 2025

If you're using the DingTalk app, please send your DingTalk account to my email at jianbin@apache.org, and I will invite you to join the Seata developer group

I have sent you an email. Thank you!

I apologize for the late reply, but I've searched through my inbox and couldn't find any email from you. I'm quite confused about this. Would you mind sending the email again?

slievrly pushed a commit to slievrly/fescar that referenced this pull request Oct 21, 2025
@s-ramyalakshmi
optimize: upgrade protobuf version from 3.25.4 to 3.25.5 (apache#7202)
9ad8c95
YvCeung pushed a commit to YvCeung/incubator-seata that referenced this pull request Dec 25, 2025
@s-ramyalakshmi
optimize: upgrade protobuf version from 3.25.4 to 3.25.5 (apache#7202)
2bdfe00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@slievrly slievrly slievrly approved these changes

@funky-eyes funky-eyes funky-eyes approved these changes

@xingfudeshi xingfudeshi xingfudeshi approved these changes

@YongGoose YongGoose YongGoose approved these changes

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file first-time contributor first-time contributor

Projects

None yet

Milestone

2.4.0

Development

Successfully merging this pull request may close these issues.

protobuf-java 3.25.4 has a CVE

5 participants

@s-ramyalakshmi @funky-eyes @slievrly @xingfudeshi @YongGoose