@daymxn daymxn commented Oct 3, 2024

Per b/371058443,

This bumps our protobuf deps to 3.25.5 to address CVE-2024-7254.

All relevant libraries should have a changelog attached, unless I missed any.

This PR also fixes the following:

  • b/371223043 -> Migrate protobuf deps to version catalog

Fixes #6336

@daymxn daymxn self-assigned this Oct 3, 2024
github-actions bot commented Oct 3, 2024

Release note changes

The following release notes were modified. Please ensure they look correct.

Release Notes

firebase-config

### {{remote_config}} version 22.0.1 {: #remote-config_v22-0-1}

* {{changed}} Updated protobuf dependency to `3.25.5` to fix
  [CVE-2024-7254](https://github.com/advisories/GHSA-735f-pc8j-v9w8).

#### {{remote_config}} Kotlin extensions version 22.0.1 {: #remote-config-ktx_v22-0-1}

The Kotlin extensions library transitively includes the updated
`firebase-config` library. The Kotlin extensions library has no additional
updates.

firebase-crashlytics

### {{crashlytics}} version 19.2.1 {: #crashlytics_v19-2-1}

* {{changed}} Updated protobuf dependency to `3.25.5` to fix
  [CVE-2024-7254](https://github.com/advisories/GHSA-735f-pc8j-v9w8).

#### {{crashlytics}} Kotlin extensions version 19.2.1 {: #crashlytics-ktx_v19-2-1}

The Kotlin extensions library transitively includes the updated
`firebase-crashlytics` library. The Kotlin extensions library has no additional
updates.

firebase-dataconnect

### {{firebase_data_connect}} version 16.0.0-beta02 {: #dataconnect_v16-0-0-beta02}

* {{changed}} Updated protobuf dependency to `3.25.5` to fix
  [CVE-2024-7254](https://github.com/advisories/GHSA-735f-pc8j-v9w8).

firebase-firestore

### {{firestore}} version 25.1.1 {: #firestore_v25-1-1}

* {{changed}} Updated protobuf dependency to `3.25.5` to fix
  [CVE-2024-7254](https://github.com/advisories/GHSA-735f-pc8j-v9w8).

#### {{firestore}} Kotlin extensions version 25.1.1 {: #firestore-ktx_v25-1-1}

The Kotlin extensions library transitively includes the updated
`firebase-firestore` library. The Kotlin extensions library has no additional
updates.

firebase-inappmessaging-display

### {{inappmessaging}} Display version 21.0.1 {: #inappmessaging-display_v21-0-1}

* {{changed}} Updated protobuf dependency to `3.25.5` to fix
  [CVE-2024-7254](https://github.com/advisories/GHSA-735f-pc8j-v9w8).

#### {{inappmessaging}} Display Kotlin extensions version 21.0.1 {: #inappmessaging-display-ktx_v21-0-1}

The Kotlin extensions library transitively includes the updated
`firebase-inappmessaging-display` library. The Kotlin extensions library has no additional
updates.

firebase-inappmessaging

### {{inappmessaging}} version 21.0.1 {: #inappmessaging_v21-0-1}

* {{changed}} Updated protobuf dependency to `3.25.5` to fix
  [CVE-2024-7254](https://github.com/advisories/GHSA-735f-pc8j-v9w8).

#### {{inappmessaging}} Kotlin extensions version 21.0.1 {: #inappmessaging-ktx_v21-0-1}

The Kotlin extensions library transitively includes the updated
`firebase-inappmessaging` library. The Kotlin extensions library has no additional
updates.

firebase-messaging

### {{messaging_longer}} version 24.0.3 {: #messaging_v24-0-3}

* {{changed}} Updated protobuf dependency to `3.25.5` to fix
  [CVE-2024-7254](https://github.com/advisories/GHSA-735f-pc8j-v9w8).

#### {{messaging_longer}} Kotlin extensions version 24.0.3 {: #messaging-ktx_v24-0-3}

The Kotlin extensions library transitively includes the updated
`firebase-messaging` library. The Kotlin extensions library has no additional
updates.

firebase-ml-modeldownloader

### {{firebase_ml}} version 25.0.1 {: #firebaseml-modeldownloader_v25-0-1}

* {{changed}} Updated protobuf dependency to `3.25.5` to fix
  [CVE-2024-7254](https://github.com/advisories/GHSA-735f-pc8j-v9w8).

#### {{firebase_ml}} Kotlin extensions version 25.0.1 {: #firebaseml-modeldownloader-ktx_v25-0-1}

The Kotlin extensions library transitively includes the updated
`firebase-ml-modeldownloader` library. The Kotlin extensions library has no additional
updates.

firebase-perf

### {{perfmon}} version 21.0.2 {: #performance_v21-0-2}

* {{changed}} Updated protobuf dependency to `3.25.5` to fix
  [CVE-2024-7254](https://github.com/advisories/GHSA-735f-pc8j-v9w8).

#### {{perfmon}} Kotlin extensions version 21.0.2 {: #performance-ktx_v21-0-2}

The Kotlin extensions library transitively includes the updated
`firebase-perf` library. The Kotlin extensions library has no additional
updates.

The following had changelogs that were modified, but did not have any unreleased entries for release notes to generate from.

Changelogs

encoders:firebase-encoders-proto
transport:transport-backend-cct
transport:transport-runtime

github-actions bot commented Oct 3, 2024

Unit Test Results

  1 018 files  ±0    1 018 suites  ±0   37m 15s ⏱️ +12s
  5 805 tests ±0    5 783 ✔️ ±0  22 💤 ±0  0 ±0 
11 695 runs  ±0  11 651 ✔️ ±0  44 💤 ±0  0 ±0 

Results for commit 06da479. ± Comparison against base commit 7083c1d.

♻️ This comment has been updated with latest results.

@daymxn daymxn requested a review from rlazo October 4, 2024 17:23
github-actions bot commented Oct 4, 2024

Test Results

 1 022 files  +   974   1 022 suites  +974   36m 13s ⏱️ + 34m 47s
 5 809 tests + 5 331   5 787 ✅ + 5 310  22 💤 +21  0 ❌ ±0 
11 703 runs  +10 747  11 659 ✅ +10 705  44 💤 +42  0 ❌ ±0 

Results for commit 4881b82. ± Comparison against base commit b49d448.

♻️ This comment has been updated with latest results.

rlazo and others added 7 commits October 7, 2024 10:45
@daymxn daymxn merged commit 065c732 into main Oct 10, 2024
258 of 260 checks passed
@daymxn daymxn deleted the daymon-bump-protobuf branch October 10, 2024 18:25
@daymxn daymxn mentioned this pull request Oct 14, 2024
daymxn added a commit that referenced this pull request Oct 15, 2024
Per [b/373458620](https://b.corp.google.com/issues/373458620),

This PR adds changelogs that were missing from #6343 due to library
groups.
@rlazo rlazo mentioned this pull request Oct 30, 2024
@firebase firebase locked and limited conversation to collaborators Nov 10, 2024
Development

Successfully merging this pull request may close these issues.

protobuf-javalite version 3.21.11 contains a high-severity CVE