Hey team,
Several of the dependencies pulled in by the dataplane library that are used to build, test, or otherwise execute as part of the B&A or KV build process currently include known vulnerabilities. While these are low-risk given the nature of the libraries usage and tools in the build process there are patches and fixes in these dependencies available.
We have created PRs to aide with easy to review/merge patches to bump these dependencies while validating existing functionality still builds and runs along with checked in test coverage. Can you please review/merge these PRs and merge or add comments as appropriate? We are happy address any feedback in a timely manner or change the approach if it is desired. If you have guidance/insight into how better to contribute or where pain points may be in accepting contributions from developers already covered by a Google CLA please advise.
Open PRs with Fixes:
privacysandbox/data-plane-shared-libraries#12
Fixes CVE-2024-41110 - https://nvd.nist.gov/vuln/detail/CVE-2024-41110
privacysandbox/data-plane-shared-libraries#13
Fixes CVE-2023-36665 - https://nvd.nist.gov/vuln/detail/CVE-2023-36665
privacysandbox/data-plane-shared-libraries#14
Fixes CVE-2024-41110 - https://nvd.nist.gov/vuln/detail/CVE-2024-41110
CC: @chatterjee-priyanka @michaelkleber
Thanks!
Hey team,
Several of the dependencies pulled in by the dataplane library that are used to build, test, or otherwise execute as part of the B&A or KV build process currently include known vulnerabilities. While these are low-risk given the nature of the libraries usage and tools in the build process there are patches and fixes in these dependencies available.
We have created PRs to aide with easy to review/merge patches to bump these dependencies while validating existing functionality still builds and runs along with checked in test coverage. Can you please review/merge these PRs and merge or add comments as appropriate? We are happy address any feedback in a timely manner or change the approach if it is desired. If you have guidance/insight into how better to contribute or where pain points may be in accepting contributions from developers already covered by a Google CLA please advise.
Open PRs with Fixes:
privacysandbox/data-plane-shared-libraries#12
Fixes CVE-2024-41110 - https://nvd.nist.gov/vuln/detail/CVE-2024-41110
privacysandbox/data-plane-shared-libraries#13
Fixes CVE-2023-36665 - https://nvd.nist.gov/vuln/detail/CVE-2023-36665
privacysandbox/data-plane-shared-libraries#14
Fixes CVE-2024-41110 - https://nvd.nist.gov/vuln/detail/CVE-2024-41110
CC: @chatterjee-priyanka @michaelkleber
Thanks!