Merge pull request #2156 from ballerina-platform/update-protobuf-9.x

[2201.9.x] Address `CVE-2024-7254` vulnerability
ballerina-platform · Sep 25, 2024 · e4114bd · e4114bd
2 parents 1b94eff + 4b5f1f8
commit e4114bd
Show file tree

Hide file tree

Showing 5 changed files with 8 additions and 7 deletions.
diff --git a/.github/workflows/build-with-bal-test-graalvm.yml b/.github/workflows/build-with-bal-test-graalvm.yml
@@ -6,7 +6,7 @@ on:
             lang_tag:
                 description: Branch/Release Tag of the Ballerina Lang
                 required: true
-                default: master
+                default: 2201.9.x
             lang_version:
                 description: Ballerina Lang Version (If given ballerina lang buid will be skipped)
                 required: false
@@ -41,7 +41,7 @@ jobs:
         if: ${{ github.event_name != 'schedule' || (github.event_name == 'schedule' && github.repository_owner == 'ballerina-platform') }}
         uses: ballerina-platform/ballerina-library/.github/workflows/build-with-bal-test-graalvm-template.yml@main
         with:
-            lang_tag: ${{ inputs.lang_tag }}
+            lang_tag: ${{ inputs.lang_tag || '2201.9.x' }}
             lang_version: ${{ inputs.lang_version }}
             native_image_options: '-J-Xmx7G ${{ inputs.native_image_options }}'
             additional_ubuntu_build_flags: '-x :http-native:test -x :http-compiler-plugin-tests:test ${{ inputs.build_properties }}'

diff --git a/ballerina/Ballerina.toml b/ballerina/Ballerina.toml
@@ -169,5 +169,5 @@ path = "./lib/lz4-1.3.0.jar"
 [[platform.java17.dependency]]
 groupId = "com.google.protobufl"
 artifactId = "protobuf-java"
-version = "3.20.3"
-path = "./lib/protobuf-java-3.20.3.jar"
+version = "3.25.5"
+path = "./lib/protobuf-java-3.25.5.jar"
diff --git a/ballerina/Dependencies.toml b/ballerina/Dependencies.toml
@@ -10,7 +10,7 @@ distribution-version = "2201.9.0"
 [[package]]
 org = "ballerina"
 name = "auth"
-version = "2.11.0"
+version = "2.11.2"
 dependencies = [
 	{org = "ballerina", name = "crypto"},
 	{org = "ballerina", name = "jballerina.java"},
@@ -108,7 +108,7 @@ modules = [
 [[package]]
 org = "ballerina"
 name = "io"
-version = "1.6.0"
+version = "1.6.1"
 dependencies = [
 	{org = "ballerina", name = "jballerina.java"},
 	{org = "ballerina", name = "lang.value"}

diff --git a/changelog.md b/changelog.md
@@ -10,6 +10,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 ### Fixed
 
 - [Fix cookie path resolution logic](https://github.com/ballerina-platform/ballerina-library/issues/6788)
+- [Address CVE-2024-7254 vulnerability](https://github.com/ballerina-platform/ballerina-library/issues/7013)
 
 ## [2.11.3] - 2024-07-24
 

diff --git a/gradle.properties b/gradle.properties
@@ -21,7 +21,7 @@ mockitoVersion=5.3.1
 gsonVersion=2.7
 lz4Version=1.3.0
 marshallingVersion=2.0.5.Final
-protobufVersion=3.20.3
+protobufVersion=3.25.5
 jacocoVersion=0.8.10
 
 stdlibIoVersion=1.6.0