Merge pull request #2158 from ballerina-platform/update-protobuf-8.x

[2201.8.x] Address `CVE-2024-7254` vulnerability
ballerina-platform · Sep 25, 2024 · a43093d · a43093d
2 parents ab6060a + c374d69
commit a43093d
Show file tree

Hide file tree

Showing 5 changed files with 17 additions and 11 deletions.
diff --git a/ballerina/Ballerina.toml b/ballerina/Ballerina.toml
@@ -1,7 +1,7 @@
 [package]
 org = "ballerina"
 name = "http"
-version = "2.10.15"
+version = "2.10.16"
 authors = ["Ballerina"]
 keywords = ["http", "network", "service", "listener", "client"]
 repository = "https://github.com/ballerina-platform/module-ballerina-http"
@@ -16,8 +16,8 @@ graalvmCompatible = true
 [[platform.java17.dependency]]
 groupId = "io.ballerina.stdlib"
 artifactId = "http-native"
-version = "2.10.15"
-path = "../native/build/libs/http-native-2.10.15.jar"
+version = "2.10.16"
+path = "../native/build/libs/http-native-2.10.16-SNAPSHOT.jar"
 
 [[platform.java17.dependency]]
 groupId = "io.ballerina.stdlib"
@@ -169,5 +169,5 @@ path = "./lib/lz4-1.3.0.jar"
 [[platform.java17.dependency]]
 groupId = "com.google.protobufl"
 artifactId = "protobuf-java"
-version = "3.20.3"
-path = "./lib/protobuf-java-3.20.3.jar"
+version = "3.25.5"
+path = "./lib/protobuf-java-3.25.5.jar"
diff --git a/ballerina/CompilerPlugin.toml b/ballerina/CompilerPlugin.toml
@@ -3,4 +3,4 @@ id = "http-compiler-plugin"
 class = "io.ballerina.stdlib.http.compiler.HttpCompilerPlugin"
 
 [[dependency]]
-path = "../compiler-plugin/build/libs/http-compiler-plugin-2.10.15.jar"
+path = "../compiler-plugin/build/libs/http-compiler-plugin-2.10.16-SNAPSHOT.jar"
diff --git a/ballerina/Dependencies.toml b/ballerina/Dependencies.toml
@@ -25,7 +25,7 @@ modules = [
 [[package]]
 org = "ballerina"
 name = "cache"
-version = "3.7.0"
+version = "3.7.1"
 dependencies = [
 	{org = "ballerina", name = "constraint"},
 	{org = "ballerina", name = "jballerina.java"},
@@ -76,7 +76,7 @@ modules = [
 [[package]]
 org = "ballerina"
 name = "http"
-version = "2.10.15"
+version = "2.10.16"
 dependencies = [
 	{org = "ballerina", name = "auth"},
 	{org = "ballerina", name = "cache"},
@@ -108,7 +108,7 @@ modules = [
 [[package]]
 org = "ballerina"
 name = "io"
-version = "1.6.0"
+version = "1.6.1"
 dependencies = [
 	{org = "ballerina", name = "jballerina.java"},
 	{org = "ballerina", name = "lang.value"}
@@ -283,7 +283,7 @@ modules = [
 [[package]]
 org = "ballerina"
 name = "observe"
-version = "1.2.0"
+version = "1.2.3"
 dependencies = [
 	{org = "ballerina", name = "jballerina.java"}
 ]

diff --git a/changelog.md b/changelog.md
@@ -5,6 +5,12 @@ This file contains all the notable changes done to the Ballerina HTTP package th
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to 
 [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [Unreleased]
+
+### Fixed
+
+- [Address CVE-2024-7254 vulnerability](https://github.com/ballerina-platform/ballerina-library/issues/7013)
+
 ## [2.10.15] - 2024-07-24
 
 ### Fixed

diff --git a/gradle.properties b/gradle.properties
@@ -21,7 +21,7 @@ mockitoVersion=5.3.1
 gsonVersion=2.7
 lz4Version=1.3.0
 marshallingVersion=2.0.5.Final
-protobufVersion=3.20.3
+protobufVersion=3.25.5
 jacocoVersion=0.8.10
 
 stdlibIoVersion=1.6.0