FR: Update nanopb because of security finding #5191

Closed
karlkaminski opened this issue Mar 25, 2020 · 4 comments · Fixed by #4264

Comments

@karlkaminski

Feature proposal

  • Firebase Component: Core

In our project we use WhiteSource to find security issues in the code.
We got a security finding in the nanopb library in the newest Firebase 6.21.0
https://nvd.nist.gov/vuln/detail/CVE-2020-5235

Could you please update to a nanopb version that fixed this security issue?

Thank you

@paulb777
Member

paulb777 commented Mar 25, 2020

@karlkaminski Thanks for the report. Our nanopb migration is currently pending migrating the Firestore gRPC dependency from a nanopb-dependent version. See #4312.

Once that happens, we'll move the Firebase nanopb version forward.

@tereznikov

@paulb777 What is the approximate estimate for merging #4312?
We also use WhiteSource and saw the issue with nanopb.

@paulb777
Member

paulb777 commented Apr 7, 2020

@tereznikov We don't make commitments about future releases, but will work on the nanopb update in the next month or two.

@paulb777
Member

Now that #4312 has landed, I'm going to pick up the nanopb update project again and try to get it into the next release.

@paulb777 paulb777 added this to the M70 milestone Apr 22, 2020
@paulb777 paulb777 self-assigned this Apr 22, 2020
@firebase firebase locked and limited conversation to collaborators May 28, 2020