Protobuf with potential Denial of Service (CVE-2024-7254)
sbt-protobuf 0.8.1 updates protobuf-java library to 3.25.5 to address CVE-2024-7254 / GHSA-735f-pc8j-v9w8, which states that while parsing unknown fields in the Protobuf Java library, a maliciously crafted message can cause a StackOverflow error.
- Update protobuf-java to 3.25.5 by @scala-steward-bot in #200
behind the scene
- refactor: Use string interpolation instead of `format` method by @xuwei-k in #207
- deps: Update scala-library to 2.12.20 by @scala-steward-bot in #197
- ci: Update sbt, scripted-plugin to 1.10.3 by @scala-steward-bot in #208
- ci: Update sbt-ci-release to 1.8.0 by @scala-steward-bot in #205
- ci: Pin protobuf-java to 3.x for now by @eed3si9n in #209
- ci: Add setup-sbt by @eed3si9n in #206
- ci: Update sbt-nocomma to 0.1.2 by @scala-steward-bot in #203
Full Changelog: v0.8.0...v0.8.1