Posted to dev@tuweni.apache.org by Stefan Pingel <st...@consensys.net.INVALID> on 2022/03/02 06:59:37 UTC

CVE-2018-18928

Hi Devs,
a user of Hyperledger Besu notified us that one of the dependencies of
Tuweni (tuweni-toml) uses icu4j version 61.1, which has a vulnerability (
CVE-2018-18928). The tuweni dependency is antlr4 version 4.7.1. antlr4
version 4.9.3 is available (
https://mvnrepository.com/artifact/org.antlr/antlr4/4.9.3) which uses a
newer version of icu4j.
Would it be possible to get this updated and released please?

Thank you,
Stefan

Senior Protocol Engineer

stefan.pingel@consensys.net | Brisbane, Australia
We're Hiring <https://grnh.se/1f9e9cdf1us> |
https://www.linkedin.com/in/stefan-pingel//

Re: CVE-2018-18928

Posted by Antoine Toulme <an...@toulme.name>.
Sure, please open an issue on https://github.com/apache/incubator-tuweni/issues and send a patch.

Cheers!

Antoine



Fwd: CVE-2018-18928

Posted by Stefan Pingel <st...@consensys.net.INVALID>.
Hi Devs,
I have created an Issue (
https://github.com/apache/incubator-tuweni/issues/373) and a PR (
https://github.com/apache/incubator-tuweni/pull/374) to fix the issue.
I'd really appreciate it if we could merge that PR and then create a patch
release to get that fixed.

Thank you, Stefan

Senior Protocol Engineer

stefan.pingel@consensys.net | Brisbane, Australia
We're Hiring <https://grnh.se/1f9e9cdf1us> |
https://www.linkedin.com/in/stefan-pingel//

