Closed gord0b closed 2 years ago
Hi team, I see v1.4.0 was recently released but didn't include a fix for this vulnerability. Pls advise @NoahZinsmeister - thx
We are not affected by the bug in that version since it affects only the TimelockController contract which is not used in this repo
Thanks for the reply, the vulnerable dependency is listed in package.json. If not utilized, update or remove?
https://github.com/Uniswap/v3-periphery/blob/main/package.json. "dependencies": { "@openzeppelin/contracts": "3.4.1-solc-0.7-2",
We use other code in the dependency, just not the code with the bug. Might still be worth updating just because others might depend on periphery and then import the vulnerable OZ contract from the OZ dependency of v3-periphery, but it's not urgent (dependent contracts should use their own version of OZ)
Patched version 3.4.2-solc-0.7, which fixes a critical vulnerability, is not included in the latest version: https://github.com/Uniswap/v3-periphery/blob/main/package.json. The current package.json ("version": "1.3.0") has: "dependencies": { "@openzeppelin/contracts": "3.4.1-solc-0.7-2",
INFO: CVE-2021-39167
INFO: https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-fg47-3c2x-m2wr
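A small manifest check for the situation discussed in this thread, added here as an example and not code from the Uniswap or OpenZeppelin repositories. It parses the OZ version strings quoted above (the `-solc-0.7-N` suffix is a build label, not semver pre-release ordering) and flags a `package.json` that pins a 3.x release older than 3.4.2-solc-0.7; the package.json content is constructed to mirror the one quoted in the issue.

```python
import json
import re

# Patched release named in the issue; older 3.x releases are flagged.
PATCHED = "3.4.2-solc-0.7"
PACKAGE = "@openzeppelin/contracts"

# Constructed package.json modelled on the snippet quoted in the issue.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-periphery",          # hypothetical name
    "version": "1.3.0",
    "dependencies": {PACKAGE: "3.4.1-solc-0.7-2", "base64-sol": "1.0.1"},
})

# major.minor.patch, optional "-solc-<ver>" build tag, optional "-<n>" rebuild counter
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-solc-[\d.]+(?:-(\d+))?)?$")


def parse_oz_version(spec):
    """'3.4.1-solc-0.7-2' -> (3, 4, 1, 2). The solc tag itself does not affect
    ordering. Returns None for anything that is not an exact pin of this shape
    (ranges, git URLs), so the caller can treat it as unverified."""
    m = _VERSION_RE.match(spec.strip())
    if not m:
        return None
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch), int(build or 0))


def outdated_or_unpinned(spec, patched=PATCHED):
    """True when spec is not an exact pin, or pins a 3.x release older than
    the patched one. Other major lines are not assessed by this check."""
    v = parse_oz_version(spec)
    p = parse_oz_version(patched)
    if v is None:
        return True  # cannot prove what resolves; flag for review
    return v[0] == p[0] and v[:3] < p[:3]


def check_manifest(text):
    """Return the offending OZ spec from dependencies/devDependencies, else None."""
    manifest = json.loads(text)
    for section in ("dependencies", "devDependencies"):
        spec = manifest.get(section, {}).get(PACKAGE)
        if spec is not None and outdated_or_unpinned(spec):
            return spec
    return None


if __name__ == "__main__":
    print(check_manifest(SAMPLE_PACKAGE_JSON))  # prints 3.4.1-solc-0.7-2
```

As the maintainer notes, the direct dependency is what this checks; a downstream project that imports OZ contracts through v3-periphery should run the same check against its own resolved `@openzeppelin/contracts` version.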