Uniswap / v3-periphery

🦄 🦄 🦄 Peripheral smart contracts for interacting with Uniswap v3
https://uniswap.org
GNU General Public License v2.0

3.4.2-solc-0.7 patch for openzeppelin/contracts #233

Closed gord0b closed 2 years ago

gord0b commented 2 years ago

Patched version 3.4.2-solc-0.7, which fixes a critical vulnerability, is not included in the latest version: https://github.com/Uniswap/v3-periphery/blob/main/package.json. The current package.json ("version": "1.3.0") has "dependencies": { "@openzeppelin/contracts": "3.4.1-solc-0.7-2",

INFO: CVE-2021-39167
INFO: https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-fg47-3c2x-m2wr

gord0b commented 2 years ago

Hi team, I see v1.4.0 was recently released but didn't include a fix for this vulnerability. Please advise @NoahZinsmeister - thx

moodysalem commented 2 years ago

We are not affected by the bug in that version since it affects only the TimelockController contract which is not used in this repo

gord0b commented 2 years ago

We are not affected by the bug in that version since it affects only the TimelockController contract which is not used in this repo

Thanks for the reply. The vulnerable dependency is listed in package.json; if it is not utilized, update or remove it?

https://github.com/Uniswap/v3-periphery/blob/main/package.json. "dependencies": { "@openzeppelin/contracts": "3.4.1-solc-0.7-2",


moodysalem commented 2 years ago

We use other code in the dependency, just not the code with the bug. Might still be worth updating just because others might depend on periphery and then import the vulnerable OZ contract from the OZ dependency of v3-periphery, but it's not urgent (dependent contracts should use their own version of OZ)
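The triage argued in this thread (the pinned OpenZeppelin release is in the affected range, but does the project's own Solidity actually import the affected contract?) can be automated. The script below is an added example written for this page; it is not Uniswap's or OpenZeppelin's code. It assumes a Hardhat-style layout with package.json at the project root and sources under contracts/, and that the affected contract is reached through an import of access/TimelockController.sol. The 3.4.2 fix version is the one the thread names; the first affected release (3.3.0) and the 4.x fix (4.3.1) are taken from the linked advisory and should be re-checked against it. The sample project the script inspects is constructed inline.

```python
"""Triage a flagged @openzeppelin/contracts pin: affected version, and is the contract reachable?"""
import json
import re
import tempfile
from pathlib import Path

# Version data. 3.4.2 is the fixed version named in the issue thread; 3.3.0 (first affected)
# and 4.3.1 (4.x fix) are as read from GHSA-fg47-3c2x-m2wr -- verify before relying on them.
FIRST_AFFECTED = (3, 3, 0)
FIXED_VERSIONS = {3: (3, 4, 2), 4: (4, 3, 1)}
# Hypothetical assumption: the affected contract is pulled in only through this file name.
AFFECTED_IMPORT = re.compile(r'''^\s*import\b.*["']([^"']*TimelockController\.sol)["']''')


def parse_version(spec):
    """Numeric (major, minor, patch) of an npm version spec such as '3.4.1-solc-0.7-2' or '^4.3.0'.
    Range prefixes (^ ~ = >) are stripped, which treats the spec as its lower bound; for a real
    audit read the resolved version from the lockfile instead. OpenZeppelin's '-solc-0.7' suffix is
    a compiler variant, not a semver pre-release, so the numeric core decides whether the fix is in.
    """
    m = re.match(r"^[\^~=><\s]*v?(\d+)\.(\d+)\.(\d+)", spec)
    if not m:
        raise ValueError(f"unsupported version spec: {spec!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable_version(spec):
    """True when the spec's numeric version falls inside an affected range."""
    version = parse_version(spec)
    if version < FIRST_AFFECTED:
        return False  # TimelockController did not exist yet
    fixed = FIXED_VERSIONS.get(version[0])
    if fixed is None:
        return False  # release line not covered by the advisory
    return version < fixed


def find_affected_imports(src_root):
    """(relative file, line number) for every import of the affected contract under src_root."""
    hits = []
    src_root = Path(src_root)
    for path in sorted(src_root.rglob("*.sol")):
        for n, line in enumerate(path.read_text(encoding="utf-8").splitlines(), 1):
            if AFFECTED_IMPORT.search(line):
                hits.append((str(path.relative_to(src_root)), n))
    return hits


def triage(project_root):
    """Classify a project: not_present, fixed_version, vulnerable_but_unused, vulnerable_and_reachable."""
    root = Path(project_root)
    pkg = json.loads((root / "package.json").read_text(encoding="utf-8"))
    deps = {**pkg.get("dependencies", {}), **pkg.get("devDependencies", {})}
    spec = deps.get("@openzeppelin/contracts")
    if spec is None:
        return {"status": "not_present", "spec": None, "imports": []}
    imports = find_affected_imports(root / "contracts")
    if not is_vulnerable_version(spec):
        status = "fixed_version"
    elif imports:
        status = "vulnerable_and_reachable"
    else:
        status = "vulnerable_but_unused"
    return {"status": status, "spec": spec, "imports": imports}


def build_sample_project(oz_version, import_timelock):
    """Constructed sample project (not a real repository) in a temporary directory."""
    root = Path(tempfile.mkdtemp())
    (root / "package.json").write_text(json.dumps({
        "name": "sample-periphery", "version": "1.3.0",
        "dependencies": {"@openzeppelin/contracts": oz_version},
    }), encoding="utf-8")
    src = root / "contracts"
    src.mkdir()
    (src / "Router.sol").write_text(
        "pragma solidity =0.7.6;\n"
        "import '@openzeppelin/contracts/token/ERC20/IERC20.sol';\n"
        "contract Router {}\n", encoding="utf-8")
    if import_timelock:
        (src / "Governance.sol").write_text(
            "pragma solidity =0.7.6;\n"
            "import '@openzeppelin/contracts/access/TimelockController.sol';\n"
            "contract Governance {}\n", encoding="utf-8")
    return root


if __name__ == "__main__":
    # Mirrors the thread: the pin is in the affected range, but nothing imports the contract.
    print(triage(build_sample_project("3.4.1-solc-0.7-2", import_timelock=False)))
    print(triage(build_sample_project("3.4.1-solc-0.7-2", import_timelock=True)))
    print(triage(build_sample_project("3.4.2-solc-0.7", import_timelock=True)))
```

A "vulnerable_but_unused" result answers only the direct question of whether this project's contracts reach the affected code. It does not address the second concern raised above, a downstream project that resolves its OpenZeppelin import through this package's dependency; the only way to close that path is to bump the pin.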