world-federation-of-advertisers / cross-media-measurement

A privacy centric system for cross publisher, cross media ads measurement through secure multiparty computations.
https://halo.wfanet.org/
Apache License 2.0

Fix code scanning alert - libexpat: Negative Length Parsing Vulnerability in libexpat #1812

Closed SanjayVas closed 1 month ago

SanjayVas commented 1 month ago

Vulnerability CVE-2024-45490

Tracking issue for:

SanjayVas commented 1 month ago

Not yet fixed in upstream Debian Bookworm. See https://security-tracker.debian.org/tracker/CVE-2024-45490

SanjayVas commented 1 month ago

Looks like bookworm (security) has the fixed version now, which means it should be picked up by upstream distroless soon.

SanjayVas commented 1 month ago

Appears to be fixed in latest gcr.io/distroless/java17-debian12:nonroot (sha256:2db4acff2603088acaf67dac414462c9fcc3e2cc3ff9a642d5af9c7cff2b5fe9)