Firebase-ios-sdk: FR: Update nanopb because of security finding

Created on 25 Mar 2020 · 4 Comments · Source: firebase/firebase-ios-sdk

Feature proposal

  • Firebase Component: Core

In our project we use WhiteSource to find security issues in the code.
We got a security finding in the nanopb library in the newest Firebase 6.21.0
https://nvd.nist.gov/vuln/detail/CVE-2020-5235

Could you please update to a nanopb version that fixed this security issue?

Thank you

analytics firestore feature request

All 4 comments

@karlkaminski Thanks for the report. Our nanopb migration is currently pending migrating the Firestore gRPC dependency from a nanopb-dependent version. See #4312.

Once that happens, we'll move the Firebase nanopb version forward.

@paulb777 What is the approximate estimation for merging #4312?
We also use WhiteSource and saw the issue with the nanopb.

@tereznikov We don't make commitments about future releases, but will work on the nanopb update in the next month or two.

Now that #4312 has landed, I'm going to pick up the nanopb update project again and try to get it into the next release.
