fix CVE-2024-7254

[alanlvle]

• If this pull request closes/resolves/fixes an existing issue, replace the issue number. Closes #.
• Update the CHANGES log.

[wu-sheng]

I think somehow the compiling is broken by this. Could you try compiling locally and fix?

[wu-sheng]

Maybe, you don't bump up protobuf-maven-plugin.version accordingly. They should be aligned.

[alanlvle]

I try do it

[alanlvle]

protobuf-maven-plugin.version is old.how to get new protobuf-maven-plugin version aligned to protobuf-java

[wu-sheng]

protobuf-java should have documents mentioned that.

[lujiajing1126]

I suppose grpc-java version should be compatible with the upgraded protobuf-java

[alanlvle]

com.google.protobuf:protobuf-java is only used in java-agent-network,so,only update com.google.protobuf:protobuf-java in java-agent-network

[wu-sheng]

Why don't update the gRPC accordingly? I think taking the risk of incompatible grpc and protobuf version are not a good idea.

[alanlvle]

io.grpc:grpc-protobuf last version 1.68.0 not fix CVE-2024-7254.so,only update com.google.protobuf:protobuf-java to 3.25.5

[wu-sheng]

I think we can wait. We don't have plans to release the next Java agent soon. Not much changed.

[alanlvle]

OK

[lujiajing1126]

io.grpc:grpc-protobuf last version 1.68.0 not fix CVE-2024-7254.so,only update com.google.protobuf:protobuf-java to 3.25.5

https://repo1.maven.org/maven2/io/grpc/grpc-protobuf/1.68.0/grpc-protobuf-1.68.0.pom

grpc-protobuf 1.68.0 already uses protobuf-java 3.25.3. I think patch version bump will not break the compatibility.

See the comment here grpc/grpc-java#11542 (comment)

Also, the upstream PR grpc/grpc-java#11543 shows nothing change except version number.

[wu-sheng]

No update. Please reopen when you are ready.