Security vulnerability in Folly (CVE-2019-11934) #27640
Comments
@Kudo could you please bump the Folly version if possible. Thanks

For OSS RN we only use and compile partial Folly implementations. Well, even if we do have the CVE problem, Folly has been outdated for a while.
facebook-github-bot pushed a commit that referenced this issue on Jan 21, 2020:

Summary: Upgrade Folly to v2020.01.13.00. Fixes #27640

## Changelog
[iOS] [Changed] - Upgrade Folly to v2020.01.13.00

Pull Request resolved: #27810

Test Plan: Test by building and running RNTester

Reviewed By: mdvacca
Differential Revision: D19483115
Pulled By: fkgozali
fbshipit-source-id: 4a85325a95b5f7857da75995d587218740d8b077
Thank you @Kudo 👍
osdnk pushed a commit to osdnk/react-native that referenced this issue on Mar 9, 2020:

Summary: Upgrade Folly to v2020.01.13.00. Fixes facebook#27640

## Changelog
[Android] [Changed] - Upgrade Folly to v2020.01.13.00

Pull Request resolved: facebook#27811

Test Plan: Test by building and running RNTester:
`./gradlew :RNTester:android:app:installJscDebug`
`./gradlew :RNTester:android:app:installHermesDebug`
And the native debug builds:
`NATIVE_BUILD_TYPE=Debug ./gradlew :RNTester:android:app:installJscDebug`
`NATIVE_BUILD_TYPE=Debug ./gradlew :RNTester:android:app:installHermesDebug`

Reviewed By: mdvacca
Differential Revision: D19474027
Pulled By: fkgozali
fbshipit-source-id: 1c680dd80413b63aad66b587213de7499197177c

osdnk also pushed a second commit to osdnk/react-native referencing this issue on Mar 9, 2020, with the same message as the facebook-github-bot iOS commit above (Pull Request resolved: facebook#27810, Differential Revision D19483115, fbshipit-source-id 4a85325a95b5f7857da75995d587218740d8b077), with the issue referenced as facebook#27640.
Issue description

React Native is using an old, insecure version of Folly. The current version of Folly in master is 2018.10.22.00. This version has a "critical" security vulnerability, CVE-2019-11934, related to SSL sockets. The latest version of Folly at the moment is 2019.12.30.00, where the above vulnerability has already been fixed. Could you please update Folly to a newer, patched version?
React Native version:
Steps To Reproduce

1. `react-native init new_project`
2. Open `new_project/node_modules/react-native/third-party-podspecs/Folly.podspec` in a text editor.
3. `spec.version` is `2018.10.22.00`.
4. As a consequence, `spec.source` tells CocoaPods to pull Folly from tag `v2018.10.22.00`, which contains an unpatched version of Folly without the fix for CVE-2019-11934.

Some additional info: I noticed this when running dependency-check-cli against a React Native project.
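As an added example (not part of this issue or of the react-native project), the following POSIX shell check automates the steps above: it extracts the pinned `spec.version` from a `Folly.podspec`, compares it against the version the reporter names as already patched (2019.12.30.00, held in `FIXED_FOLLY_VERSION`; the earliest patched release is not stated on this page, so adjust that value if you know it), and, following Kudo's point that React Native compiles only part of Folly, reports whether the podspec lists any `AsyncSSLSocket` source at all. The sample podspec text, its `source_files` list and all function names are constructed for the example; the real file is `node_modules/react-native/third-party-podspecs/Folly.podspec`.

```shell
#!/bin/sh
# Added example, not code from the issue or from react-native.
# Folly releases are date stamps (vYYYY.MM.DD.NN), so stripping the dots
# gives an integer that orders releases chronologically.

# Constructed sample podspec with the two fields the issue refers to
# (spec.version and spec.source) plus a made-up source_files list.
SAMPLE_PODSPEC='Pod::Spec.new do |spec|
  spec.name = "Folly"
  spec.version = "2018.10.22.00"
  spec.source = { :git => "https://github.com/facebook/folly.git",
                  :tag => "v#{spec.version}" }
  spec.source_files = "folly/String.cpp",
                      "folly/Conv.cpp",
                      "folly/json.cpp"
end'

# Version the issue reports as patched. Assumption: the first fixed release
# is not named on the page, so this is a conservative threshold.
FIXED_FOLLY_VERSION="2019.12.30.00"

# folly_podspec_version FILE -> prints the pinned spec.version (single or double quotes)
folly_podspec_version() {
  sed -n 's/^[[:space:]]*spec\.version[[:space:]]*=[[:space:]]*[^0-9]*\([0-9.][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# folly_version_is_fixed VERSION -> exit 0 if VERSION >= FIXED_FOLLY_VERSION
folly_version_is_fixed() {
  v=$(printf '%s' "$1" | tr -d '.')
  f=$(printf '%s' "$FIXED_FOLLY_VERSION" | tr -d '.')
  [ "$v" -ge "$f" ]
}

# folly_podspec_builds_ssl_socket FILE -> exit 0 if AsyncSSLSocket sources are listed
folly_podspec_builds_ssl_socket() {
  grep -q 'AsyncSSLSocket' "$1"
}

# check_folly_podspec FILE -> 0 if at/above the threshold, 1 if below, 2 if no version found
check_folly_podspec() {
  ver=$(folly_podspec_version "$1")
  if [ -z "$ver" ]; then
    echo "could not find spec.version in $1" >&2
    return 2
  fi
  if folly_podspec_builds_ssl_socket "$1"; then
    echo "podspec compiles AsyncSSLSocket sources"
  else
    echo "podspec does not list AsyncSSLSocket sources (affected component may not be built)"
  fi
  if folly_version_is_fixed "$ver"; then
    echo "Folly $ver: at or above $FIXED_FOLLY_VERSION"
    return 0
  fi
  echo "Folly $ver: below $FIXED_FOLLY_VERSION, CVE-2019-11934 fix absent" >&2
  return 1
}

# Demo against the constructed podspec (expected: version 2018.10.22.00 flagged as unpatched)
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_PODSPEC" > "$tmp"
check_folly_podspec "$tmp" || true
rm -f "$tmp"
```

Run it against a real project with `check_folly_podspec node_modules/react-native/third-party-podspecs/Folly.podspec`. The podspec only governs the iOS (CocoaPods) build; as the two separate PRs on this page show, the Android build pins Folly on its own and needs its own check. A version at or above the threshold and no `AsyncSSLSocket` source in the build are two independent signals, which is why the script reports both rather than collapsing them into one verdict.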