Add fix for CVE-2024-7254 (#8647)

StefanBratanov · web-flow · commit b91c43237fe5 · 2024-09-26T16:26:42.000+01:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -16,6 +16,7 @@
 - Renamed metrics `validator_attestation_publication_delay`,`validator_block_publication_delay` and `beacon_block_import_delay_counter` to include the suffix `_total` added by the current version of prometheus.
 - Updated bootnodes for Holesky network
 - Added new `--p2p-flood-publish-enabled` parameter to control whenever flood publishing behaviour is enabled (applies to all subnets). Previous teku versions always had this behaviour enabled. Default is `true`.
+- Add a fix for [CVE-2024-7254](https://avd.aquasec.com/nvd/2024/cve-2024-7254/)
 
 ### Bug Fixes
  - removed a warning from logs about non blinded blocks being requested (#8562)
diff --git a/gradle/versions.gradle b/gradle/versions.gradle
@@ -32,7 +32,7 @@ dependencyManagement {
       entry 'javalin-rendering'
     }
 
-    dependency 'io.libp2p:jvm-libp2p:1.1.1-RELEASE'
+    dependency 'io.libp2p:jvm-libp2p:1.2.0-RELEASE'
     dependency 'tech.pegasys:jblst:0.3.12'
     dependency 'tech.pegasys:jc-kzg-4844:1.0.0'
 

Original file line number	Diff line number	Diff line change
`@@ -32,7 +32,7 @@ dependencyManagement {`
`32`	`32`	`entry 'javalin-rendering'`
`33`	`33`	`}`
`34`	`34`
`35`		`- dependency 'io.libp2p:jvm-libp2p:1.1.1-RELEASE'`
	`35`	`+ dependency 'io.libp2p:jvm-libp2p:1.2.0-RELEASE'`
`36`	`36`	`dependency 'tech.pegasys:jblst:0.3.12'`
`37`	`37`	`dependency 'tech.pegasys:jc-kzg-4844:1.0.0'`
`38`	`38`