Security fixes for contracts using Solidity v0.7?

Open · lavalamp- opened this issue 3 years ago · 1 comment

🧐 Motivation

Hi there! I'm currently trying to address some security vulnerabilities in a repository that uses the contracts library. Unfortunately, the codebase in question requires Solidity version 0.7, and the guidance on how to address the contracts vulnerabilities is that I should update to [email protected], which in turn requires Solidity version 0.8.

📝 Details

Is there any interest in porting fixes for the following vulnerabilities to a contracts release that targets Solidity version 0.7? I would happily take the work on myself and open a PR if someone could point me in the direction of the relevant security fix commits.

  • https://security.snyk.io/vuln/SNYK-JS-OPENZEPPELINCONTRACTS-2320176
  • https://security.snyk.io/vuln/SNYK-JS-OPENZEPPELINCONTRACTS-2965798
  • https://security.snyk.io/vuln/SNYK-JS-OPENZEPPELINCONTRACTS-2980279

lavalamp- · Nov 01 '22 19:11

Hi @lavalamp-, as per our security policy we only commit to backporting critical security fixes, which none of these qualify as.

Is the codebase in question actually affected by any of these issues? Feel free to share it if you need help making that assessment. (You can also share it privately to our security contact displayed in the policy link above.)

For the record the respective advisories we've published for these issues are:

  • https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-9c22-pwxw-p6hx
  • https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-7grf-83vw-6f5x
  • https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-4h98-2769-gh6h

frangio · Nov 03 '22 22:11

Closing due to inactivity.

frangio · Dec 28 '22 19:12