You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@guacamole.apache.org by "Mike Jumper (Jira)" <ji...@apache.org> on 2023/04/11 22:34:00 UTC
[jira] [Commented] (GUACAMOLE-1768) Docker - Guacamole Vulnerability Updates
[ https://issues.apache.org/jira/browse/GUACAMOLE-1768?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17711134#comment-17711134 ]
Mike Jumper commented on GUACAMOLE-1768:
----------------------------------------
[~kintaroju], if you have specific concerns, including anything noted above, please contact us privately via the security@guacamole.apache.org list. The public JIRA is not the place for security questions.
See: https://guacamole.apache.org/security/
As for dependency updates:
* Updates to webapp or extension dependencies are made through changes to the relevant {{pom.xml}} as part of a release. We routinely update dependencies to their latest compatible versions as part of each release cycle. Except in exceptional circumstances, we rely on third-party libraries to update their own transitive dependencies through their own release processes rather than override them ourselves and risk breakage.
* Updates to system libraries and dependencies are made via the user's OS. In the case of the Docker images, there is a nightly rebuild process to pull in any updates from the base images.
The latest webapp dependency update was GUACAMOLE-1763 for the 1.5.1 release that is currently underway.
> Docker - Guacamole Vulnerability Updates
> ----------------------------------------
>
> Key: GUACAMOLE-1768
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-1768
> Project: Guacamole
> Issue Type: Improvement
> Components: guacamole, guacd-docker
> Affects Versions: 1.5.0
> Reporter: Jonathan Kwan
> Priority: Major
>
> Hi,
>
> I was doing a synk vulnerability scan with "docker scan" to see what vulnerabilities were in the docker image. I saw the below, and was inquiring how the docker components get updated from a vulnerability perspective?
>
> Issues to fix by upgrading:
> Upgrade com.fasterxml.woodstox:woodstox-core@5.2.1 to com.fasterxml.woodstox:woodstox-core@5.4.0 to fix
> ✗ Denial of Service (DoS) [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLWOODSTOX-3091135] in com.fasterxml.woodstox:woodstox-core@5.2.1
> introduced by com.fasterxml.woodstox:woodstox-core@5.2.1
> ✗ XML External Entity (XXE) Injection [Critical Severity][https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLWOODSTOX-2928754] in com.fasterxml.woodstox:woodstox-core@5.2.1
> introduced by com.fasterxml.woodstox:woodstox-core@5.2.1
>
> The above is from the latest guacamole docker image. For guacd, there wasn't anything shown at the moment.
>
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)