Posted to issues@guacamole.apache.org by "Mike Jumper (Jira)" <ji...@apache.org> on 2023/04/11 22:34:00 UTC

[jira] [Commented] (GUACAMOLE-1768) Docker - Guacamole Vulnerability Updates

    [ https://issues.apache.org/jira/browse/GUACAMOLE-1768?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17711134#comment-17711134 ] 

Mike Jumper commented on GUACAMOLE-1768:
----------------------------------------

[~kintaroju], if you have specific concerns, including anything noted above, please contact us privately via the security@guacamole.apache.org list. The public JIRA is not the place for security questions.

See: https://guacamole.apache.org/security/

As for dependency updates:

* Updates to webapp or extension dependencies are made through changes to the relevant {{pom.xml}} as part of a release. We routinely update dependencies to their latest compatible versions as part of each release cycle. Except in exceptional circumstances, we rely on third-party libraries to update their own transitive dependencies through their own release processes rather than override them ourselves and risk breakage.
* Updates to system libraries and dependencies are made via the user's OS. In the case of the Docker images, there is a nightly rebuild process to pull in any updates from the base images.

The latest webapp dependency update was GUACAMOLE-1763 for the 1.5.1 release that is currently underway.

> Docker - Guacamole Vulnerability Updates
> ----------------------------------------
>
>                 Key: GUACAMOLE-1768
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-1768
>             Project: Guacamole
>          Issue Type: Improvement
>          Components: guacamole, guacd-docker
>    Affects Versions: 1.5.0
>            Reporter: Jonathan Kwan
>            Priority: Major
>
> Hi,
>  
> I was doing a Snyk vulnerability scan with "docker scan" to see what vulnerabilities were in the docker image. I saw the below, and was inquiring how the docker components get updated from a vulnerability perspective?
>  
> Issues to fix by upgrading:
>   Upgrade com.fasterxml.woodstox:woodstox-core@5.2.1 to com.fasterxml.woodstox:woodstox-core@5.4.0 to fix
>   ✗ Denial of Service (DoS) [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLWOODSTOX-3091135] in com.fasterxml.woodstox:woodstox-core@5.2.1
>     introduced by com.fasterxml.woodstox:woodstox-core@5.2.1
>   ✗ XML External Entity (XXE) Injection [Critical Severity][https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLWOODSTOX-2928754] in com.fasterxml.woodstox:woodstox-core@5.2.1
>     introduced by com.fasterxml.woodstox:woodstox-core@5.2.1
>  
> The above is from the latest guacamole docker image. For guacd, there wasn't anything shown at the moment.
>  
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
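An added example, not code from the Guacamole project or from either participant above: a small Python script that parses the Snyk "docker scan" text quoted in the issue into structured findings (package, version, severity, advisory URL, recommended fix version, and the direct dependency that introduced it) and then checks whether the version actually present in a build is at or above the advisory's fix version. The sample scan text is copied from the issue; the parsing rules assume Snyk's text layout exactly as quoted there, and the version comparison is a simplified approximation of Maven's ordering (numeric components, trailing zeros ignored, a hyphenated qualifier such as `-rc1` sorts before the plain release). The `installed_versions` map is an assumed input that a practitioner would fill from `mvn dependency:tree` or from listing `WEB-INF/lib` inside the image.

```python
"""Turn Snyk-style `docker scan` text into findings and check them against installed versions.

Added example (not Guacamole project code). The scan text below is copied from
the GUACAMOLE-1768 issue description; the regexes assume that exact layout.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the scan output quoted in the issue, verbatim.
SAMPLE_SCAN = """\
Issues to fix by upgrading:
  Upgrade com.fasterxml.woodstox:woodstox-core@5.2.1 to com.fasterxml.woodstox:woodstox-core@5.4.0 to fix
  ✗ Denial of Service (DoS) [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLWOODSTOX-3091135] in com.fasterxml.woodstox:woodstox-core@5.2.1
    introduced by com.fasterxml.woodstox:woodstox-core@5.2.1
  ✗ XML External Entity (XXE) Injection [Critical Severity][https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLWOODSTOX-2928754] in com.fasterxml.woodstox:woodstox-core@5.2.1
    introduced by com.fasterxml.woodstox:woodstox-core@5.2.1
"""

# Line shapes as they appear in the quoted scan output.
UPGRADE_RE = re.compile(r"^\s*Upgrade (\S+)@(\S+) to (\S+)@(\S+) to fix\s*$")
ISSUE_RE = re.compile(r"^\s*✗ (.+?) \[(\w+) Severity\]\[(\S+)\] in (\S+)@(\S+)\s*$")
INTRODUCED_RE = re.compile(r"^\s*introduced by (\S+)@(\S+)\s*$")


@dataclass
class Finding:
    title: str
    severity: str
    advisory: str
    package: str          # Maven groupId:artifactId
    version: str          # vulnerable version reported by the scanner
    fixed_in: Optional[str]        # version the scanner says to upgrade to
    introduced_by: Optional[str]   # dependency that pulled the vulnerable one in


def parse_scan(text: str) -> List[Finding]:
    """Parse the scanner's text output into Finding records."""
    findings: List[Finding] = []
    fix_for: Dict[tuple, str] = {}  # (package, vulnerable version) -> fix version
    for line in text.splitlines():
        m = UPGRADE_RE.match(line)
        if m:
            fix_for[(m.group(1), m.group(2))] = m.group(4)
            continue
        m = ISSUE_RE.match(line)
        if m:
            title, severity, url, pkg, ver = m.groups()
            findings.append(Finding(title, severity, url, pkg, ver, fix_for.get((pkg, ver)), None))
            continue
        m = INTRODUCED_RE.match(line)
        if m and findings:
            # The "introduced by" line belongs to the finding just above it.
            findings[-1].introduced_by = f"{m.group(1)}@{m.group(2)}"
    return findings


def _version_key(version: str):
    """Simplified Maven-style ordering key (assumption: good enough for x.y.z[-qualifier]).

    Numeric components compare numerically, trailing zeros are ignored so that
    5.4 == 5.4.0, and a hyphenated qualifier (5.4.0-rc1) sorts before the release.
    Two qualifiers are compared as plain lowercase strings, which is cruder than Maven.
    """
    base, _, qualifier = version.partition("-")
    nums = [int(p) if p.isdigit() else 0 for p in base.split(".")]
    while nums and nums[-1] == 0:
        nums.pop()
    return (nums, 0 if qualifier else 1, qualifier.lower())


def is_fixed(installed: str, fixed_in: str) -> bool:
    """True if the installed version is at or above the advisory's fix version."""
    return _version_key(installed) >= _version_key(fixed_in)


def unresolved(findings: List[Finding], installed_versions: Dict[str, str]) -> List[Finding]:
    """Findings still open given what is actually installed.

    installed_versions maps groupId:artifactId -> version (e.g. gathered from
    `mvn dependency:tree` or the jar names under WEB-INF/lib). A package absent
    from the map is assumed to still be at the version the scanner reported.
    """
    still_open = []
    for f in findings:
        installed = installed_versions.get(f.package, f.version)
        if f.fixed_in is None or not is_fixed(installed, f.fixed_in):
            still_open.append(f)
    return still_open


if __name__ == "__main__":
    for f in unresolved(parse_scan(SAMPLE_SCAN), {}):
        print(f"{f.severity:8} {f.package}@{f.version} -> {f.fixed_in}  ({f.title})")
```

Because the scanner reports the transitive artifact rather than the direct dependency that pulls it in, the `introduced_by` field is what you need when deciding whether the fix comes from upgrading a direct dependency or would require a version override of the transitive one.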