You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@guacamole.apache.org by "Markus * (Jira)" <ji...@apache.org> on 2023/06/09 21:35:00 UTC

[jira] [Commented] (GUACAMOLE-1806) Update Java dependencies to patched versions

    [ https://issues.apache.org/jira/browse/GUACAMOLE-1806?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17731099#comment-17731099 ] 

Markus * commented on GUACAMOLE-1806:
-------------------------------------

Trivy also noticed two more vulnerabilities:
 * CVE-2016-1000027
 * CVE-2022-45146

In order to get rid of the first one, a major version update of org.springframework:spring-web would become necessary. As far as I can tell, this would need more than just to bump version numbers. (see [here|https://github.com/spring-projects/spring-framework/wiki/Upgrading-to-Spring-Framework-6.x#upgrading-to-version-60])

The second one concerns org.bouncycastle:bc-fips. It seems to have been fixed. (see [here|https://www.bouncycastle.org/latest_releases.html]) However, the published release is still labeled a release candidate. It is also missing in the Maven Repository. (see [here|https://mvnrepository.com/artifact/org.bouncycastle/bc-fips])

> Update Java dependencies to patched versions
> --------------------------------------------
>
>                 Key: GUACAMOLE-1806
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-1806
>             Project: Guacamole
>          Issue Type: Task
>          Components: guacamole
>            Reporter: Markus *
>            Priority: Minor
>
> These changes should address the following (potentially relevant) vulnerabilities:
>  * [CVE-2022-21724|https://github.com/advisories/GHSA-v7wg-cpwc-24m4]
>  * [CVE-2022-26520|https://github.com/advisories/GHSA-727h-hrw8-jg8q]
>  * [CVE-2022-31197|https://github.com/advisories/GHSA-r38f-c4h4-hqq2]
>  * [CVE-2022-40151|https://github.com/advisories/GHSA-f8cc-g7j8-xxpm]
>  * [CVE-2022-40152|https://github.com/advisories/GHSA-3f7h-mf4q-vrm4]
>  * [CVE-2022-41946|https://github.com/advisories/GHSA-562r-vg33-8x8h]
>  * [CVE-2023-20861|https://github.com/advisories/GHSA-564r-hj7v-mcr5]
>  * [CVE-2023-20862|https://github.com/advisories/GHSA-x873-6rgc-94jc]
>  * [CVE-2023-20863|https://github.com/advisories/GHSA-wxqc-pxw9-g2p8]
>  * [GHSA-673j-qm5f-xpv8|https://github.com/advisories/GHSA-673j-qm5f-xpv8]



--
This message was sent by Atlassian Jira
(v8.20.10#820010)