You could try
gradle.properties
log4j2.version=2.17.1
spring.version=5.2.20.RELEASE
spring.securitycas.version=5.2.15.RELEASE
build.gradle
// Version strings resolved from gradle.properties (log4j2.version, spring.version,
// spring.securitycas.version). NOTE(review): presumably a missing key fails the
// configuration phase rather than silently falling back — verify on the Gradle
// version used by this overlay.
def log4JVersion = project.'log4j2.version'
// Applied to every org.springframework:* artifact in the dependency block.
def springVersion = project.'spring.version'
// NOTE(review): despite the name, this is applied to all spring-security-* artifacts
// in the dependency block (cas, config, core, crypto, web), not just spring-security-cas.
def springSecurityCasVersion = project.'spring.securitycas.version'
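dependencies {
    // ... other dependencies elided in the original ...

    // Pin every log4j2 module to log4JVersion so the patched jars replace the
    // 2.12.1 jars that ship in the overlay war (those are excluded in bootWar).
    // Keep all log4j-* modules on the same version.
    // `compile` is kept to match the Gradle version used by the CAS 6.1 overlay;
    // on newer Gradle this configuration is replaced by `implementation`.
    compile "org.apache.logging.log4j:log4j-api:${log4JVersion}"
    compile "org.apache.logging.log4j:log4j-core:${log4JVersion}"
    compile "org.apache.logging.log4j:log4j-jcl:${log4JVersion}"
    compile "org.apache.logging.log4j:log4j-jul:${log4JVersion}"
    compile "org.apache.logging.log4j:log4j-slf4j-impl:${log4JVersion}"
    compile "org.apache.logging.log4j:log4j-web:${log4JVersion}"

    // Spring Framework 5.2.x upgrade (CVE-2022-22965 is the motivation in the
    // thread); every org.springframework:* module listed is pinned to springVersion.
    compile "org.springframework:spring-aop:${springVersion}"
    compile "org.springframework:spring-beans:${springVersion}"
    compile "org.springframework:spring-context:${springVersion}"
    compile "org.springframework:spring-context-support:${springVersion}"
    compile "org.springframework:spring-core:${springVersion}"
    compile "org.springframework:spring-expression:${springVersion}"
    compile "org.springframework:spring-jcl:${springVersion}"
    compile "org.springframework:spring-jdbc:${springVersion}"
    compile "org.springframework:spring-jms:${springVersion}"
    compile "org.springframework:spring-messaging:${springVersion}"
    compile "org.springframework:spring-orm:${springVersion}"
    compile "org.springframework:spring-oxm:${springVersion}"

    // Spring Security modules share one version (springSecurityCasVersion), which is
    // versioned independently of Spring Framework. Each coordinate stays on the same
    // line as its `compile` call: the original mail wrapped them onto two lines, which
    // is not valid Gradle script.
    compile "org.springframework.security:spring-security-cas:${springSecurityCasVersion}"
    compile "org.springframework.security:spring-security-config:${springSecurityCasVersion}"
    compile "org.springframework.security:spring-security-core:${springSecurityCasVersion}"
    compile "org.springframework.security:spring-security-crypto:${springSecurityCasVersion}"
    compile "org.springframework.security:spring-security-web:${springSecurityCasVersion}"

    compile "org.springframework:spring-tx:${springVersion}"
    compile "org.springframework:spring-web:${springVersion}"
    compile "org.springframework:spring-webmvc:${springVersion}"
    // ... remaining dependencies and the closing brace elided in the original ...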
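bootWar {
    // Store war entries uncompressed.
    entryCompression = ZipEntryCompression.STORED
    overlays {
        cas {
            // `from` and its coordinate must stay on one line; the original mail wrapped
            // them. casServerVersion and project.appServer are not defined in this
            // snippet — presumably they come from the overlay's gradle.properties; verify.
            from "org.apereo.cas:cas-server-webapp${project.appServer}:${casServerVersion}@war"
            provided = false
            // Drop the overlay's own log4j 2.12.1 and Spring 5.2.0.RELEASE jars so that
            // only the versions declared in `dependencies` end up in WEB-INF/lib.
            // These patterns match those exact version strings only: if the overlay war
            // ships any of these jars at a different version, both the old and the new
            // copy land on the classpath and the override is incomplete. The
            // spring-security-* jars are versioned independently of Spring Framework, so
            // this second pattern may not cover them. After building, confirm that
            // WEB-INF/lib contains a single version of each log4j-* and spring-* jar.
            excludes = ["WEB-INF/lib/log4j-*-2.12.1.jar",
                        "WEB-INF/lib/spring-*-5.2.0.RELEASE.jar"]
        }
    }
}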
And then heavy unit testing...
Good luck
On Wednesday, April 6, 2022 at 10:55:58 PM UTC-4 Bert Bee-Lindgren wrote:
> [We're working on upgrading from (heavily backported-patched) CAS 6.1 to
> something supported by the OS project. In the meantime....]
>
> We know our CAS 6.1 system is using SpringFramework 5.2.0 but is not
> directly vulnerable to the CVE-2022-22965 (not deployed as a .war in
> Tomcat). Nevertheless, we would like to start testing a SpringFramework
> upgrade to avoid future ways of reaching the vulnerability.
>
> The normal way would be to change our SpringBoot dependency, but CAS6.1
> uses SB2.2.4 and moving it to SB2.5.12 seems like a BIG jump. The
> SpringFramework upgrade from 5.2.0 to 5.2.20 seems preferable given it
> stays within the 5.2 release.
>
> To try to accomplish a SpringFramework upgrade, we've tried
> "springVersion=5.2.20" in gradle.properties, but the resulting project
> still seemed to be using 5.2.0.
>
> Does anyone have advice on how to proceed?
> -Upgrade SpringBoot from 2.2.4 to 2.5.12 (easy to do, worried it isn't
> likely to work)
> -Upgrade SpringFramework from 5.2.0 --> 5.2.20 (we don't know how to do
> this)
> -Something else?
>
> Thank you,
> Bert Bee-Lindgren
>
>