00felix opened a new pull request, #143:
URL: https://github.com/apache/johnzon/pull/143

   the 3 verified upgrades:
   
   1. This pull request upgrades the com.google.guava:guava dependency from 
version 25.1-android to 33.6.0-jre to address two known security 
vulnerabilities.
   
   Vulnerabilities resolved:
   
   https://github.com/advisories/GHSA-7g45-4rm6-3mm3 – Guava’s 
Files.createTempDir() and similar methods create temporary directories with 
insecure permissions, potentially allowing local privilege escalation or 
information disclosure.
   https://github.com/advisories/GHSA-5mg8-w23w-74h3 – Guava’s CompoundOrdering 
class can leak internal state via its toString() method, exposing sensitive 
information.
   Upgrading to the latest JRE flavor ensures these issues are fixed while also 
bringing in other stability and compatibility improvements. No code changes are 
required – the dependency version is updated in the build configuration only, 
and the existing API usage remains compatible.
   
   2. This pull request upgrades the commons-io:commons-io dependency from 
version 2.5 to version 20030203.000550 to address two security vulnerabilities:
   
   https://github.com/advisories/GHSA-78wr-2p64-hpwj: A possible denial of 
service attack via untrusted input to XmlStreamReader.
   https://github.com/advisories/GHSA-gwrp-pvrq-jmwv: Path traversal and 
improper input validation vulnerabilities.
   No code changes are required; the dependency version update itself resolves 
these issues.
   
   3. This pull request upgrades the junit:junit dependency from version 4.12 
to 4.13.2.
   
   Why this upgrade matters:
   Version 4.13.2 includes a security fix for 
https://github.com/advisories/GHSA-269g-pwp5-87pp, a vulnerability in the 
TemporaryFolder rule on Unix‑like systems. In affected versions, files and 
directories created by TemporaryFolder do not have their permissions 
restricted, which could allow other local users to read or modify temporary 
test data. The fix ensures that created temporary files are only accessible by 
the owner.
   
   Code changes:
   No code changes are required. The upgrade is a direct version bump that 
applies the patched dependency. All existing test behavior remains unchanged.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to