[
https://issues.apache.org/jira/browse/DIRMINA-1182?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Yuanhua Han updated DIRMINA-1182:
---------------------------------
Description:
Hello, we found that Apache MINA 2.2.3 and 2.1.8 both depends on spring
2.5.6.SEC03(corresponding to Spring Framework software), which is a very old
version (released on Sep 09, 2011) and has been EOL and also can not find
source code package.
It seems that spring 2.5.6.SEC03 have some vulnerabilities(this artifact was
moved to spring-core and spring-core 2.5.6.SEC03 have vulnerabilities).
[https://mvnrepository.com/artifact/org.springframework/spring]
!image-2024-10-08-22-47-47-371.png!
[https://mvnrepository.com/artifact/org.springframework/spring-core/2.5.6.SEC03]
!image-2024-10-08-22-54-11-235.png!
Does these vulnerability affect Apache MINA? If yes, can I ask if there are any
plans of Apache MINA community to adapt to the new version of Spring Framework
to fix these vulnerabilities?
Thanks.
The detailed dependencies are as follows:
mina-integration-xbean 2.2.3/2.1.8 ---> spring 2.5.6.SEC03
mina-example 2.2.3/2.1.8 ---> spring 2.5.6.SEC03
was:
Hello, we found that Apache MINA 2.2.3 and 2.1.8 both depends on spring
2.5.6.SEC03(corresponding to Spring Framework software), which is a very old
version (released on Sep 09, 2011) and has been EOL-ed.
It seems that spring 2.5.6.SEC03 have some vulnerabilities(this artifact was
moved to spring-core and spring-core 2.5.6.SEC03 have vulnerabilities).
https://mvnrepository.com/artifact/org.springframework/spring
!image-2024-10-08-22-47-47-371.png!
https://mvnrepository.com/artifact/org.springframework/spring-core/2.5.6.SEC03
!image-2024-10-08-22-54-11-235.png!
Does these vulnerability affect Apache MINA? If yes, can I ask if there are any
plans of Apache MINA community to adapt to the new version of Spring Framework
to fix these vulnerabilities?
Thanks.
The detailed dependencies are as follows:
mina-integration-xbean 2.2.3/2.1.8 ---> spring 2.5.6.SEC03
mina-example 2.2.3/2.1.8 ---> spring 2.5.6.SEC03
> Is there any plan to fix the dependent vulnerabilities of Spring Framework
> 2.5.6.SEC03?
> ---------------------------------------------------------------------------------------
>
> Key: DIRMINA-1182
> URL: https://issues.apache.org/jira/browse/DIRMINA-1182
> Project: MINA
> Issue Type: Wish
> Affects Versions: 2.2.3, 2.1.8
> Reporter: Yuanhua Han
> Priority: Major
> Attachments: image-2024-10-08-22-47-47-371.png,
> image-2024-10-08-22-49-52-441.png, image-2024-10-08-22-54-11-235.png
>
>
> Hello, we found that Apache MINA 2.2.3 and 2.1.8 both depends on spring
> 2.5.6.SEC03(corresponding to Spring Framework software), which is a very old
> version (released on Sep 09, 2011) and has been EOL and also can not find
> source code package.
> It seems that spring 2.5.6.SEC03 have some vulnerabilities(this artifact was
> moved to spring-core and spring-core 2.5.6.SEC03 have vulnerabilities).
> [https://mvnrepository.com/artifact/org.springframework/spring]
> !image-2024-10-08-22-47-47-371.png!
> [https://mvnrepository.com/artifact/org.springframework/spring-core/2.5.6.SEC03]
> !image-2024-10-08-22-54-11-235.png!
> Does these vulnerability affect Apache MINA? If yes, can I ask if there are
> any plans of Apache MINA community to adapt to the new version of Spring
> Framework to fix these vulnerabilities?
> Thanks.
> The detailed dependencies are as follows:
> mina-integration-xbean 2.2.3/2.1.8 ---> spring 2.5.6.SEC03
> mina-example 2.2.3/2.1.8 ---> spring 2.5.6.SEC03
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@mina.apache.org
For additional commands, e-mail: dev-h...@mina.apache.org
