[ https://issues.apache.org/jira/browse/DIRMINA-1182?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17889613#comment-17889613 ]

Emmanuel Lécharny commented on DIRMINA-1182:
--------------------------------------------

Hi [~yuanhuahan]

FTR, I have tried to update Spring, but there are a few roadblocks.

The mina-integration-xbean module is likely to be easier, because it only uses a couple of Spring classes.

What I did was to modify the main {{pom.xml}} file, adding this:

{code:xml}
<version.springbeans>5.3.39</version.springbeans>
...
      <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-beans</artifactId>
        <version>${version.springbeans}</version>
        <exclusions>
          <exclusion>
            <groupId>commons-logging</groupId>
            <artifactId>commons-logging</artifactId>
          </exclusion>
          <exclusion>
            <groupId>commons-logging</groupId>
            <artifactId>commons-logging-api</artifactId>
          </exclusion>
          <exclusion>
            <groupId>javax.servlet</groupId>
            <artifactId>servlet-api</artifactId>
          </exclusion>
        </exclusions>
      </dependency>

      <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-context</artifactId>
        <version>${version.springbeans}</version>
        <exclusions>
          <exclusion>
            <groupId>commons-logging</groupId>
            <artifactId>commons-logging</artifactId>
          </exclusion>
          <exclusion>
            <groupId>commons-logging</groupId>
            <artifactId>commons-logging-api</artifactId>
          </exclusion>
          <exclusion>
            <groupId>javax.servlet</groupId>
            <artifactId>servlet-api</artifactId>
          </exclusion>
        </exclusions>
      </dependency>
...
{code}

The thing is that we can't use the latest version of {{spring-beans}} because it does not build with Java 11.

Also two dependencies are required: {{spring-beans}} and {{spring-context}}.

The {{mina-integration-xbean/pom.xml}} file must be updated with:

{code:xml}
diff --git a/mina-integration-xbean/pom.xml b/mina-integration-xbean/pom.xml
index b810a83c4..217747b8a 100644
--- a/mina-integration-xbean/pom.xml
+++ b/mina-integration-xbean/pom.xml
@@ -63,7 +63,12 @@
 
     <dependency>
       <groupId>org.springframework</groupId>
-      <artifactId>spring</artifactId>
+      <artifactId>spring-beans</artifactId>
+    </dependency>
+
+    <dependency>
+      <groupId>org.springframework</groupId>
+      <artifactId>spring-context</artifactId>
     </dependency>

{code}
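Review bot: the two new {{<dependency>}} entries in this hunk carry no {{<version>}}, so the module only builds if the parent pom declares {{spring-beans}} and {{spring-context}} inside a {{<dependencyManagement>}} block; the parent fragment shown above is elided with {{...}} and does not show that wrapper, so it is worth confirming, otherwise Maven rejects the module pom with a missing-version error for {{org.springframework:spring-beans:jar}}. Also, {{spring-context}} already depends on {{spring-beans}} (and {{spring-core}}), so the explicit {{spring-beans}} entry is redundant, though harmless. Since the point of the change is to get rid of {{2.5.6.SEC03}}, run {{mvn -pl mina-integration-xbean dependency:tree}} afterwards and check that {{org.springframework:spring:jar:2.5.6.SEC03}} no longer appears anywhere in the tree, including transitively through the module's other dependencies.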

It refers to the two dependencies declared in the parent pom.

Now, those changes won't be enough for the {{mina-example}}, as it seems the {{mina-example/src/main/resources/org/apache/mina/example/chat/serverContext.xml}} Spring configuration file format requires some changes. This is what needs to be fixed, I think.

> Is there any plan to fix the dependent vulnerabilities of Spring Framework 
> 2.5.6.SEC03?
> ---------------------------------------------------------------------------------------
>
>                 Key: DIRMINA-1182
>                 URL: https://issues.apache.org/jira/browse/DIRMINA-1182
>             Project: MINA
>          Issue Type: Wish
>    Affects Versions: 2.2.3, 2.1.8
>            Reporter: Yuanhua Han
>            Priority: Major
>         Attachments: image-2024-10-08-22-47-47-371.png, 
> image-2024-10-08-22-49-52-441.png, image-2024-10-08-22-54-11-235.png
>
>
> Hello, we found that Apache MINA 2.2.3 and 2.1.8 both depend on spring 
> 2.5.6.SEC03 (corresponding to Spring Framework software), which is a very old 
> version (released on Sep 09, 2011), has been EOL, and for which the 
> source code package cannot be found.
> It seems that spring 2.5.6.SEC03 has some vulnerabilities (this artifact was 
> moved to spring-core, and spring-core 2.5.6.SEC03 has vulnerabilities).
> [https://mvnrepository.com/artifact/org.springframework/spring]
> !image-2024-10-08-22-47-47-371.png!
> [https://mvnrepository.com/artifact/org.springframework/spring-core/2.5.6.SEC03]
> !image-2024-10-08-22-54-11-235.png!
> Do these vulnerabilities affect Apache MINA? If yes, can I ask if there are 
> any plans of the Apache MINA community to adapt to the new version of Spring 
> Framework to fix these vulnerabilities? 
> Thanks.
> The detailed dependencies are as follows:
> mina-integration-xbean 2.2.3/2.1.8 ---> spring 2.5.6.SEC03
> mina-example 2.2.3/2.1.8 ---> spring 2.5.6.SEC03


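As an added example for this thread (not code from the Jira issue, the comment, or the Apache MINA project), the script below is the kind of check a dependency reviewer would run against the pom fragments discussed above: it parses a single pom.xml, expands {{${...}}} references declared in {{<properties>}}, and flags the pre-3.0 aggregate {{org.springframework:spring}} artifact as well as any other {{org.springframework}} artifact whose resolved version is below an assumed floor of 5.3.0 (the floor is my assumption, chosen to match the 5.3.39 proposed in the comment). The two POMs embedded in it are constructed samples modelled on the "before" state from the issue and the parent-pom change from the comment; they are not copied from the MINA repository.

```python
"""Audit a Maven POM for the end-of-life aggregate Spring jar (added example, not MINA code)."""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# The monolithic jar Spring shipped before it was split into modules.
LEGACY_AGGREGATE = ("org.springframework", "spring")
# Assumed minimum acceptable Spring version; the comment above moves to 5.3.39.
MIN_SPRING: Tuple[int, int, int] = (5, 3, 0)
PROP_RE = re.compile(r"\$\{([^}]+)\}")


def _local(tag: str) -> str:
    """Strip the Maven XML namespace, so '{ns}artifactId' -> 'artifactId'."""
    return tag.rsplit("}", 1)[-1]


def _children(elem: ET.Element, name: str) -> List[ET.Element]:
    return [c for c in elem if _local(c.tag) == name]


def _text(elem: ET.Element, name: str) -> str:
    for c in _children(elem, name):
        return (c.text or "").strip()
    return ""


def resolve(value: str, props: Dict[str, str]) -> str:
    """Expand ${prop} references; unknown properties are left verbatim so they stay visible."""
    for _ in range(10):  # bounded, so a self-referencing property cannot loop forever
        expanded = PROP_RE.sub(lambda m: props.get(m.group(1), m.group(0)), value)
        if expanded == value:
            break
        value = expanded
    return value


def version_key(version: str) -> Tuple[int, int, int]:
    """'2.5.6.SEC03' -> (2, 5, 6); '5.3.39' -> (5, 3, 39). Non-numeric pieces count as 0."""
    nums = []
    for piece in version.split(".")[:3]:
        m = re.match(r"\d+", piece)
        nums.append(int(m.group(0)) if m else 0)
    return tuple(nums + [0] * (3 - len(nums)))


def audit_pom(xml_text: str) -> List[str]:
    """Return one finding per offending dependency from <dependencyManagement> and <dependencies>."""
    root = ET.fromstring(xml_text)
    props: Dict[str, str] = {}
    for block in _children(root, "properties"):
        for p in block:
            props[_local(p.tag)] = (p.text or "").strip()
    props.setdefault("project.version", _text(root, "version"))

    deps: List[ET.Element] = []
    for dm in _children(root, "dependencyManagement"):
        for ds in _children(dm, "dependencies"):
            deps.extend(_children(ds, "dependency"))
    for ds in _children(root, "dependencies"):
        deps.extend(_children(ds, "dependency"))

    findings: List[str] = []
    for d in deps:
        group = resolve(_text(d, "groupId"), props)
        artifact = resolve(_text(d, "artifactId"), props)
        version = resolve(_text(d, "version"), props)
        coord = f"{group}:{artifact}:{version or '<managed>'}"
        if (group, artifact) == LEGACY_AGGREGATE:
            findings.append(f"{coord}: EOL aggregate jar; replace with spring-beans/spring-context")
        elif (group == "org.springframework" and version and "${" not in version
              and version_key(version) < MIN_SPRING):
            findings.append(f"{coord}: below minimum {'.'.join(map(str, MIN_SPRING))}")
    return findings


# Constructed sample modelled on the 'before' state quoted in the issue.
OLD_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <version>2.2.3</version>
  <dependencies>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring</artifactId>
      <version>2.5.6.SEC03</version>
    </dependency>
  </dependencies>
</project>"""

# Constructed sample modelled on the parent-pom change proposed in the comment.
NEW_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <version.springbeans>5.3.39</version.springbeans>
  </properties>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-beans</artifactId>
        <version>${version.springbeans}</version>
      </dependency>
      <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-context</artifactId>
        <version>${version.springbeans}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>"""

if __name__ == "__main__":
    for name, pom in (("old", OLD_POM), ("new", NEW_POM)):
        print(name, audit_pom(pom) or ["clean"])
```

The check deliberately reports a dependency whose version is still an unresolved {{${...}}} reference as-is rather than guessing, and it treats a module dependency with no {{<version>}} as {{<managed>}}, so to audit the real tree you would run it against the parent pom (where the versions live) or, better, against the output of {{mvn dependency:tree}}, which also exposes transitive pulls of the old jar that a single pom cannot show.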

--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@mina.apache.org
For additional commands, e-mail: dev-h...@mina.apache.org
