[
https://issues.apache.org/jira/browse/DIRMINA-1182?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17893354#comment-17893354
]
Emmanuel Lécharny commented on DIRMINA-1182:
--------------------------------------------
[~keyboarddesirstroyer] I wasn't able to have MINA build with the PR, because
it required Java 17 as a target, so I had to slightly rework the PR.
The question about dropping support for Java 8 is not yet discussed, the point
being which minimal version should we support. If we embed Spring 6.x, then
it's Java 17. That leave Java 11 users out of the equation. Java8 is under
extended support until 2032, and some users are still using it.
I'd rather limit the scope of usage for Spring to the only modules that require
it at this point.
> Is there any plan to fix the dependent vulnerabilities of Spring Framework
> 2.5.6.SEC03?
> ---------------------------------------------------------------------------------------
>
> Key: DIRMINA-1182
> URL: https://issues.apache.org/jira/browse/DIRMINA-1182
> Project: MINA
> Issue Type: Wish
> Affects Versions: 2.2.3, 2.1.8
> Reporter: Yuanhua Han
> Priority: Major
> Fix For: 2.2.4, 2.0.27, 2.1.10
>
> Attachments: image-2024-10-08-22-47-47-371.png,
> image-2024-10-08-22-49-52-441.png, image-2024-10-08-22-54-11-235.png,
> image-2024-10-28-10-53-37-111.png, image-2024-10-28-10-54-19-751.png
>
>
> Hello, we found that Apache MINA 2.2.3 and 2.1.8 both depends on spring
> 2.5.6.SEC03(corresponding to Spring Framework software), which is a very old
> version (released on Sep 09, 2011) and has been EOL and also can not find
> source code package.
> It seems that spring 2.5.6.SEC03 have some vulnerabilities(this artifact was
> moved to spring-core and spring-core 2.5.6.SEC03 have vulnerabilities).
> [https://mvnrepository.com/artifact/org.springframework/spring]
> !image-2024-10-08-22-47-47-371.png!
> [https://mvnrepository.com/artifact/org.springframework/spring-core/2.5.6.SEC03]
> !image-2024-10-08-22-54-11-235.png!
> Does these vulnerability affect Apache MINA? If yes, can I ask if there are
> any plans of Apache MINA community to adapt to the new version of Spring
> Framework to fix these vulnerabilities?
> Thanks.
> The detailed dependencies are as follows:
> mina-integration-xbean 2.2.3/2.1.8 ---> spring 2.5.6.SEC03
> mina-example 2.2.3/2.1.8 ---> spring 2.5.6.SEC03
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@mina.apache.org
For additional commands, e-mail: dev-h...@mina.apache.org
