[jira] [Commented] (GUACAMOLE-1806) Update Java dependencies to patched versions

Fri, 09 Jun 2023 14:43:15 -0700 


    [ 
https://issues.apache.org/jira/browse/GUACAMOLE-1806?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17731100#comment-17731100
 ] 

Mike Jumper commented on GUACAMOLE-1806:
----------------------------------------

According to https://nvd.nist.gov/vuln/detail/CVE-2016-1000027, that applies 
only to "Pivotal Spring Framework through 5.3.16". If you want to give updating 
to 6.x a try, that should be OK as long as it's compatible with Java 8. The 
usage of Spring is very minimal - just an IP address matcher:

https://github.com/apache/guacamole-client/blob/466476412a8a93440bea1121f374e17021380f25/extensions/guacamole-auth-json/src/main/java/org/apache/guacamole/auth/json/RequestValidationService.java#L29

As for Bouncy Castle, as you note, there's no such release available in Maven 
Central, nor is the interim workaround release FIPS-certified (that may be why 
it's not in Maven). I'd be very on the fence about switching to a non-certified 
version.

> Update Java dependencies to patched versions
> --------------------------------------------
>
>                 Key: GUACAMOLE-1806
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-1806
>             Project: Guacamole
>          Issue Type: Task
>          Components: guacamole
>            Reporter: Markus *
>            Priority: Minor
>
> These changes should address the following (potentially relevant) 
> vulnerabilities:
>  * [CVE-2022-21724|https://github.com/advisories/GHSA-v7wg-cpwc-24m4]
>  * [CVE-2022-26520|https://github.com/advisories/GHSA-727h-hrw8-jg8q]
>  * [CVE-2022-31197|https://github.com/advisories/GHSA-r38f-c4h4-hqq2]
>  * [CVE-2022-40151|https://github.com/advisories/GHSA-f8cc-g7j8-xxpm]
>  * [CVE-2022-40152|https://github.com/advisories/GHSA-3f7h-mf4q-vrm4]
>  * [CVE-2022-41946|https://github.com/advisories/GHSA-562r-vg33-8x8h]
>  * [CVE-2023-20861|https://github.com/advisories/GHSA-564r-hj7v-mcr5]
>  * [CVE-2023-20862|https://github.com/advisories/GHSA-x873-6rgc-94jc]
>  * [CVE-2023-20863|https://github.com/advisories/GHSA-wxqc-pxw9-g2p8]
>  * [GHSA-673j-qm5f-xpv8|https://github.com/advisories/GHSA-673j-qm5f-xpv8]



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to