Re: Security Vulnerabilities with GWT

2022-10-26 Thread 'Ben Shapiro' via GWT Users
I know that this conversation is about 2 years old.  We upgraded to GWT 
2.10 in hopes that it would resolve the following vulnerabilities with 
protobuf-java; they are all being reported in the gwt-servlet.jar (version 
2.10.0):
https://nvd.nist.gov/vuln/detail/CVE-2022-3171
https://www.cve.org/CVERecord?id=CVE-2015-5237
https://github.com/advisories/GHSA-wrvw-hg22-4m67
https://github.com/advisories/GHSA-h4h5-3hr4-j3g2
https://nvd.nist.gov/vuln/detail/CVE-2021-22569

These are all being reported in our project by the AWS Enhanced Scanning.  
Is there any way to upgrade Protobuf from 2.5.0 to the latest version of 
3.21.8?

Thanks in advance.
Ben

On Tuesday, June 30, 2020 at 4:16:01 AM UTC-6 priyako...@gmail.com wrote:

> Thank you very much for quick responses.
> Here are Vulnerabilities listed -
>
>
> Gwt-dev.jar -
> 1.1 Vulnerable version of jetty library(current version-- 9.2.14, 
> available version -9.2.27+ ) 
> [Associated CVEs -  
> CVE-2017-7656,CVE-2017-7657,CVE-2017-7658,CVE-2017-9735,CVE-2018-12536]
> 1.2 Vulnerable version of commons-collections(current version - 3.2.1)  [ 
> CVE-2015-6420,CVE-2017-15708,CVE-2014-3577]
> 1.3 Vulnerable version of org.apache.httpcomponents:httpclient(current 
> version - 4.3.1)  [ CVE-2015-6420,CVE-2017-15708,CVE-2014-3577]
> 1.4 Vulnerable version of Google Protobuf(current version - 2.5.0, 
> available version - 3.4.0) [CVE-2015-5237]
> 1.5  Vulnerable version of htmlunit ( current version - 2.19 , available 
> version- 2.37) [CVE-2020-5529]
>
> Gwt-servlet.jar -
> 1.1 Vulnerable version of Google Protobuf(current version - 2.5.0, 
> available version - 3.4.0) [CVE-2015-5237]
>
>
> On Monday, 29 June 2020 16:27:41 UTC+5:30, Priya Kolekar wrote:
>>
>>
>> Hi All,
>>
>> Security vulnerabilities have been detected in gwt-dev.jar & 
>> gwt-servlet.jar (in release 2.8.2) & are reported by the Dependency checker 
>> tool.
>>
>> Below are the details -
>>
>> Gwt-dev.jar -
>> 1.1 Vulnerable version of jetty library(current version-- 9.2.14, 
>> available version -9.2.27+ )
>> 1.2 Vulnerable version of commons-collections(current version - 3.2.1)
>> 1.3 Vulnerable version of org.apache.httpcomponents:httpclient(current 
>> version - 4.3.1)
>> 1.4 Vulnerable version of Google Protobuf(current version - 2.5.0, 
>> available version - 3.4.0)
>> 1.5  Vulnerable version of htmlunit ( current version - 2.19 , available 
>> version- 2.37)
>>
>> Gwt-servlet.jar -
>> 1.1 Vulnerable version of Google Protobuf(current version - 
>> 2.5.0, available version - 3.4.0)
>>
>> Given above vulnerabilities -
>> 1. Are those security issues addressed in latest 2.9.0 release?
>> 2. If no, is there a plan to include them in any future release say 3.x?
>> 3. As we know that gwt-dev.jar is used for development purposes & can be 
>> flagged as a false positive, are there still any attack surfaces?
>>
>

-- 
You received this message because you are subscribed to the Google Groups "GWT 
Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to google-web-toolkit+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/google-web-toolkit/5ee8893c-b867-4457-87f9-0e68f1fcc26dn%40googlegroups.com.
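
An added example, not part of the thread and not GWT project code: one way to check what a scanner is reacting to when it reports protobuf-java inside another jar is to look in the archive for embedded Maven metadata and for classes under the library's package path. The sample jar is constructed in memory; whether a real gwt-servlet.jar carries a `pom.properties` entry for protobuf is an assumption, so the class count covers the case where it does not.

```python
import io
import zipfile

POM_PREFIX = "META-INF/maven/"

def bundled_artifacts(jar_bytes, package_prefixes=("com/google/protobuf/",)):
    """Return (artifacts, class_counts) for a jar given as bytes.

    artifacts: {"groupId:artifactId": version} from embedded pom.properties
    class_counts: {prefix: number of .class files under that package path}
    """
    artifacts, class_counts = {}, {p: 0 for p in package_prefixes}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.startswith(POM_PREFIX) and name.endswith("/pom.properties"):
                props = {}
                for line in jar.read(name).decode("utf-8", "replace").splitlines():
                    line = line.strip()
                    if line and not line.startswith("#") and "=" in line:
                        key, _, value = line.partition("=")
                        props[key.strip()] = value.strip()
                if {"groupId", "artifactId", "version"} <= props.keys():
                    coord = f"{props['groupId']}:{props['artifactId']}"
                    artifacts[coord] = props["version"]
            elif name.endswith(".class"):
                for prefix in package_prefixes:
                    if name.startswith(prefix):
                        class_counts[prefix] += 1
    return artifacts, class_counts

def build_sample_jar(with_pom=True):
    """Constructed sample: a small jar with protobuf classes repackaged inside."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if with_pom:
            jar.writestr(
                "META-INF/maven/com.google.protobuf/protobuf-java/pom.properties",
                "#Generated by Maven\nversion=2.5.0\n"
                "groupId=com.google.protobuf\nartifactId=protobuf-java\n")
        jar.writestr("com/google/protobuf/Message.class", b"\xca\xfe\xba\xbe")
        jar.writestr("com/google/protobuf/ByteString.class", b"\xca\xfe\xba\xbe")
        jar.writestr("com/example/app/Servlet.class", b"\xca\xfe\xba\xbe")  # hypothetical app class
    return buf.getvalue()

if __name__ == "__main__":
    found, counts = bundled_artifacts(build_sample_jar())
    print("embedded artifacts:", found)
    print("classes per package:", counts)
```

To run it against a real file, pass `open("gwt-servlet.jar", "rb").read()` to `bundled_artifacts`.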


Re: Install GWT plugin for Firefox26

2022-06-28 Thread 'Ben Shapiro' via GWT Users
We have the gwt-dev-plugin-1.26-rc1.xpi plugin here in our office. I am 
happy to give you a copy if you want.  Then you can manually install it on 
your old version of Firefox.

You can reach me at bshapiro @ qvera.com.

Thanks.

On Friday, June 24, 2022 at 3:29:44 AM UTC-6 dis0...@gmail.com wrote:

> I maintain the (old) application with the GWT part. To run the system 
> locally (bugs fixing or minor code changes) I need the FF26 - and the GWT 
> plugin.
> Each time I have to setup my machine for the task, I install the FF26 and 
> the GWT plugin. No problems in the past. But this year I get the error 
> while doing it:
>
> Secure Connection Failed
> An error occurred during a connection to www.gwtproject.org. Cannot 
> communicate securely with peer: no common encryption algorithm(s). (Error 
> code: ssl_error_no_cypher_overlap) 
>
> How can I install the GWT plugin on my FF26 browser?
>
> Thanks!
>
