[jira] [Commented] (GUACAMOLE-1806) Update Java dependencies to patched versions
[ https://issues.apache.org/jira/browse/GUACAMOLE-1806?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17731225#comment-17731225 ] Mike Jumper commented on GUACAMOLE-1806: I have no objection to migrating to a different library. > Update Java dependencies to patched versions > > > Key: GUACAMOLE-1806 > URL: https://issues.apache.org/jira/browse/GUACAMOLE-1806 > Project: Guacamole > Issue Type: Task > Components: guacamole >Reporter: Markus * >Priority: Minor > > These changes should address the following (potentially relevant) > vulnerabilities: > * [CVE-2022-21724|https://github.com/advisories/GHSA-v7wg-cpwc-24m4] > * [CVE-2022-26520|https://github.com/advisories/GHSA-727h-hrw8-jg8q] > * [CVE-2022-31197|https://github.com/advisories/GHSA-r38f-c4h4-hqq2] > * [CVE-2022-40151|https://github.com/advisories/GHSA-f8cc-g7j8-xxpm] > * [CVE-2022-40152|https://github.com/advisories/GHSA-3f7h-mf4q-vrm4] > * [CVE-2022-41946|https://github.com/advisories/GHSA-562r-vg33-8x8h] > * [CVE-2023-20861|https://github.com/advisories/GHSA-564r-hj7v-mcr5] > * [CVE-2023-20862|https://github.com/advisories/GHSA-x873-6rgc-94jc] > * [CVE-2023-20863|https://github.com/advisories/GHSA-wxqc-pxw9-g2p8] > * [GHSA-673j-qm5f-xpv8|https://github.com/advisories/GHSA-673j-qm5f-xpv8] -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (GUACAMOLE-1806) Update Java dependencies to patched versions
[ https://issues.apache.org/jira/browse/GUACAMOLE-1806?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17731206#comment-17731206 ] Markus * commented on GUACAMOLE-1806: - ??If you want to give updating to 6.x a try, that should be OK as long as it's compatible with Java 8.?? It seems that Spring Security 6.0 requires Java 17. (see [here|https://github.com/spring-projects/spring-security#spring-security]) This probably means that the use of Spring is a dead-end as no (potential) future vulnerabilities could be addressed by just updating this dependency. What are your thoughts on using another library (e.g. Apache Commons Net) instead? > Update Java dependencies to patched versions > > > Key: GUACAMOLE-1806 > URL: https://issues.apache.org/jira/browse/GUACAMOLE-1806 > Project: Guacamole > Issue Type: Task > Components: guacamole >Reporter: Markus * >Priority: Minor > > These changes should address the following (potentially relevant) > vulnerabilities: > * [CVE-2022-21724|https://github.com/advisories/GHSA-v7wg-cpwc-24m4] > * [CVE-2022-26520|https://github.com/advisories/GHSA-727h-hrw8-jg8q] > * [CVE-2022-31197|https://github.com/advisories/GHSA-r38f-c4h4-hqq2] > * [CVE-2022-40151|https://github.com/advisories/GHSA-f8cc-g7j8-xxpm] > * [CVE-2022-40152|https://github.com/advisories/GHSA-3f7h-mf4q-vrm4] > * [CVE-2022-41946|https://github.com/advisories/GHSA-562r-vg33-8x8h] > * [CVE-2023-20861|https://github.com/advisories/GHSA-564r-hj7v-mcr5] > * [CVE-2023-20862|https://github.com/advisories/GHSA-x873-6rgc-94jc] > * [CVE-2023-20863|https://github.com/advisories/GHSA-wxqc-pxw9-g2p8] > * [GHSA-673j-qm5f-xpv8|https://github.com/advisories/GHSA-673j-qm5f-xpv8] -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (GUACAMOLE-1806) Update Java dependencies to patched versions
[ https://issues.apache.org/jira/browse/GUACAMOLE-1806?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17731100#comment-17731100 ] Mike Jumper commented on GUACAMOLE-1806: According to https://nvd.nist.gov/vuln/detail/CVE-2016-127, that applies only to "Pivotal Spring Framework through 5.3.16". If you want to give updating to 6.x a try, that should be OK as long as it's compatible with Java 8. The usage of Spring is very minimal - just an IP address matcher: https://github.com/apache/guacamole-client/blob/466476412a8a93440bea1121f374e17021380f25/extensions/guacamole-auth-json/src/main/java/org/apache/guacamole/auth/json/RequestValidationService.java#L29 As for Bouncy Castle, as you note, there's no such release available in Maven Central, nor is the interim workaround release FIPS-certified (that may be why it's not in Maven). I'd be very on the fence about switching to a non-certified version. > Update Java dependencies to patched versions > > > Key: GUACAMOLE-1806 > URL: https://issues.apache.org/jira/browse/GUACAMOLE-1806 > Project: Guacamole > Issue Type: Task > Components: guacamole >Reporter: Markus * >Priority: Minor > > These changes should address the following (potentially relevant) > vulnerabilities: > * [CVE-2022-21724|https://github.com/advisories/GHSA-v7wg-cpwc-24m4] > * [CVE-2022-26520|https://github.com/advisories/GHSA-727h-hrw8-jg8q] > * [CVE-2022-31197|https://github.com/advisories/GHSA-r38f-c4h4-hqq2] > * [CVE-2022-40151|https://github.com/advisories/GHSA-f8cc-g7j8-xxpm] > * [CVE-2022-40152|https://github.com/advisories/GHSA-3f7h-mf4q-vrm4] > * [CVE-2022-41946|https://github.com/advisories/GHSA-562r-vg33-8x8h] > * [CVE-2023-20861|https://github.com/advisories/GHSA-564r-hj7v-mcr5] > * [CVE-2023-20862|https://github.com/advisories/GHSA-x873-6rgc-94jc] > * [CVE-2023-20863|https://github.com/advisories/GHSA-wxqc-pxw9-g2p8] > * [GHSA-673j-qm5f-xpv8|https://github.com/advisories/GHSA-673j-qm5f-xpv8] -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (GUACAMOLE-1806) Update Java dependencies to patched versions
[ https://issues.apache.org/jira/browse/GUACAMOLE-1806?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17731099#comment-17731099 ] Markus * commented on GUACAMOLE-1806: - Trivy also noticed two more vulnerabilities: * CVE-2016-127 * CVE-2022-45146 In order to get rid of the first one, a major version update of org.springframework:spring-web would become necessary. As far as I can tell, this would need more than just to bump version numbers. (see [here|https://github.com/spring-projects/spring-framework/wiki/Upgrading-to-Spring-Framework-6.x#upgrading-to-version-60]) The second one concerns org.bouncycastle:bc-fips. It seems to have been fixed. (see [here|https://www.bouncycastle.org/latest_releases.html]) However, the published release is still labeled a release candidate. It is also missing in the Maven Repository. (see [here|https://mvnrepository.com/artifact/org.bouncycastle/bc-fips]) > Update Java dependencies to patched versions > > > Key: GUACAMOLE-1806 > URL: https://issues.apache.org/jira/browse/GUACAMOLE-1806 > Project: Guacamole > Issue Type: Task > Components: guacamole >Reporter: Markus * >Priority: Minor > > These changes should address the following (potentially relevant) > vulnerabilities: > * [CVE-2022-21724|https://github.com/advisories/GHSA-v7wg-cpwc-24m4] > * [CVE-2022-26520|https://github.com/advisories/GHSA-727h-hrw8-jg8q] > * [CVE-2022-31197|https://github.com/advisories/GHSA-r38f-c4h4-hqq2] > * [CVE-2022-40151|https://github.com/advisories/GHSA-f8cc-g7j8-xxpm] > * [CVE-2022-40152|https://github.com/advisories/GHSA-3f7h-mf4q-vrm4] > * [CVE-2022-41946|https://github.com/advisories/GHSA-562r-vg33-8x8h] > * [CVE-2023-20861|https://github.com/advisories/GHSA-564r-hj7v-mcr5] > * [CVE-2023-20862|https://github.com/advisories/GHSA-x873-6rgc-94jc] > * [CVE-2023-20863|https://github.com/advisories/GHSA-wxqc-pxw9-g2p8] > * [GHSA-673j-qm5f-xpv8|https://github.com/advisories/GHSA-673j-qm5f-xpv8] -- This message was sent by Atlassian Jira (v8.20.10#820010)
