Spring Boot 3.1.5, okio-jvm 3.4.0

Description

Upgrade Spring Boot from 3.1.2 to 3.1.5. This indirectly upgrades tomcat-embed-core from 10.1.11 to 10.1.15, which fixes a Denial of Service (DoS) vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2023-44487

Upgrade okio-jvm from 3.0.0 to 3.4.0, which fixes a Denial of Service (DoS) vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2023-3635

CSP Request Details

None

CSP Rejection Details

None

Potential Workaround

None


Activity

Emma_Haroyan November 9, 2023 at 12:41 PM

I did some general testing on int env, all seems to be good.

Matt Weaver November 8, 2023 at 6:58 PM

I went ahead and released 1.0.1 with this change, since it's a security thing and we want to make sure we don't go to Poppy without it. That said, we should still go through QA on it, to be safe; if there's something wrong, we'll just have to do another patch release. The only real QA for this one is basic smoke testing and making sure it still works.

Done

Details

Development Team

Corsair

Fix versions

Release

Poppy (R2 2023) Bug Fix

RCA Group

Related dependency upgrade

Created November 8, 2023 at 11:13 AM
Updated November 20, 2023 at 2:06 PM
Resolved November 9, 2023 at 2:32 PM