minio 8.5.7 fixing security vulnerabilities

Description

Upgrade minio from 8.5.4 to 8.5.7.

The minio upgrade indirectly upgrades these vulnerable dependencies:

snappy-java from 1.1.10.1 to 1.1.10.5 fixing https://nvd.nist.gov/vuln/detail/CVE-2023-43642 Allocation of Resources Without Limits or Throttling

okio/okio-jvm from 3.2.0 to 3.6.0 fixing https://nvd.nist.gov/vuln/detail/CVE-2023-3635 Denial of Service (DoS)

commons-compress from 1.23.0 to 1.24.0 fixing https://nvd.nist.gov/vuln/detail/CVE-2023-42503 Improper Input Validation

bcprov-jdk15on 1.70 replaced by bcprov-jdk18on 1.76 (the artifact id changes, not just the version) fixing https://nvd.nist.gov/vuln/detail/CVE-2023-33202 Uncontrolled Resource Consumption ('Resource Exhaustion') and https://nvd.nist.gov/vuln/detail/CVE-2023-33201 Information Exposure

kotlin-stdlib from 1.6.20 to 1.8.21 fixing https://nvd.nist.gov/vuln/detail/CVE-2020-29582 Information Exposure
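As an added verification step (not part of this ticket or of the folio-s3-client project), the script below scans `mvn dependency:tree` output for any of the dependencies listed above that are still below the fixed version, and treats any remaining bcprov-jdk15on as unresolved because the fix moved to a different artifact id. The Maven group ids are assumed from Maven Central (the ticket names only the artifacts) and the sample tree is constructed.

```python
import re

# Minimum fixed versions from the ticket; group ids assumed from Maven Central.
MIN_SAFE = {
    "io.minio:minio": "8.5.7",
    "org.xerial.snappy:snappy-java": "1.1.10.5",
    "com.squareup.okio:okio": "3.6.0",
    "com.squareup.okio:okio-jvm": "3.6.0",
    "org.apache.commons:commons-compress": "1.24.0",
    "org.bouncycastle:bcprov-jdk18on": "1.76",
    "org.jetbrains.kotlin:kotlin-stdlib": "1.8.21",
}
# bcprov changed artifact id, so a version bump alone cannot satisfy the fix:
# any bcprov-jdk15on left in the tree is reported regardless of its version.
RETIRED = {"org.bouncycastle:bcprov-jdk15on": "org.bouncycastle:bcprov-jdk18on"}


def version_key(v):
    """Numeric tuple for comparison: '1.1.10.5' -> (1, 1, 10, 5)."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def parse_tree(text):
    """Yield (group:artifact, version) pairs from `mvn dependency:tree` output."""
    for line in text.splitlines():
        line = re.sub(r"\s*\(.*\)\s*$", "", line)  # drop "(version managed from ...)"
        m = re.search(r"([\w.\-]+(?::[\w.\-]+){3,5})\s*$", line)
        if not m:
            continue
        parts = m.group(1).split(":")
        # g:a:type:version[:scope]  or  g:a:type:classifier:version:scope
        version = parts[4] if len(parts) == 6 else parts[3]
        yield f"{parts[0]}:{parts[1]}", version


def find_vulnerable(text):
    """Return sorted (coordinate, version, reason) for dependencies still unfixed."""
    findings = []
    for coord, version in parse_tree(text):
        if coord in RETIRED:
            findings.append((coord, version, f"replaced by {RETIRED[coord]}"))
        elif coord in MIN_SAFE and version_key(version) < version_key(MIN_SAFE[coord]):
            findings.append((coord, version, f"below {MIN_SAFE[coord]}"))
    return sorted(findings)


# Constructed sample: a module still on minio 8.5.4 (before the upgrade).
SAMPLE_TREE = """\
[INFO] org.example:my-module:jar:1.0.0-SNAPSHOT
[INFO] +- io.minio:minio:jar:8.5.4:compile
[INFO] |  +- org.xerial.snappy:snappy-java:jar:1.1.10.1:compile
[INFO] |  +- com.squareup.okio:okio-jvm:jar:3.2.0:compile
[INFO] |  +- org.apache.commons:commons-compress:jar:1.23.0:compile
[INFO] |  \\- org.bouncycastle:bcprov-jdk15on:jar:1.70:compile
[INFO] \\- org.jetbrains.kotlin:kotlin-stdlib:jar:1.8.21:compile (version managed from 1.6.20)
"""

if __name__ == "__main__":
    for coord, version, reason in find_vulnerable(SAMPLE_TREE):
        print(f"{coord}:{version}  {reason}")
```

Run it against real output with `mvn dependency:tree | python check_tree.py`-style piping by replacing SAMPLE_TREE with `sys.stdin.read()`; an empty result means none of the listed vulnerable versions remain on the classpath.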

CSP Request Details

None

CSP Rejection Details

None

Potential Workaround

None


Activity

Magda Zacharska March 7, 2024 at 10:06 PM

I’m changing the release to Quesnelia - if this needs to be included in a Poppy CSP we can clone the ticket and assign proper release.

Craig McNally March 7, 2024 at 4:32 PM

Yes, we want to get this into Quesnelia. Once we have approval for inclusion into a Poppy CSP we will update the relevant fields here.

Magda Zacharska March 4, 2024 at 7:35 PM

Is it still considered for the Poppy Service Patch, or should we include it in the Quesnelia release? If the former, could the security team provide reasons for this release and update the label to "security-reviewed"?

Tatsiana Hryhoryeva March 4, 2024 at 3:41 PM

Hi,

The jobs with large number of records were executed on https://folio-testing-sprint-fs09000000.ci.folio.org/ environment:

Bulk edit


Data export

Files have been uploaded, jobs executed as expected. Some failed jobs in "Bulk edit" were done in the Edge browser.

Mikita Siadykh February 16, 2024 at 10:29 AM

hi

So, for now, it would be helpful if the folio-s3-client library was updated (PR reviewed, merged, and a new version of the client released)

For the library release we need CSP approval as well; the team will do review and testing (we don't fully trust minio semver and want to test it properly, as we had cases when a patch upgrade introduced an OOM issue).

Done

Details

Development Team

Firebird

Release

Quesnelia (R1 2024)

RCA Group

Related dependency upgrade

Affected releases

Poppy (R2 2023)

Created January 31, 2024 at 3:08 PM
Updated March 12, 2024 at 7:17 PM
Resolved March 12, 2024 at 7:17 PM