Spring 5.3, kafkaclients 3.2.3, folio-di-support 1.7.0
Status
Done
Story Points
0
Development Team
Folijet
Fix versions
Release
Nolana (R3 2022) Bug Fix
RCA Group
Related dependency upgrade
Created November 1, 2022 at 11:57 PM
Updated December 20, 2022 at 10:59 AM
Resolved November 2, 2022 at 4:22 PM
Upgrade kafka-clients from 3.1.0 to 3.2.3, fixing Memory Allocation with Excessive Size Value (the advisory describes broker-side memory exhaustion triggered by unauthenticated clients; the kafka-clients artifact carries the affected Kafka version range and is what dependency scanners flag):
https://nvd.nist.gov/vuln/detail/CVE-2022-34917
Upgrade kafka-junit from 3.1.0 to 3.2.2 to match the kafka-clients version.
Remove the unused httpclient dependency. This indirectly removes commons-codec 1.11, which has an Information Exposure vulnerability:
https://app.snyk.io/vuln/SNYK-JAVA-COMMONSCODEC-561518
Move JUnitParams from runtime to test scope. This indirectly removes junit 4.12 from the runtime classpath; it has an Information Exposure vulnerability:
https://nvd.nist.gov/vuln/detail/CVE-2020-15250
Upgrade springframework from 5.2.8.RELEASE to 5.3.22. Note that open source Spring 5.2.* has reached its end of life and has been out of support since 2021-12-31: https://spring.io/projects/spring-framework#support
Remove the unused spring-beans 5.2.8.RELEASE dependency, which has the Spring4Shell Remote Code Execution vulnerability (FOLIO-3466):
https://nvd.nist.gov/vuln/detail/CVE-2022-22965
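One way to verify that the changes above actually took effect, as an added example that is not part of this issue or of the FOLIO module's code: parse the output of `mvn dependency:tree` and report every artifact still below the fixed version named above, separating artifacts that ship in the module (compile or runtime scope) from test-only ones, so that a junit 4.12 moved to test scope is reported as harmless while a transitive commons-codec 1.11 at compile scope is not. The version floors, the `SHIPPED_SCOPES` policy, the `Finding` type, the module name `mod-example` and both sample trees are assumptions constructed for the example (the commons-codec floor of 1.13 is taken from the Snyk advisory, not from the issue).

```python
"""Check `mvn dependency:tree` output for artifacts below a fixed version.

Added example for this issue, not code from the FOLIO module. Version floors
are the fixed versions named in the issue (commons-codec 1.13 assumed from the
Snyk advisory); the two sample trees below are constructed, not real output.
"""
from dataclasses import dataclass

# Lowest acceptable version per groupId:artifactId.
VERSION_FLOORS = {
    "org.apache.kafka:kafka-clients": "3.2.3",      # CVE-2022-34917
    "commons-codec:commons-codec": "1.13",          # SNYK-JAVA-COMMONSCODEC-561518 (floor assumed)
    "junit:junit": "4.13.1",                        # CVE-2020-15250
    "org.springframework:spring-beans": "5.3.18",   # CVE-2022-22965; 5.2.x is EOL, so 5.3.18 is the floor
}

# Scopes that end up in the deployed module; test and provided do not ship (policy assumed here).
SHIPPED_SCOPES = {"compile", "runtime"}
KNOWN_SCOPES = SHIPPED_SCOPES | {"provided", "test", "system"}


@dataclass(frozen=True)
class Finding:
    coordinate: str  # groupId:artifactId
    version: str
    scope: str
    shipped: bool


def parse_version(version):
    """'5.2.8.RELEASE' -> (5, 2, 8); parsing stops at the first non-numeric part."""
    parts = []
    for piece in version.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def version_below(version, floor):
    return parse_version(version) < parse_version(floor)


def parse_tree(tree_text):
    """Yield (coordinate, version, scope) for every dependency line in the tree dump."""
    for raw in tree_text.splitlines():
        # Drop the [INFO] prefix and the +- / \- / | tree drawing, then keep the coordinate token.
        line = raw.replace("[INFO]", "").strip(" |+\\-")
        fields = line.split()[0].split(":") if line else []
        # groupId:artifactId:packaging[:classifier]:version:scope (the root module has no scope)
        if len(fields) == 5:
            group, artifact, _packaging, version, scope = fields
        elif len(fields) == 6:
            group, artifact, _packaging, _classifier, version, scope = fields
        else:
            continue
        if scope in KNOWN_SCOPES:
            yield f"{group}:{artifact}", version, scope


def find_vulnerable(tree_text, floors=VERSION_FLOORS):
    """Every artifact below its floor, tagged with whether it is on the shipped classpath."""
    return [
        Finding(coordinate, version, scope, scope in SHIPPED_SCOPES)
        for coordinate, version, scope in parse_tree(tree_text)
        if coordinate in floors and version_below(version, floors[coordinate])
    ]


def shipped_vulnerabilities(tree_text, floors=VERSION_FLOORS):
    """Findings that affect the deployed module; a test-scoped junit 4.12 is not one of them."""
    return [f for f in find_vulnerable(tree_text, floors) if f.shipped]


# Constructed sample trees: the module before and after the changes in this issue.
BEFORE_TREE = r"""
[INFO] --- maven-dependency-plugin:3.3.0:tree (default-cli) @ mod-example ---
[INFO] org.folio:mod-example:jar:1.0.0-SNAPSHOT
[INFO] +- org.apache.kafka:kafka-clients:jar:3.1.0:compile
[INFO] +- org.apache.httpcomponents:httpclient:jar:4.5.13:compile
[INFO] |  \- commons-codec:commons-codec:jar:1.11:compile
[INFO] +- pl.pragmatists:JUnitParams:jar:1.1.1:compile
[INFO] |  \- junit:junit:jar:4.12:compile
[INFO] +- org.springframework:spring-beans:jar:5.2.8.RELEASE:compile
[INFO] \- org.springframework:spring-context:jar:5.2.8.RELEASE:compile
"""

AFTER_TREE = r"""
[INFO] org.folio:mod-example:jar:1.0.0-SNAPSHOT
[INFO] +- org.apache.kafka:kafka-clients:jar:3.2.3:compile
[INFO] +- pl.pragmatists:JUnitParams:jar:1.1.1:test
[INFO] |  \- junit:junit:jar:4.12:test
[INFO] \- org.springframework:spring-context:jar:5.3.22:compile
[INFO]    \- org.springframework:spring-beans:jar:5.3.22:compile
"""

if __name__ == "__main__":
    for label, tree in (("before", BEFORE_TREE), ("after", AFTER_TREE)):
        print(f"{label}:")
        for f in find_vulnerable(tree):
            print(f"  {'SHIPPED  ' if f.shipped else 'test-only'} {f.coordinate}:{f.version} ({f.scope})")
```

Run it against a real dump with `mvn dependency:tree > tree.txt` and feed the file contents to `shipped_vulnerabilities`; a non-empty result is the signal that a transitive artifact (spring-beans pulled in by spring-context, commons-codec pulled in by httpclient) survived the cleanup. The check compares against a version floor rather than asserting absence, because the after-state legitimately still contains spring-beans, just at 5.3.22.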