Update Spring from 2.6.3 to 2.6.6.
This fixes these vulnerabilities:
Spring4Shell spring-beans RCE https://nvd.nist.gov/vuln/detail/CVE-2022-22965
PostgreSQL Arbitrary Code Injection https://nvd.nist.gov/vuln/detail/CVE-2022-26520
PostgreSQL RCE https://nvd.nist.gov/vuln/detail/CVE-2022-21724
jackson-databind DoS https://nvd.nist.gov/vuln/detail/CVE-2020-36518
liquibase-core XML External Entity (XXE) Injection https://nvd.nist.gov/vuln/detail/CVE-2022-0839
Checking that the Docker container actually contains the upgraded libraries:
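One way to do that check in a repeatable way, as an added example that is not part of this ticket: pull the jar listing out of the image (for instance with `docker run --rm "$IMAGE" find / -name '*.jar'`) and compare each library of interest against the minimum fixed version. The listing below is constructed so the script runs offline, the `/app/BOOT-INF/lib` paths are assumed, and the minimum versions are assumptions taken from the upstream advisories rather than from this ticket; set them from your own bill of materials.

```shell
#!/bin/sh
# Added example: verify that a jar listing (as produced by
#   docker run --rm "$IMAGE" find / -name '*.jar' 2>/dev/null
# ) contains each library at or above its fixed version.
# Requires sort -V (GNU coreutils or busybox).

# artifact|minimum version. ASSUMPTION: these thresholds are taken from the
# upstream advisories for the CVEs in the ticket, not from the ticket itself.
MIN_VERSIONS='spring-beans|5.3.18
jackson-databind|2.13.2.1
postgresql|42.3.3
liquibase-core|4.8.0'

# Constructed listing of a rebuilt image (paths assumed, not from the ticket).
SAMPLE_LISTING='/app/BOOT-INF/lib/spring-beans-5.3.18.jar
/app/BOOT-INF/lib/spring-core-5.3.18.jar
/app/BOOT-INF/lib/jackson-databind-2.13.2.1.jar
/app/BOOT-INF/lib/postgresql-42.3.3.jar
/app/BOOT-INF/lib/liquibase-core-4.8.0.jar'

# Constructed listing of a stale image: outdated libraries, liquibase absent.
STALE_LISTING='/app/BOOT-INF/lib/spring-beans-5.3.16.jar
/app/BOOT-INF/lib/jackson-databind-2.13.1.jar
/app/BOOT-INF/lib/postgresql-42.3.1.jar'

# version_ge A B -> success when A >= B under natural version ordering
version_ge() {
    [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | head -n1)" = "$2" ]
}

# jar_version NAME LISTING -> version of NAME-<version>.jar in LISTING, or empty
jar_version() {
    printf '%s\n' "$2" \
        | sed 's#.*/##' \
        | sed -n "s/^$1-\([0-9][0-9A-Za-z.]*\)\.jar\$/\1/p" \
        | head -n1
}

# check_jars LISTING -> success only if every artifact in MIN_VERSIONS is
# present at or above its minimum; prints one status line per artifact.
check_jars() {
    failures=0
    # here-document keeps the loop in the current shell, so $failures survives
    while IFS='|' read -r name min; do
        found=$(jar_version "$name" "$1")
        if [ -z "$found" ]; then
            echo "MISSING  $name (expected >= $min)"
            failures=$((failures + 1))
        elif version_ge "$found" "$min"; then
            echo "OK       $name-$found (>= $min)"
        else
            echo "OUTDATED $name-$found (< $min)"
            failures=$((failures + 1))
        fi
    done <<EOF
$MIN_VERSIONS
EOF
    [ "$failures" -eq 0 ]
}

# Usage: the rebuilt image passes, the stale one is rejected.
check_jars "$SAMPLE_LISTING"
if ! check_jars "$STALE_LISTING"; then
    echo "stale image rejected"
fi
```

The check is deliberately on the jars inside the image rather than on the pom, because a cached layer or a wrong base image can leave the old library in the container even after the dependency bump has been merged.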
These are fixed versions, therefore I close as done. Thanks!
Already released and deployed to Lotus bugfest. Can you review and probably close the issue?
No, it has already been merged to master.
Thanks. Do we need to create a user story for this work to be done in Morning Glory too?
Yes, it fixes remote code execution vulnerabilities that should be released with next Lotus hotfix.