Spring Boot 3.1.5, Kafka 3.5.1, mod-pubsub-client 2.12.2

Description

Upgrade spring-boot-starter-parent from 3.1.4 to 3.1.5. This indirectly upgrades tomcat-embed-core from 10.1.13 to 10.1.15, fixing Denial of Service (DoS), Improper Input Validation, and Incomplete Cleanup: https://nvd.nist.gov/vuln/detail/CVE-2023-44487, https://nvd.nist.gov/vuln/detail/CVE-2023-45648, https://nvd.nist.gov/vuln/detail/CVE-2023-42795

Upgrade Kafka from 3.4.1 to 3.5.1. This indirectly upgrades snappy-java from 1.1.8.4 to 1.1.10.1, fixing Allocation of Resources Without Limits or Throttling, Denial of Service (DoS), and Integer Overflow or Wraparound: https://nvd.nist.gov/vuln/detail/CVE-2023-43642, https://nvd.nist.gov/vuln/detail/CVE-2023-34455, https://nvd.nist.gov/vuln/detail/CVE-2023-34454, https://nvd.nist.gov/vuln/detail/CVE-2023-34453

Upgrade mod-pubsub-client from 2.9.1 to 2.12.2. This indirectly upgrades netty-codec-http2 from 4.1.97.Final to 4.1.100.Final, fixing Denial of Service (DoS): https://nvd.nist.gov/vuln/detail/CVE-2023-44487
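Because all three fixes arrive transitively, the useful verification after merging is to confirm that the resolved versions in the dependency tree are at or above the fixed ones. The following is an added example, not part of this ticket or the module's code: it parses `mvn dependency:tree` style output and compares versions numerically, which matters here because a plain string comparison would rank 4.1.100.Final below 4.1.97.Final. The tree text is a constructed sample, the org.folio coordinate for mod-pubsub-client is assumed, and the version ordering is a simplified one (not full Maven semantics, e.g. SNAPSHOT handling).

```python
import re

# Minimum versions carrying the fixes named in this ticket (values taken from the ticket text).
FIXED_MINIMUMS = {
    "org.apache.tomcat.embed:tomcat-embed-core": "10.1.15",
    "org.xerial.snappy:snappy-java": "1.1.10.1",
    "io.netty:netty-codec-http2": "4.1.100.Final",
}

# Constructed sample of `mvn dependency:tree` output; not taken from the real module.
# netty is deliberately left at the old version so the check reports something.
SAMPLE_TREE = """\
[INFO] org.folio:example-module:jar:1.0.0-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:3.1.5:compile
[INFO] |  \\- org.springframework.boot:spring-boot-starter-tomcat:jar:3.1.5:compile
[INFO] |     \\- org.apache.tomcat.embed:tomcat-embed-core:jar:10.1.15:compile
[INFO] +- org.apache.kafka:kafka-clients:jar:3.5.1:compile
[INFO] |  \\- org.xerial.snappy:snappy-java:jar:1.1.10.1:runtime
[INFO] \\- org.folio:mod-pubsub-client:jar:2.12.2:compile
[INFO]    \\- io.netty:netty-codec-http2:jar:4.1.97.Final:compile
"""

# groupId:artifactId:type:version[:scope] at the end of a tree line.
TREE_LINE = re.compile(
    r"([A-Za-z0-9_.\-]+):([A-Za-z0-9_.\-]+):[a-z\-]+:([A-Za-z0-9_.\-]+)(?::[a-z]+)?$"
)


def version_key(version: str) -> tuple:
    """Split '4.1.100.Final' into comparable parts; numeric tokens compare as integers.

    Simplified ordering (assumption): enough for the dotted versions in this ticket,
    not a full implementation of Maven's ComparableVersion rules.
    """
    parts = []
    for token in re.split(r"[.\-]", version):
        parts.append((0, int(token)) if token.isdigit() else (1, token))
    return tuple(parts)


def parse_tree(text: str) -> dict:
    """Map 'groupId:artifactId' to the resolved version found in dependency:tree output."""
    resolved = {}
    for line in text.splitlines():
        m = TREE_LINE.search(line)
        if m:
            resolved[f"{m.group(1)}:{m.group(2)}"] = m.group(3)
    return resolved


def check_minimums(resolved: dict, minimums: dict) -> dict:
    """Return artifacts still below their fixed version (or missing), keyed by coordinate."""
    findings = {}
    for coordinate, minimum in minimums.items():
        actual = resolved.get(coordinate)
        if actual is None or version_key(actual) < version_key(minimum):
            findings[coordinate] = actual
    return findings


if __name__ == "__main__":
    for coordinate, actual in check_minimums(parse_tree(SAMPLE_TREE), FIXED_MINIMUMS).items():
        print(f"BELOW FIXED VERSION: {coordinate} resolved {actual}, need {FIXED_MINIMUMS[coordinate]}")
```

Feeding it the real output of `mvn dependency:tree` for the module (the tree format is the standard one) gives a quick post-upgrade check that no other dependency path still pins an older tomcat-embed-core, snappy-java or netty-codec-http2.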

CSP Request Details

None

CSP Rejection Details

None

Potential Workaround

None

Checklist


Activity


Julian Ladisch December 20, 2023 at 12:39 PM

Works for me on Poppy bugfest environment.

JenkinsNotifications December 18, 2023 at 3:20 PM

Deployed to the Poppy bf env. Moved status to In bugfix review from status Awaiting deployment. Please proceed with the verification.

Done

Details

Assignee

Reporter

Priority

Development Team

Volaris

Fix versions

Release

Poppy (R2 2023) Bug Fix

RCA Group

Related dependency upgrade

Affected releases

Poppy (R2 2023)

Created November 5, 2023 at 2:44 PM
Updated March 26, 2024 at 11:39 PM
Resolved November 6, 2023 at 9:33 AM