[FOLIO-3639] spring-module-core Spring Boot 2.7.5, Jackson 2.14.0, snakeyaml 1.33 Created: 09/Nov/22  Updated: 17/Nov/22  Resolved: 14/Nov/22

Status: Closed
Project: FOLIO
Components: None
Affects versions: None
Fix versions: None

Type: Bug Priority: P2
Reporter: Julian Ladisch Assignee: Julian Ladisch
Resolution: Done Votes: 0
Labels: security, security-reviewed
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original estimate: Not Specified

Issue links:
Gantt End to Start
has to be done before FOLIO-3642 Release spring-module-core 1.1.2 for ... Closed
Sprint:
Development Team: Core: Platform
RCA Group: Related dependency upgrade

Description

Upgrade Spring Boot from 2.6.7 to 2.7.5.

End of support for Open Source Spring Boot 2.6 is 2022-11-18: https://spring.io/projects/spring-boot#support

Upgrading Spring Boot upgrades spring-beans from 5.3.19 to 5.3.23 fixing Denial of Service (DoS):
https://nvd.nist.gov/vuln/detail/CVE-2022-22970

Upgrading Spring Boot upgrades tomcat-embed-core from 9.0.62 to 9.0.68 fixing HTTP Request Smuggling:
https://nvd.nist.gov/vuln/detail/CVE-2022-42252

Upgrade Jackson from 2.13.2.1 (transitive version from Spring Boot) to 2.14.0 fixing Denial of Service (DoS):
https://nvd.nist.gov/vuln/detail/CVE-2022-42003
https://nvd.nist.gov/vuln/detail/CVE-2022-42004

Upgrade snakeyaml from 1.29 (transitive version from Spring Boot) to 1.33 fixing Denial of Service (DoS) and Stack-based Buffer Overflow:
https://nvd.nist.gov/vuln/detail/CVE-2022-25857
https://nvd.nist.gov/vuln/detail/CVE-2022-38749
https://nvd.nist.gov/vuln/detail/CVE-2022-38750
https://nvd.nist.gov/vuln/detail/CVE-2022-38751
https://nvd.nist.gov/vuln/detail/CVE-2022-38752
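The upgrades above are of two kinds: spring-beans and tomcat-embed-core move simply by bumping the Spring Boot parent, while Jackson and snakeyaml are only brought to the patched versions if the project overrides the versions Spring Boot's BOM manages (Spring Boot 2.7.5 itself manages Jackson 2.13.x and snakeyaml 1.30). The fragment below is an added illustration of how such an override is expressed in a Maven POM inheriting from spring-boot-starter-parent; it is not the spring-module-core pom, and the groupId/artifactId of the example project are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Illustrative pom.xml, not the spring-module-core project file.
     Project coordinates below are placeholders. -->
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>

  <!-- Bumping the parent is what moves spring-beans to 5.3.23 and
       tomcat-embed-core to 9.0.68 (both managed by spring-boot-dependencies). -->
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.7.5</version>
    <relativePath/>
  </parent>

  <groupId>org.example</groupId>          <!-- placeholder -->
  <artifactId>example-module</artifactId> <!-- placeholder -->
  <version>0.0.1-SNAPSHOT</version>

  <properties>
    <java.version>11</java.version>
    <!-- These property names are the ones spring-boot-dependencies uses to
         manage the transitive versions. Redefining them here overrides the
         BOM's 2.13.x / 1.30 so that every starter resolves the fixed releases. -->
    <jackson-bom.version>2.14.0</jackson-bom.version>
    <snakeyaml.version>1.33</snakeyaml.version>
  </properties>

  <dependencies>
    <!-- Pulls in tomcat-embed-core, spring-beans, jackson-databind and
         snakeyaml transitively; no version elements needed. -->
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
  </dependencies>
</project>
```

Confirm the resolved versions with `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core,org.yaml,org.apache.tomcat.embed,org.springframework` and check that no other dependency still drags in an older jackson-databind or snakeyaml. Note that the property override only works when spring-boot-starter-parent is the parent; a project that instead imports the spring-boot-dependencies BOM in its own dependencyManagement has to declare the overridden artifacts explicitly, listed before the BOM import, because the BOM's versions are fixed at import time.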



Comments
Comment by William Welling [ 09/Nov/22 ]

We may require a dependency plugin to determine the extent of issues. I am thinking a sweeping addition could provide better reporting documentation.

Comment by Ann-Marie Breaux (Inactive) [ 10/Nov/22 ]

Hi Julian Ladisch and William Welling, which dev team should this bug belong to?

Comment by Marc Johnson [ 17/Nov/22 ]

Ann-Marie Breaux

Which dev team should this bug belong to?

Julian Ladisch made the change, so I've associated it with Core Platform.

Generated at Thu Feb 08 23:29:36 UTC 2024 using Jira 1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d.