[FOLIO-3639] spring-module-core Spring Boot 2.7.5, Jackson 2.14.0, snakeyaml 1.33

| Created: | 09/Nov/22 |
| Updated: | 17/Nov/22 |
| Resolved: | 14/Nov/22 |
| Status: | Closed |
| Project: | FOLIO |
| Components: | None |
| Affects versions: | None |
| Fix versions: | None |
| Type: | Bug |
| Priority: | P2 |
| Reporter: | Julian Ladisch |
| Assignee: | Julian Ladisch |
| Resolution: | Done |
| Votes: | 0 |
| Labels: | security, security-reviewed |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original estimate: | Not Specified |
| Issue links: | |
| Sprint: | |
| Development Team: | Core: Platform |
| RCA Group: | Related dependency upgrade |

| Description |
Upgrade Spring Boot from 2.6.7 to 2.7.5. End of support for open source Spring Boot 2.6 is 2022-11-18: https://spring.io/projects/spring-boot#support

- Upgrading Spring Boot upgrades spring-beans from 5.3.19 to 5.3.23, fixing Denial of Service (DoS):
- Upgrading Spring Boot upgrades tomcat-embed-core from 9.0.62 to 9.0.68, fixing HTTP Request Smuggling:
- Upgrade Jackson from 2.13.2.1 (transitive version from Spring Boot) to 2.14.0, fixing Denial of Service (DoS):
- Upgrade snakeyaml from 1.29 (transitive version from Spring Boot) to 1.33, fixing Denial of Service (DoS) and Stack-based Buffer Overflow:
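The Maven changes this description calls for, as an added example and not the spring-module-core pom itself: the Spring Boot parent is moved to 2.7.5 (which lifts spring-beans and tomcat-embed-core), and the Jackson and snakeyaml versions that Spring Boot manages transitively are overridden through Spring Boot's `jackson-bom.version` and `snakeyaml.version` properties. The module coordinates and the starter dependency are assumptions.

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>

  <!-- Inheriting the Spring Boot parent imports spring-boot-dependencies,
       which manages spring-beans and tomcat-embed-core; raising the parent
       to 2.7.5 is what takes them to 5.3.23 and 9.0.68. -->
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.7.5</version>
    <relativePath/>
  </parent>

  <!-- Placeholder coordinates (assumed, not the project's real values). -->
  <groupId>org.folio</groupId>
  <artifactId>spring-module-core</artifactId>
  <version>0.0.0-EXAMPLE</version>

  <properties>
    <!-- spring-boot-dependencies resolves jackson-bom and snakeyaml through
         these properties; redefining them here replaces the transitive
         versions Spring Boot 2.7.5 would otherwise select (2.13.x / 1.30)
         with the versions the ticket asks for. -->
    <jackson-bom.version>2.14.0</jackson-bom.version>
    <snakeyaml.version>1.33</snakeyaml.version>
  </properties>

  <dependencies>
    <!-- Assumed starter; it transitively pulls in Jackson and snakeyaml,
         so it is where the overridden versions become visible. -->
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
  </dependencies>
</project>
```

Verify the result with `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core,org.yaml:snakeyaml`, which lists only the resolved Jackson and snakeyaml artifacts and their versions. The property override only works when the Spring Boot parent is inherited; a project that imports `spring-boot-dependencies` as a BOM instead must declare its own `jackson-bom` and `snakeyaml` entries in `dependencyManagement` before that import.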
| Comments |

Comment by William Welling [ 09/Nov/22 ]

We may require a dependency plugin to determine the extent of issues. I am thinking a sweeping addition could provide better reporting documentation.
Comment by Ann-Marie Breaux (Inactive) [ 10/Nov/22 ]

Hi Julian Ladisch and William Welling, which dev team should this bug belong to?
Comment by Marc Johnson [ 17/Nov/22 ]

Julian Ladisch made the change, so I've associated it with Core Platform.