[FOLIO-3931] mod-remote-sync: ehcache 2 End of Life
Created: 30/Nov/23 Updated: 11/Jan/24
| Status: | Open |
| Project: | FOLIO |
| Components: | None |
| Affects versions: | None |
| Fix versions: | None |
| Type: | Bug | Priority: | P2 |
| Reporter: | Julian Ladisch | Assignee: | Ian Ibbotson (Use this one) |
| Resolution: | Unresolved | Votes: | 0 |
| Labels: | security, security-reviewed |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original estimate: | Not Specified |
| Issue links: | |
| Sprint: | |
| Development Team: | K-Int |
| RCA Group: | Related dependency upgrade |
| Description |

Overview: mod-remote-sync uses ehcache 2 that is out of support.

Steps to Reproduce:

Expected Results: No ehcache dependency if mod-remote-sync doesn't need ehcache, or ehcache 3 dependency.

Actual Results: ehcache 2 dependency.

Additional Information: The latest ehcache 2 version comes with a relocated jetty-io dependency that has a known vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2023-36478
| Comments |
| Comment by Ann-Marie Breaux (Inactive) [ 01/Dec/23 ] |

Hi Julian Ladisch and Ian Ibbotson (Use this one) Which dev team should this bug be assigned to? Thank you!