[MODSER-1] Upgrade hibernate, postgresql, kafka, liquibase, commons-io, opencsv
Created: 21/Feb/23 | Updated: 20/Mar/23 | Resolved: 20/Mar/23

| Status: | Closed |
| Project: | mod-serials-management |
| Components: | None |
| Affects versions: | None |
| Fix versions: | None |
| Type: | Bug |
| Priority: | TBD |
| Reporter: | Julian Ladisch |
| Assignee: | Jack Golding |
| Resolution: | Done |
| Votes: | 0 |
| Labels: | security, security-reviewed |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original estimate: | Not Specified |
| Issue links: | |
| Sprint: | |
| Development Team: | K-Int |
| RCA Group: | Related dependency upgrade |

Description

Upgrade dependencies that have known security vulnerabilities:

- Upgrade hibernate-core from 5.4.19.Final to the latest 5.4.x version 5.4.33.Final, fixing SQL Injection.
- Upgrade postgresql JDBC from 42.3.1 to latest 42.5.x, fixing SQL Injection; postgresql 42.2, 42.3 and 42.4 have reached end of life and are unsupported, see https://jdbc.postgresql.org/download/
- Upgrade kafka-clients from 2.3.0 to a fixed version >= 2.7.2, fixing a Timing Attack vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2021-38153
- Upgrade liquibase-core from 3.9.0 to a fixed version >= 4.8.0, fixing an XML External Entity (XXE) Injection: https://nvd.nist.gov/vuln/detail/CVE-2022-0839
- Upgrade commons-io from 2.6 to a fixed version >= 2.7, fixing Directory Traversal: https://nvd.nist.gov/vuln/detail/CVE-2021-29425
- Upgrade opencsv from 4.6 to a fixed version >= 5.7.1. This indirectly upgrades commons-beanutils 1.9.3, which has Deserialization of Untrusted Data: https://nvd.nist.gov/vuln/detail/CVE-2019-10086
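As an added verification check (not part of this ticket or of the mod-serials-management code), the script below scans a build.gradle fragment for the six dependencies and reports any still declared below the fixed versions listed above, comparing versions numerically so that 5.4.19.Final sorts below 5.4.33.Final. The Maven coordinates are assumed, and 42.5.0 is taken as the postgresql floor because the ticket only says "latest 42.5.x".

```python
import re

# Minimum fixed versions from the ticket, keyed by assumed Maven coordinates.
# The ticket asks for the latest 42.5.x postgresql, so 42.5.0 is the floor.
MIN_FIXED = {
    "org.hibernate:hibernate-core": "5.4.33.Final",
    "org.postgresql:postgresql": "42.5.0",
    "org.apache.kafka:kafka-clients": "2.7.2",
    "org.liquibase:liquibase-core": "4.8.0",
    "commons-io:commons-io": "2.7",
    "com.opencsv:opencsv": "5.7.1",
}

# Matches the string form 'group:artifact:version' only; the map form
# (group:, name:, version:) and ${version} placeholders are not handled.
DEP_RE = re.compile(r"""['"]([\w.\-]+):([\w.\-]+):([\w.\-]+)['"]""")


def version_key(version):
    """Turn '5.4.33.Final' into (5, 4, 33): leading numeric parts compare
    as integers and a trailing qualifier such as 'Final' is ignored."""
    nums = []
    for part in version.split("."):
        if not part.isdigit():
            break
        nums.append(int(part))
    return tuple(nums)


def check_build_file(text):
    """Return {coordinate: (declared, minimum)} for each dependency in the
    build file text that is still below its fixed version."""
    findings = {}
    for group, artifact, declared in DEP_RE.findall(text):
        coord = f"{group}:{artifact}"
        minimum = MIN_FIXED.get(coord)
        if minimum and version_key(declared) < version_key(minimum):
            findings[coord] = (declared, minimum)
    return findings


# Constructed build.gradle fragment declaring the versions named in the ticket.
BEFORE = """
dependencies {
    compile 'org.hibernate:hibernate-core:5.4.19.Final'
    compile 'org.postgresql:postgresql:42.3.1'
    compile 'org.apache.kafka:kafka-clients:2.3.0'
    compile 'org.liquibase:liquibase-core:3.9.0'
    compile 'commons-io:commons-io:2.6'
    compile 'com.opencsv:opencsv:4.6'
}
"""
```

Running `check_build_file(BEFORE)` flags all six dependencies; an empty result after the bump is the signal that the upgrade actually landed in the build file.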
Comments

Comment by Julian Ladisch [ 21/Feb/23 ]

Please adjust the Jira as needed. If a dependency is not upgraded because mod-serials-management is not affected by the vulnerability, please add a comment why.

Comment by Jack Golding [ 22/Feb/23 ]

postgresql, kafka-clients, commons-io and opencsv have been bumped; hibernate will require a Grails bump/upgrade before it can be done, and liquibase will need an upgrade due to a breaking change in a minor version.

Comment by Julian Ladisch [ 23/Feb/23 ]

Hi Jack, thank you for the fast response. Why does the patch version upgrade of hibernate-core from 5.4.19.Final to 5.4.33.Final require a Grails bump?

Comment by Jack Golding [ 23/Feb/23 ]

Hi Julian, apologies for that. I was told that bumping hibernate-core would require a Grails bump, but we were under the impression that this was the minor version change to 5.6.x. hibernate-core has now been bumped to 5.4.33.Final.