<!-- 
RSS generated by JIRA (1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d) at Thu Feb 08 22:30:57 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary add field=key&field=summary to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>FOLIO Jira</title>
    <link>https://folio-org.atlassian.net</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>
    <build-info>
        <version>1001.0.0-SNAPSHOT</version>
        <build-number>100246</build-number>
        <build-date>07-02-2024</build-date>
    </build-info>

<item>
            <title>[MODSER-1] Upgrade hibernate, postgresql, kafka, liquibase, commons-io, opencsv</title>
                <link>https://folio-org.atlassian.net/browse/MODSER-1</link>
                <project id="10263" key="MODSER">mod-serials-management</project>
                    <description>&lt;p&gt;Upgrade dependencies that have known security vulnerabilities:&lt;/p&gt;

&lt;p&gt;Upgrade hibernate-core from 5.4.19.Final to the latest 5.4.x version 5.4.33.Final fixing SQL Injection:&lt;br/&gt;
&lt;a href=&quot;https://nvd.nist.gov/vuln/detail/CVE-2020-25638&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://nvd.nist.gov/vuln/detail/CVE-2020-25638&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Upgrade postgresql JDBC from 42.3.1 to latest 42.5.x fixing SQL Injection:&lt;br/&gt;
&lt;a href=&quot;https://nvd.nist.gov/vuln/detail/CVE-2022-31197&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://nvd.nist.gov/vuln/detail/CVE-2022-31197&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;postgresql 42.2, 42.3 and 42.4 have reached end of life and are unsupported, see &lt;a href=&quot;https://jdbc.postgresql.org/download/&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://jdbc.postgresql.org/download/&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Upgrade kafka-clients from 2.3.0 to a fixed version &amp;gt;= 2.7.2 fixing a Timing Attack vulnerability: &lt;a href=&quot;https://nvd.nist.gov/vuln/detail/CVE-2021-38153&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://nvd.nist.gov/vuln/detail/CVE-2021-38153&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Upgrade liquibase-core from 3.9.0 to a fixed version &amp;gt;= 4.8.0 fixing an XML External Entity (XXE) Injection: &lt;a href=&quot;https://nvd.nist.gov/vuln/detail/CVE-2022-0839&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://nvd.nist.gov/vuln/detail/CVE-2022-0839&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Upgrade commons-io from 2.6 to a fixed version &amp;gt;= 2.7 fixing Directory Traversal: &lt;a href=&quot;https://nvd.nist.gov/vuln/detail/CVE-2021-29425&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://nvd.nist.gov/vuln/detail/CVE-2021-29425&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Upgrade opencsv from 4.6 to a fixed version &amp;gt;= 5.7.1. This indirectly upgrades commons-beanutils 1.9.3 that has Deserialization of Untrusted Data: &lt;a href=&quot;https://nvd.nist.gov/vuln/detail/CVE-2019-10086&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://nvd.nist.gov/vuln/detail/CVE-2019-10086&lt;/a&gt;&lt;/p&gt;</description>
                <environment></environment>
        <key id="79223">MODSER-1</key>
            <summary>Upgrade hibernate, postgresql, kafka, liquibase, commons-io, opencsv</summary>
                <type id="10001" iconUrl="https://folio-org.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10303?size=medium">Bug</type>
                                            <priority id="10005" iconUrl="https://dev.folio.org/assets/jira-priority/tbd.svg">TBD</priority>
                        <status id="6" iconUrl="https://folio-org.atlassian.net/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="green"/>
                                    <resolution id="10003">Done</resolution>
                                                        <assignee accountid="712020:4a234957-38d6-4dec-a4d6-9d24dda2acf2">Jack Golding</assignee>
                                                                <reporter accountid="5ee89462f7aa140abd82d11d">Julian Ladisch</reporter>
                                    <labels>
                            <label>security</label>
                            <label>security-reviewed</label>
                    </labels>
                <created>Tue, 21 Feb 2023 12:49:20 +0000</created>
                <updated>Mon, 20 Mar 2023 13:56:56 +0000</updated>
                            <resolved>Mon, 20 Mar 2023 13:56:56 +0000</resolved>
                                                                        <due></due>
                            <votes>0</votes>
                                    <watches>2</watches>
                                                                <comments>
                                                            <comment id="188090" author="5ee89462f7aa140abd82d11d" created="Tue, 21 Feb 2023 12:51:47 +0000"  >&lt;p&gt;Please adjust the Jira as needed.&lt;/p&gt;

&lt;p&gt;If a dependency is not upgraded because mod-serials-management is not affected by the vulnerability please add a comment why.&lt;/p&gt;</comment>
                                                            <comment id="188091" author="712020:4a234957-38d6-4dec-a4d6-9d24dda2acf2" created="Wed, 22 Feb 2023 13:56:34 +0000"  >&lt;p&gt;postgresql, kafka-clients, commons-io and opencsv have been bumped; hibernate will require a grails bump/upgrade before it can be done, and liquibase will need an upgrade due to a breaking change in a minor version.&lt;/p&gt;</comment>
                                                            <comment id="188092" author="5ee89462f7aa140abd82d11d" created="Thu, 23 Feb 2023 12:56:03 +0000"  >&lt;p&gt;Hi Jack,&lt;/p&gt;

&lt;p&gt;thank you for the fast response.&lt;/p&gt;

&lt;p&gt;Why does the patch version upgrade of hibernate-core from 5.4.19.Final to 5.4.33.Final require a grails bump?&lt;/p&gt;</comment>
                                                            <comment id="188093" author="712020:4a234957-38d6-4dec-a4d6-9d24dda2acf2" created="Thu, 23 Feb 2023 14:33:38 +0000"  >&lt;p&gt;Hi Julian&lt;/p&gt;

&lt;p&gt;Apologies for that, I was told that bumping hibernate-core would require a grails bump, but we were under the impression that this was the minor version change to 5.6.x.&lt;/p&gt;

&lt;p&gt;The hibernate-core has now been bumped to 5.4.33.Final&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10003">
                    <name>Relates</name>
                                            <outwardlinks description="relates to">
                                        <issuelink>
            <issuekey id="78302">MODOA-47</issuekey>
        </issuelink>
                            </outwardlinks>
                                                        </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                    <customfield id="customfield_10000" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummarycf">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10057" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <customfieldname>Development Team</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10159"><![CDATA[K-Int]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10063" key="com.atlassian.jira.plugin.system.customfieldtypes:float">
                        <customfieldname>PO Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10106" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <customfieldname>RCA Group</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10385"><![CDATA[Related dependency upgrade]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10019" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0|i06g5f:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10020" key="com.pyxis.greenhopper.jira:gh-sprint">
                        <customfieldname>Sprint</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10024" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>[CHART] Date of First Response</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Wed, 22 Feb 2023 13:56:34 +0000</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10025" key="com.atlassian.jira.ext.charting:timeinstatus">
                        <customfieldname>[CHART] Time in Status</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                    </customfields>
    </item>
</channel>
</rss>