Backport CVE-2023-1370 fix to 9.43.x

Issue #422 resolved
Josh Cummings created an issue

Because 10.x contains breaking changes, we would like Spring Security 6.x to stay on oauth2-oidc-sdk 9.x for the time being. Are you able to do a 9.43.x release that includes the json-smart upgrade?

Comments (5)

  1. Yavor Vasilev

    This is the new 9.43.x release, all known CVEs are cleared:

    version 9.43.2 (2023-05-11)
        * Updates JSON Smart to 2.4.10
        * Updates Nimbus JOSE+JWT to 9.31
        * Updates optional Google Tink to 1.8.0
        * Updates optional Apache Santuario XMLSec to 2.3.3
    

    Happy coding!

  2. Josh Cummings reporter

    Hi, Yavor! Thanks for this. It introduces a separate concern, though, which is that it introduces other risky changes like additional exceptions that are thrown when malformed data was previously ignored (nimbus jose jwt #511). These are good changes to be sure; however, in a maintenance release, we try and keep updates just to bug fixes.

    Is there a way you could release a 9.43.x that contains only maintenance upgrades? For example, I think that Nimbus would stay on 9.24.4, JSON Smart would go to 2.4.10, Google Tink would stay on 1.7.0, and Apache Santuario would go to 2.3.3.

  3. Yavor Vasilev

    Hi Josh!

    The JWT lib is reverted here.

    version 9.43.3 (2023-05-16)
        * Reverts Nimbus JOSE+JWT to 9.24.4
    

    Google Tink was left at 1.8.0. It pulls a ProtoBuf dep, which contains several non-critical CVEs in the old 1.7.0 version. ProtoBuf can be excluded because the Tink ProtoBuf aspects are never used here. I decided to keep the 1.8.0 though, to not upset scanners.

    CVE-2022-3171 7.5 Uncontrolled Resource Consumption vulnerability with medium severity found
    CVE-2022-3509 7.5 Uncontrolled Resource Consumption vulnerability with medium severity found
    CVE-2022-3510 7.5 Uncontrolled Resource Consumption vulnerability with medium severity found
    
