Bump spring version to 5.3.20 to solve CVE-2022-22970 #15699

Merged (1 commit, May 31, 2022)

Conversation

hezhangjian
Member

Modifications

Bump spring version from 5.3.19 to 5.3.20 to solve CVE-2016-1000027

@hezhangjian hezhangjian added the doc-not-needed (Your PR changes do not impact docs) and dependencies labels May 21, 2022
@hezhangjian hezhangjian self-assigned this May 21, 2022
@hezhangjian
Member Author

/pulsarbot run-failure-checks

@hezhangjian hezhangjian changed the title Bump spring version from 5.3.19 to 5.3.20 to solve CVE-2016-1000027 [WIP] Bump spring version to solve CVE-2016-1000027 May 22, 2022
@nicoloboschi
Contributor

@Shoothzj we have to add a suppression
spring-projects/spring-framework#24434

@nicoloboschi
Contributor

Also we need suppressions for the openstack libraries, they are confused with the original openstack-swift and openstack-keystone jars. (need to check more in detail)
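
The suppressions the two comments above ask for, as an added example that is not part of this PR or of the Pulsar repository. It assumes the scanner that flagged CVE-2016-1000027 and the openstack jars is OWASP dependency-check (the thread does not name the tool), that the mis-identified jars are the jclouds artifacts org.apache.jclouds.api:openstack-swift and openstack-keystone (an assumption; the thread only gives the artifact names), and that the CPEs the scanner matched are cpe:/a:openstack:swift and cpe:/a:openstack:keystone (to be confirmed against the actual report). The point a reviewer cares about: each suppression is scoped to a package URL rather than to the CVE or CPE alone, so other advisories against Spring or jclouds keep surfacing, and the notes record why the finding does not apply, because the linked spring-projects/spring-framework#24434 says a 5.3.x upgrade does not change the CVE-2016-1000027 status.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example suppression file for OWASP dependency-check (assumed scanner).
     Not the project's own file; artifact coordinates and CPEs are assumptions. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

  <!-- CVE-2016-1000027 is reported against spring-web and is not resolved by moving
       within 5.3.x (spring-projects/spring-framework#24434). Scoped to spring-web only,
       so any other CVE against Spring is still reported. -->
  <suppress>
    <notes><![CDATA[
      CVE-2016-1000027: disputed finding against spring-web; see
      spring-projects/spring-framework#24434. It concerns deserialization in the
      HttpInvoker / RMI remoting exporters, which this project does not expose
      (assumption: verify no HttpInvokerServiceExporter / RmiServiceExporter beans).
      Revisit when upgrading to a Spring line that removes those exporters.
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.springframework/spring\-web@.*$</packageUrl>
    <cve>CVE-2016-1000027</cve>
  </suppress>

  <!-- False positive: the jclouds client jars are matched to the OpenStack Swift and
       Keystone products. Suppressing the CPE match (not a single CVE) removes every
       OpenStack server advisory for these two jars while keeping jclouds advisories. -->
  <suppress>
    <notes><![CDATA[
      org.apache.jclouds.api:openstack-swift is a Java client for the Swift API,
      not the OpenStack Swift service (assumed coordinates and CPE).
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.apache\.jclouds\.api/openstack\-swift@.*$</packageUrl>
    <cpe>cpe:/a:openstack:swift</cpe>
  </suppress>
  <suppress>
    <notes><![CDATA[
      org.apache.jclouds.api:openstack-keystone is a Java client for the Keystone API,
      not the OpenStack Keystone service (assumed coordinates and CPE).
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.apache\.jclouds\.api/openstack\-keystone@.*$</packageUrl>
    <cpe>cpe:/a:openstack:keystone</cpe>
  </suppress>
</suppressions>
```

With the dependency-check Maven plugin the file is referenced through the `suppressionFiles` configuration (or `--suppression` on the CLI). Before committing, confirm the `cpe` values against the identifiers listed in the scanner's report for those jars; a CPE that does not match silently leaves the false positives in place.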

@cbornet
Contributor

cbornet commented May 31, 2022

PR for openstack is #15829

@cbornet
Contributor

cbornet commented May 31, 2022

> @Shoothzj we have to add a suppression
> spring-projects/spring-framework#24434

@Shoothzj do you have time to do it?

@cbornet
Contributor

cbornet commented May 31, 2022

LGTM. Maybe we can add the suppression in a follow-up PR?

Contributor

@nicoloboschi nicoloboschi left a comment

It is useless to upgrade Spring. It doesn't solve the security vulnerability
spring-projects/spring-framework#24434

@nicoloboschi nicoloboschi changed the title [WIP] Bump spring version to solve CVE-2016-1000027 Bump spring version to 5.3.20 to solve CVE-2022-22970 May 31, 2022
@nicoloboschi nicoloboschi merged commit a9cf463 into apache:master May 31, 2022
@nicoloboschi nicoloboschi added this to the 2.11.0 milestone May 31, 2022