Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore: upgrade embedded tomcat to 9.0.62 #14733

Merged
merged 2 commits into from
Apr 4, 2022
Merged

chore: upgrade embedded tomcat to 9.0.62 #14733

merged 2 commits into from
Apr 4, 2022

Conversation

zhem0004
Copy link
Contributor

@zhem0004 zhem0004 commented Apr 4, 2022

What does this PR do?

This PR makes the version of embedded tomcat explicitly specified, thus also upgrading it

Motivation

Recently it has been reported that there is a voulnerability in security of spring. One option to to fix it,, according to announcement, is to have tomcat of version 9.0.62.

( https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement )

More

The issue was reported in #14719

@antobinary antobinary added this to the Release 2.5 milestone Apr 4, 2022
@antobinary antobinary changed the title upgrade embedded tomcat chore: upgrade embedded tomcat to 9.0.62 Apr 4, 2022
antobinary
antobinary reviewed Apr 4, 2022
View reviewed changes
bigbluebutton-web/build.gradle Outdated
@@ -72,6 +72,10 @@ dependencies {
implementation "org.grails.plugins:scaffolding"
implementation "org.grails.plugins:events"
implementation "org.grails.plugins:gsp"
implementation "org.apache.tomcat.embed:tomcat-embed-core:9.0.62"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could we do

tomcat-embed-version "9.0.62" like we do for version
so that next time we have to upgrade it's a 1 line change and we don't miss any dependency

@antobinary antobinary mentioned this pull request Apr 4, 2022
Closed
@antobinary antobinary merged commit 634c87f into bigbluebutton:v2.5.x-release Apr 4, 2022
@sonarcloud
Copy link

sonarcloud bot commented Apr 4, 2022

Kudos, SonarCloud Quality Gate passed!    Quality Gate passed

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 0 Code Smells

No Coverage information No Coverage information
No Duplication information No Duplication information

@antobinary antobinary mentioned this pull request Apr 12, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@antobinary antobinary antobinary left review comments

Assignees
No one assigned
Labels
target: security
Projects
None yet
Milestone
Release 2.5
Development

Successfully merging this pull request may close these issues.
2 participants
@zhem0004 @antobinary