Java CVEs related to authentication #2315
Assignees
Labels
Comments
rasmi
added
bug
rasmi
added a commit
that referenced
this issue
Apr 20, 2022
See #2315. This only updates the x86/amd64 version, and does not bump the arm64 version, since it is [not yet available](https://hub.docker.com/r/bellsoft/liberica-openjdk-alpine/tags). arm64 is not urgent (to my knowledge) since it is only used for local Mac M1 development.
bion
added a commit
that referenced
this issue
Apr 26, 2022
* Update OpenJDK to 11.0.14.1 See #2315. This only updates the x86/amd64 version, and does not bump the arm64 version, since it is [not yet available](https://hub.docker.com/r/bellsoft/liberica-openjdk-alpine/tags). arm64 is not urgent (to my knowledge) since it is only used for local Mac M1 development. * Also update prod Dockerfile Co-authored-by: bion <bionj@google.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Recent Java versions have a cryptography vulnerability allowing attackers to forge certain auth credentials/tokens, including OIDC and SAML. See details here and here.
CiviForm relies on OpenJDK 11, which is not affected by this specific auth issue, but is affected by other CVEs. We should upgrade OpenJDK to a version >11.0.14 to resolve those issues, and notify users to upgrade their CiviForm installations accordingly.
The text was updated successfully, but these errors were encountered: