
Security Scan library updates #4979

Closed
marcbejerano opened this issue Jun 19, 2019 · 4 comments

Comments

@marcbejerano

commented Jun 19, 2019

Not necessarily a feature request, but we are trying to deploy Rundeck at work and our security scan is going nuts with the number of CVEs that are popping up. Almost all are related to outdated libraries (BouncyCastle, Jackson, Spring, etc.)

We tried updating them ourselves but it turned into far more work than we could handle (we are a two-man team building a solution for management).

@gschueler

Member

commented Jun 20, 2019

Can you post the rundeck version?

@marcbejerano

Author

commented Jun 20, 2019

@gschueler gschueler added the security label Jul 1, 2019

@gschueler gschueler added this to the 3.1.0-RC2 milestone Jul 8, 2019

@ahormazabal ahormazabal self-assigned this Jul 9, 2019

gschueler added a commit that referenced this issue Jul 17, 2019

Merge pull request #5047 from ahormazabal/vbumps/update-201907
Issues #5002, #4979, #4463, #4464, #4465, #4466 - Update several library dependencies to address reported CVEs.
@ahormazabal

Contributor

commented Jul 18, 2019

PRs #5047 and #5048 address the following version updates for 3.1 and 3.0.x respectively:

| Dependency       | From    | To      |
|------------------|---------|---------|
| jackson-databind | 2.8.11  | 2.9.9.1 |
| spring-security  | 4.2.7   | 4.2.13  |
| logback          | 1.1.11  | 1.2.3   |
| postgresql-jdbc  | 42.2.2  | 42.2.6  |
| h2               | 1.4.197 | 1.4.199 |

The following dependencies are still in the works:

  • bouncycastle
  • spring framework
  • c3p0
  • moment.js
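An added example (not part of this thread or of Rundeck's own tooling) for an operator who wants to confirm a deployed build actually resolved the "To" versions from the table above: it parses dependency-report lines in the shape of `gradle dependencies` output and flags any tracked artifact below its minimum. Maven group ids are assumed from the upstream projects, and the sample report is constructed.

```python
import re

# Minimum versions taken from the PR #5047 table ("To" column), keyed by
# Maven coordinate. Group ids are assumed from the upstream projects.
MINIMUM_VERSIONS = {
    "com.fasterxml.jackson.core:jackson-databind": "2.9.9.1",
    "org.springframework.security:spring-security-core": "4.2.13",
    "ch.qos.logback:logback-classic": "1.2.3",
    "org.postgresql:postgresql": "42.2.6",
    "com.h2database:h2": "1.4.199",
}

def version_key(version):
    """Turn '2.9.9.1' into a tuple that compares numerically, so 42.2.19 sorts
    above 42.2.6 (a plain string compare would get that wrong)."""
    parts = []
    for piece in re.split(r"[.\-]", version):
        parts.append((1, int(piece)) if piece.isdigit() else (0, piece))
    return tuple(parts)

# One 'group:artifact:version' coordinate, keeping the resolved version when
# Gradle printed 'requested -> resolved'.
COORD_RE = re.compile(r"([\w.\-]+:[\w.\-]+):([\w.\-]+)(?:\s*->\s*([\w.\-]+))?")

def check_dependencies(report_lines):
    """Return {coordinate: (resolved, minimum, ok)} for each tracked artifact
    present in the report; artifacts not in the report are simply absent."""
    findings = {}
    for line in report_lines:
        m = COORD_RE.search(line)
        if not m or m.group(1) not in MINIMUM_VERSIONS:
            continue
        coord = m.group(1)
        version = m.group(3) or m.group(2)
        minimum = MINIMUM_VERSIONS[coord]
        findings[coord] = (version, minimum, version_key(version) >= version_key(minimum))
    return findings

def outdated(report_lines):
    """Sorted coordinates whose resolved version is below the minimum."""
    return sorted(c for c, (_, _, ok) in check_dependencies(report_lines).items() if not ok)

# Constructed sample in the shape of `gradle dependencies` output, not a real report.
SAMPLE_REPORT = """\
+--- com.fasterxml.jackson.core:jackson-databind:2.8.11 -> 2.9.9.1
+--- org.springframework.security:spring-security-core:4.2.7
+--- ch.qos.logback:logback-classic:1.2.3
+--- org.postgresql:postgresql:42.2.2 -> 42.2.6
\\--- com.h2database:h2:1.4.197
""".splitlines()

if __name__ == "__main__":
    for coord, (found, minimum, ok) in check_dependencies(SAMPLE_REPORT).items():
        print(f"{'OK ' if ok else 'OLD'} {coord} {found} (minimum {minimum})")
```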
@gschueler

Member

commented Jul 19, 2019

Closing this issue for the already fixed CVEs, and created a new one for the remaining ones: #5077

@gschueler gschueler closed this Jul 19, 2019
