
Issues #5002, #4979, #4463, #4464, #4465, #4466 - Update several library dependencies to address reported CVEs. #5047

Merged
merged 8 commits into from Jul 17, 2019

Conversation

@ahormazabal
Contributor

commented Jul 11, 2019

This PR updates the following library versions:

| Dependency | From | To |
|---|---|---|
| jackson-databind | 2.8.11 | 2.9.9.1 |
| spring-security | 4.2.7 | 4.2.13 |
| logback | 1.1.11 | 1.2.3 |
| postgresql-jdbc | 42.2.2 | 42.2.6 |
| h2 | 1.4.197 | 1.4.199 |

Addresses several CVEs reported on:
#5002
#4979
#4463
#4464
#4465
#4466

CVEs addressed are:

  • logback: CVE-2017-5929
  • spring-security: CVE-2019-11272
  • postgresql-jdbc: CVE-2018-10936
  • h2: CVE-2018-10054
  • jackson-databind:
    CVE-2017-7525
    CVE-2017-15095
    CVE-2017-17485
    CVE-2018-5968
    CVE-2018-7489
    CVE-2018-12022
    CVE-2018-12023
    CVE-2018-14718
    CVE-2018-14719
    CVE-2018-14720
    CVE-2018-14721
    CVE-2018-19360
    CVE-2018-19361
    CVE-2018-19362
    CVE-2019-5427
    CVE-2019-12086
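A version-floor check is the natural follow-up to a PR like this: given the "To" column above as the minimum acceptable versions, confirm that a project's `gradle.properties` no longer pins any of these libraries below the fixed release. The script below is an added illustration, not code from the PR or from the Rundeck project. The property keys in the sample (`jackson.version`, `spring-security.version`, and so on) are an assumption modelled on the `<name>.version` override convention of Spring Boot's dependency-management plugin; the key names a given project actually uses are not shown on this page. The sample properties file is constructed.

```python
"""Check pinned dependency versions in a gradle.properties file against the
minimum versions this PR moved to. Added illustration, not part of the PR."""
import re

# Minimum versions taken from the PR's table (artifact -> first fixed version).
MIN_VERSIONS = {
    "jackson-databind": "2.9.9.1",
    "spring-security": "4.2.13",
    "logback": "1.2.3",
    "postgresql-jdbc": "42.2.6",
    "h2": "1.4.199",
}

# ASSUMPTION: property keys follow Spring Boot's "<name>.version" override
# convention; the real keys of a given project are not shown on the PR page.
PROPERTY_KEYS = {
    "jackson.version": "jackson-databind",
    "spring-security.version": "spring-security",
    "logback.version": "logback",
    "postgresql.version": "postgresql-jdbc",
    "h2.version": "h2",
}

# Constructed sample: the pre-PR versions, with spring-security already bumped.
SAMPLE_PROPERTIES = """\
# build settings (constructed sample)
jackson.version=2.8.11
spring-security.version=4.2.13
logback.version = 1.1.11
postgresql.version=42.2.2
h2.version=1.4.197
"""


def parse_properties(text):
    """Parse key=value (or key:value) lines of a Java .properties file into a dict;
    blank lines and '#'/'!' comments are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def version_key(version):
    """Split a dotted version into comparable tuples so that 1.4.199 > 1.4.2 holds
    numerically rather than lexically. Non-numeric pieces (e.g. 'v20180605') sort lowest."""
    parts = []
    for piece in re.split(r"[.\-]", version):
        parts.append((1, int(piece)) if piece.isdigit() else (0, 0))
    return tuple(parts)


def is_at_least(declared, minimum):
    """True when declared >= minimum; shorter versions are padded with zeros,
    so 2.9.9 is below 2.9.9.1."""
    a, b = version_key(declared), version_key(minimum)
    width = max(len(a), len(b))
    a += ((1, 0),) * (width - len(a))
    b += ((1, 0),) * (width - len(b))
    return a >= b


def find_outdated(properties_text):
    """Return (artifact, declared, minimum) for every pinned library still below its floor."""
    props = parse_properties(properties_text)
    findings = []
    for key, artifact in PROPERTY_KEYS.items():
        declared = props.get(key)
        if declared is None:
            continue  # not pinned here; the BOM-managed default applies
        minimum = MIN_VERSIONS[artifact]
        if not is_at_least(declared, minimum):
            findings.append((artifact, declared, minimum))
    return findings


if __name__ == "__main__":
    for artifact, declared, minimum in find_outdated(SAMPLE_PROPERTIES):
        print(f"{artifact}: {declared} is below the fixed version {minimum}")
```

Run against the constructed sample it reports jackson-databind, logback, postgresql-jdbc and h2 as still below the floor and stays silent on spring-security. The numeric tuple comparison is the point to notice: a plain string compare would pass `1.4.2` as newer than `1.4.199`, which is exactly the kind of false negative that lets a known-vulnerable build slip through a CI gate.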
@gschueler

Member

commented Jul 13, 2019

I see the jettyVersion prop is removed from gradle.properties, and the deps in the gradle file have the version removed; what version will it select?

@ahormazabal

Contributor Author

commented Jul 13, 2019

I removed it because our version of spring-boot already resolves jetty to 9.4.11.v20180605.
Also, there is no need to put the version in build.gradle, as I discovered that dependencies defined by spring boot can be configured directly in gradle.properties.

gschueler merged commit 6a645ed into rundeck:master Jul 17, 2019

20 checks passed

Mergeable: Run has been Completed!
continuous-integration/travis-ci/pr The Travis CI build passed
security/snyk - build.gradle (rundeck) No manifest changes detected
security/snyk - core/build.gradle (rundeck) No new issues
security/snyk - plugins/build.gradle (rundeck) No manifest changes detected
security/snyk - plugins/copyfile-plugin/build.gradle (rundeck) No manifest changes detected
security/snyk - plugins/flow-control-plugin/build.gradle (rundeck) No manifest changes detected
security/snyk - plugins/git-plugin/build.gradle (rundeck) No manifest changes detected
security/snyk - plugins/jasypt-encryption-plugin/build.gradle (rundeck) No manifest changes detected
security/snyk - plugins/job-state-plugin/build.gradle (rundeck) No manifest changes detected
security/snyk - plugins/localexec-plugin/build.gradle (rundeck) No manifest changes detected
security/snyk - plugins/orchestrator-plugin/build.gradle (rundeck) No manifest changes detected
security/snyk - plugins/script-plugin/build.gradle (rundeck) No manifest changes detected
security/snyk - plugins/source-refresh-plugin/build.gradle (rundeck) No manifest changes detected
security/snyk - plugins/stub-plugin/build.gradle (rundeck) No manifest changes detected
security/snyk - plugins/upvar-plugin/build.gradle (rundeck) No manifest changes detected
security/snyk - rundeck-storage/build.gradle (rundeck) No new issues
security/snyk - rundeckapp/build.gradle (rundeck) No new issues
security/snyk - rundeckapp/grails-spa/package.json (rundeck) No manifest changes detected
security/snyk - rundeckapp/metricsweb/build.gradle (rundeck) No manifest changes detected

gschueler added a commit that referenced this pull request Jul 18, 2019

Merge pull request #5048 from ahormazabal/backports/vbumps-201907
backport of PR #5047 - Update library dependencies to address CVEs