backport of PR #5047 - Update library dependencies to address CVEs #5048

Merged
merged 2 commits into from Jul 18, 2019

@ahormazabal
Contributor

commented Jul 11, 2019

Backport from: #5047

This PR updates the following library versions:

| Dependency | From | To |
| --- | --- | --- |
| jackson-databind | 2.8.11 | 2.9.9.1 |
| spring-security | 4.2.7 | 4.2.13 |
| logback | 1.1.11 | 1.2.3 |
| postgresql-jdbc | 42.2.2 | 42.2.6 |
| h2 | 1.4.197 | 1.4.199 |

Addresses several CVEs reported on:
#5002
#4979
#4463
#4464
#4465
#4466

CVEs addressed are:

  • logback: CVE-2017-5929
  • spring-security: CVE-2019-11272
  • postgresql-jdbc: CVE-2018-10936
  • h2: CVE-2018-10054
  • jackson-databind:
    CVE-2018-14721
    CVE-2018-14721
    CVE-2018-19360
    CVE-2018-19361
    CVE-2018-19362
    CVE-2018-14718
    CVE-2018-14719
    CVE-2018-14720
    CVE-2018-14718
    CVE-2018-14719
    CVE-2018-14720
    CVE-2018-19362
    CVE-2018-19360
    CVE-2018-19361
    CVE-2018-5968
    CVE-2018-5968
    CVE-2019-12086
    CVE-2019-12086
    CVE-2019-5427
    CVE-2017-15095
    CVE-2017-17485
    CVE-2017-7525
    CVE-2018-12022
    CVE-2018-12023
    CVE-2018-14718
    CVE-2018-14719
    CVE-2018-14720
    CVE-2018-14721
    CVE-2018-19360
    CVE-2018-19361
    CVE-2018-19362
    CVE-2018-5968
    CVE-2018-7489
    CVE-2019-12086
Alberto Hormazabal

@ahormazabal ahormazabal added the cve label Jul 11, 2019

@ahormazabal ahormazabal added this to the 3.0.24 milestone Jul 11, 2019

@ahormazabal ahormazabal requested review from sjrd218 and gschueler Jul 11, 2019

@gschueler gschueler merged commit 42530ca into rundeck:maint-3.0.x Jul 18, 2019

20 checks passed

Mergeable Mergeable Run has been Completed!
continuous-integration/travis-ci/pr The Travis CI build passed
security/snyk - build.gradle (rundeck) No manifest changes detected
security/snyk - core/build.gradle (rundeck) No new issues
security/snyk - plugins/build.gradle (rundeck) No manifest changes detected
security/snyk - plugins/copyfile-plugin/build.gradle (rundeck) No manifest changes detected
security/snyk - plugins/flow-control-plugin/build.gradle (rundeck) No manifest changes detected
security/snyk - plugins/git-plugin/build.gradle (rundeck) No manifest changes detected
security/snyk - plugins/jasypt-encryption-plugin/build.gradle (rundeck) No manifest changes detected
security/snyk - plugins/job-state-plugin/build.gradle (rundeck) No manifest changes detected
security/snyk - plugins/localexec-plugin/build.gradle (rundeck) No manifest changes detected
security/snyk - plugins/orchestrator-plugin/build.gradle (rundeck) No manifest changes detected
security/snyk - plugins/script-plugin/build.gradle (rundeck) No manifest changes detected
security/snyk - plugins/source-refresh-plugin/build.gradle (rundeck) No manifest changes detected
security/snyk - plugins/stub-plugin/build.gradle (rundeck) No manifest changes detected
security/snyk - plugins/upvar-plugin/build.gradle (rundeck) No manifest changes detected
security/snyk - rundeck-storage/build.gradle (rundeck) No new issues
security/snyk - rundeckapp/build.gradle (rundeck) No new issues
security/snyk - rundeckapp/grails-spa/package.json (rundeck) No manifest changes detected
security/snyk - rundeckapp/metricsweb/build.gradle (rundeck) No manifest changes detected