Misalignment of spring-security-oauth2-client versions in spring-cloud-dataflow-server module #5171

Closed. Opened by klopfdreh on Jan 2, 2023 · 4 comments. Label: area/dependencies (Belongs project dependencies).

Comments

@klopfdreh (Contributor)

klopfdreh commented Jan 2, 2023

Description:
Due to CVE-2022-31690 (https://tanzu.vmware.com/security/cve-2022-31690) we just wanted to upgrade to SCDF 2.10.0.

I just saw that the dependencies spring-cloud-services-starter-config-client and spring-cloud-dataflow-rest-client provide spring-security-oauth2-client in version 5.7.3, but Spring Boot 2.7.6 provides spring-security-oauth2-client 5.7.5.

Release versions:
2.10.0

Custom apps:

Steps to reproduce:
Just checkout the project and see the dependency graph.

Screenshots:

Additional context:
As a workaround we excluded spring-security-oauth2-client from those dependencies and added it in the right version.

@github-actions github-actions bot added the status/need-triage Team needs to triage and take a first look label Jan 2, 2023
@corneil corneil self-assigned this Jan 3, 2023
@corneil corneil added area/dependencies Belongs project dependencies and removed status/need-triage Team needs to triage and take a first look labels Jan 3, 2023
@corneil (Contributor)

corneil commented Jan 3, 2023

Create PR to update to Spring Boot 2.7.7 spring-cloud/spring-cloud-dataflow-build#94

@klopfdreh (Contributor, Author)

This will not resolve the issue as the outdated dependency is coming from others.

@markpollack markpollack added this to the 2.10.1 milestone Jan 5, 2023
@corneil (Contributor)

corneil commented Jan 11, 2023

@corneil corneil closed this as completed Jan 12, 2023
@klopfdreh (Contributor, Author)

klopfdreh commented Mar 8, 2023

Again. This issue is not fixed. I updated to SCDF 2.10.1 and still have this issue.

[screenshot: dependency tree]

spring-security-oauth2-client is at version 5.7.3 while all other spring-security dependencies are at 5.7.6.
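The check both the opening post and this last comment describe by hand ("see the dependency graph", one spring-security artifact at 5.7.3 while its siblings are at 5.7.5/5.7.6) can be automated over `mvn dependency:tree` output. The script below is an added example, not part of the issue or of the Spring Cloud Data Flow project: it parses the tree, groups artifacts of one groupId by resolved version, lists the outliers that differ from the version the Boot BOM manages, and names the direct dependency that pulls each outlier in, which is where an `<exclusion>` belongs before the artifact is re-declared at the managed version. The tree text is a constructed excerpt in the real plugin's line format, not captured from SCDF; the artifact names and versions in it are taken from the issue, the `5.7.5` target is the Boot 2.7.6 figure from the opening post, and the function names are this example's own.

```python
"""Flag artifacts of one groupId that resolve to different versions in
`mvn dependency:tree` output and name the direct dependency to exclude."""
import re
import sys
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt (not real SCDF output) mirroring the mismatch in the
# issue: oauth2-client arrives via the REST client at 5.7.3, siblings at 5.7.5.
SAMPLE_TREE = r"""
[INFO] --- maven-dependency-plugin:3.3.0:tree (default-cli) @ spring-cloud-dataflow-server ---
[INFO] org.springframework.cloud:spring-cloud-dataflow-server:jar:2.10.0
[INFO] +- org.springframework.cloud:spring-cloud-dataflow-rest-client:jar:2.10.0:compile
[INFO] |  \- org.springframework.security:spring-security-oauth2-client:jar:5.7.3:compile
[INFO] +- org.springframework.boot:spring-boot-starter-security:jar:2.7.6:compile
[INFO] |  +- org.springframework.security:spring-security-config:jar:5.7.5:compile
[INFO] |  +- org.springframework.security:spring-security-core:jar:5.7.5:compile
[INFO] |  \- org.springframework.security:spring-security-web:jar:5.7.5:compile
[INFO] \- org.springframework.security:spring-security-oauth2-jose:jar:5.7.5:compile
[INFO] ------------------------------------------------------------------------
"""

# "[INFO] " + tree-drawing prefix (3 chars per level) + Maven coordinate.
LINE_RE = re.compile(r"^\[INFO\] (?P<tree>[|+\\\- ]*)(?P<coord>[\w.\-]+:[\w.\-]+:[\w.\-:]+)$")


@dataclass
class Dep:
    group: str
    artifact: str
    version: str
    scope: str                      # "" for the project root
    depth: int
    parent: Optional["Dep"] = None

    @property
    def path(self):
        """Artifact ids from the project root down to this node."""
        node, chain = self, []
        while node is not None:
            chain.append(node.artifact)
            node = node.parent
        return chain[::-1]


def parse_coordinate(coord):
    parts = coord.split(":")
    if len(parts) == 6:             # group:artifact:type:classifier:version:scope
        return parts[0], parts[1], parts[4], parts[5]
    if len(parts) == 5:             # group:artifact:type:version:scope
        return parts[0], parts[1], parts[3], parts[4]
    if len(parts) == 4:             # group:artifact:type:version (project root)
        return parts[0], parts[1], parts[3], ""
    raise ValueError(f"unexpected coordinate: {coord}")


def parse_tree(text):
    deps, stack = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                # plugin banner, separators, build summary
        depth = len(m.group("tree")) // 3
        group, artifact, version, scope = parse_coordinate(m.group("coord"))
        del stack[depth:]           # stack[depth-1] is now this node's parent
        dep = Dep(group, artifact, version, scope, depth, stack[-1] if stack else None)
        deps.append(dep)
        stack.append(dep)
    return deps


def versions_by_group(deps, group):
    """resolved version -> artifacts of `group` at that version."""
    by_version = defaultdict(list)
    for d in deps:
        if d.group == group:
            by_version[d.version].append(d)
    return dict(by_version)


def outliers(deps, group, expected_version):
    """Artifacts of `group` not at the version the BOM is supposed to manage."""
    return [d for d in deps if d.group == group and d.version != expected_version]


def exclusion_targets(outlier_deps):
    """Direct (depth-1) dependencies that transitively pull an outlier in: the
    place for an <exclusion> before pinning the artifact at the managed version."""
    targets = set()
    for d in outlier_deps:
        if d.depth <= 1:
            continue                # declared directly: change its version instead
        node = d
        while node.depth > 1:
            node = node.parent
        targets.add((node.group, node.artifact))
    return targets


def report(text, group, expected_version):
    deps = parse_tree(text)
    lines = [f"{group} resolves to: " + ", ".join(sorted(versions_by_group(deps, group)))]
    outs = outliers(deps, group, expected_version)
    for d in outs:
        lines.append(f"  outlier {d.artifact} {d.version} via " + " -> ".join(d.path))
    for g, a in sorted(exclusion_targets(outs)):
        lines.append(f"  exclude {group}:* from {g}:{a}, then declare it at {expected_version}")
    return lines


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TREE
    print("\n".join(report(text, "org.springframework.security", "5.7.5")))
```

Pipe a real tree in with `mvn dependency:tree | python check_tree.py` (script name assumed). Maven prints only the version that won mediation, so a single stray version in the tree is already a sign that a BOM or parent somewhere pins that artifact independently; the path printed for each outlier shows which direct dependency to look at, and after excluding and re-declaring, the check should report exactly one version for the group.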
