Upgrade to Undertow 2.2.0.Final #23367

snicoll · 2020-09-16T12:39:31Z

No description provided.

chadlwilson · 2020-10-01T00:35:18Z

Is a backport of this being considered to the 2.3 branch, given https://nvd.nist.gov/vuln/detail/CVE-2020-10687 has no 2.1.x fix currently?

Alternatively, users can override the dependency management to do an earlier upgrade. The upgrade looks relatively harmless as far as I can see.

snicoll · 2020-10-01T08:35:11Z

Is a backport of this being considered to the 2.3 branch

@chadlwilson As indicated on the wiki, we only upgrade third party at the patch level for any given Spring Boot patch release. Please reach out to the Undertow team if they'd consider backporting the CVE fix.

As you've mentioned, overriding dependency management is the way to go otherwise. This is covered in the documentation for both Maven and Gradle.

chadlwilson · 2020-10-01T09:56:00Z

Fair enough, thanks.

snicoll added the type: dependency-upgrade A dependency upgrade label Sep 16, 2020

snicoll added this to the 2.4.0-M3 milestone Sep 16, 2020

snicoll self-assigned this Sep 16, 2020

snicoll closed this as completed in fa03f75 Sep 16, 2020

snicoll mentioned this issue Oct 6, 2020

Upgrade to Undertow 2.2.0.Final #23592

Closed

philwebb mentioned this issue Nov 2, 2020

Upgrade to Undertow 2.2.2.Final #23669

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Upgrade to Undertow 2.2.0.Final #23367

Upgrade to Undertow 2.2.0.Final #23367

snicoll commented Sep 16, 2020

chadlwilson commented Oct 1, 2020

snicoll commented Oct 1, 2020 •

edited

chadlwilson commented Oct 1, 2020

Upgrade to Undertow 2.2.0.Final #23367

Upgrade to Undertow 2.2.0.Final #23367

Comments

snicoll commented Sep 16, 2020

chadlwilson commented Oct 1, 2020

snicoll commented Oct 1, 2020 • edited

chadlwilson commented Oct 1, 2020

snicoll commented Oct 1, 2020 •

edited