Upgrade to Undertow 2.2.0.Final #23592

shivacharan0551 · 2020-10-06T05:58:00Z

Vulenarability

CVE-2020-10687 (https://nvd.nist.gov/vuln/detail/CVE-2020-10687) is been reported in undertow version below 2.2.0. spring-boot-starter-parent 2.3.4 is still using Undertow 2.1.4

Dependency tree
+- org.springframework.boot:spring-boot-starter-undertow:jar:2.3.4.RELEASE:compile [INFO] | +- io.undertow:undertow-core:jar:2.1.4.Final:compile

Need to upgrade and release a new update

The text was updated successfully, but these errors were encountered:

snicoll · 2020-10-06T06:04:17Z

@shivacharan0551 please consider searching the issue tracker before opening an issue. We already upgraded in 2.4.x and already indicated in that issue why we won't upgrade to a new feature release in a maintenance release of Spring Boot.

Please reach out to the Undertow team to ask them to backport. Alternatively, you can upgrade as explained in the comment I've referenced.

snicoll · 2020-10-06T06:04:42Z

Duplicate of #23367

spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Oct 6, 2020

snicoll closed this as completed Oct 6, 2020

snicoll added status: duplicate A duplicate of another issue and removed status: waiting-for-triage An issue we've not yet triaged labels Oct 6, 2020

snicoll marked this as a duplicate of #23367 Oct 6, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Upgrade to Undertow 2.2.0.Final #23592

Upgrade to Undertow 2.2.0.Final #23592

shivacharan0551 commented Oct 6, 2020

snicoll commented Oct 6, 2020

snicoll commented Oct 6, 2020

Upgrade to Undertow 2.2.0.Final #23592

Upgrade to Undertow 2.2.0.Final #23592

Comments

shivacharan0551 commented Oct 6, 2020

Vulenarability

snicoll commented Oct 6, 2020

snicoll commented Oct 6, 2020