Security vulnerability fixes for CVE-2018-1270, CVE-2018-1273, CVE-2018-1271, CVE-2018-1274 [SPR-16859] #21398

Closed
spring-projects-issues opened this issue May 22, 2018 · 2 comments
Labels
in: core Issues in core modules (aop, beans, core, context, expression) in: messaging Issues in messaging modules (jms, messaging) status: invalid An issue that we don't feel is valid

Comments

@spring-projects-issues
Collaborator

Chaitrali Talegaonkar opened SPR-16859 and commented

CVE-2018-1270
CVE-2018-1273
CVE-2018-1271
(spring-messaging, Spring Data Commons, spring-webmvc)

Filenames:
spring-expression-4.3.5
spring-webmvc-4.3.5

The following are jars/third-party components:
Spring-boot-starter-web-1.4.3
Spring-boot-starter-security-1.4.3
Spring-boot-starter-1.4.3
spring-context-4.3.5
foundation/db-impl
spring-context-3.2.13
spring-webmvc-4.3.5
spring-cloud-starter-consul-discovery-1.0.0.RELEASE

We are seeing vulnerabilities for the above components. Can you please let us know the timelines for porting fixes for the above CVEs in these (spring-messaging, Spring Data Commons, spring-webmvc) modules?


No further details from SPR-16859

@spring-projects-issues
Collaborator Author

Juergen Hoeller commented

These issues have all been resolved in recent versions of Spring Framework and Spring Data already. Please check the CVE reports for details:

https://pivotal.io/security/cve-2018-1270
https://pivotal.io/security/cve-2018-1273
https://pivotal.io/security/cve-2018-1271
https://pivotal.io/security/cve-2018-1274

In short, we recommend an upgrade to the latest Spring Framework and Spring Data maintenance releases in your branches (currently 4.3.17 and Ingalls SR11, respectively).

@spring-projects-issues
Collaborator Author

Chaitrali Talegaonkar commented

Okay. Thank you.

@spring-projects-issues spring-projects-issues added type: bug A general bug status: invalid An issue that we don't feel is valid in: messaging Issues in messaging modules (jms, messaging) in: core Issues in core modules (aop, beans, core, context, expression) and removed type: bug A general bug labels Jan 11, 2019