
Some vulnerability fixes #2610

Merged
merged 6 commits into from
Mar 22, 2024

@tesshucom tesshucom commented Mar 22, 2024

There is no change in functionality. It will include some security fixes.

Most of these are unrelated to running the Jpsonic server. However, at Jpsonic we believe it is very important to keep platform caveats to a minimum. Too many warnings can hide a really big problem.

Maintenance


Fix not to install curl on Alpine

Alpine's Jpsonic image had curl installed. This has been changed so that it is no longer installed, as it was only used during testing. (Fixed to use "curl on GitHub" during testing.) CVE-2024-0853. Basically, our policy is to eliminate unnecessary modules.

CVE warning counts are transitive. However, at the time this patch is released, the analysis results for the entire Docker image will be as follows.

Jpsonic - Alpine

image

Jpsonic - Ubuntu (Jammy)

image


What's the last CVE warning?

The last CVE warning is CVE-2024-25062. This has already been resolved in the upstream Alpine.

image

In other words, there is a problem with Jpsonic's layer. You can use the following command to find out where the problem occurs.

```
docker exec jpsonic apk info -r libxml2
```

```
libxml2-2.11.7-r0 is required by:
ffmpeg-libavformat-6.1.1-r0
```

If ffmpeg is updated in the near future, this may be resolved. False positive?

(I do not consider this warning to be serious.)


A few days later, security checks on Docker no longer display warnings regarding CVE-2024-25062. It seems like it was a false positive after all.
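As an added example (not code from this PR or from the Jpsonic project), the following POSIX sh script generalizes the `apk info -r` step above: for each package a scanner flagged, it looks up the `X is required by:` listing, parses out the dependents, and reports which installed packages pull the flagged one in, marking packages that nothing requires as direct installs (the curl case). The `sample_apk_info_r` output, its version numbers and all function names are constructed assumptions so the script runs without apk or Docker.

```shell
#!/bin/sh
# Added example, not from the Jpsonic PR: map packages a scanner flagged on an
# Alpine image to the installed packages that require them, using the output
# format of `apk info -r <pkg>` shown in the PR.

# Constructed stand-in for `apk info -r` so the script runs without apk or Docker.
# The package versions here are sample values, not real scan data.
sample_apk_info_r() {
    case "$1" in
        libxml2) printf '%s\n' 'libxml2-2.11.7-r0 is required by:' 'ffmpeg-libavformat-6.1.1-r0' ;;
        curl)    printf '%s\n' 'curl-8.5.0-r0 is required by:' ;;
        *)       return 1 ;;   # unknown package: signal failure to the caller
    esac
}

# Real lookup: `apk info -r` when running inside the container, else the sample.
apk_reverse_deps() {
    if command -v apk >/dev/null 2>&1; then apk info -r "$1"; else sample_apk_info_r "$1"; fi
}

# Reads `apk info -r` output on stdin; prints one dependent per line, dropping the
# "X is required by:" header, blank lines and surrounding whitespace.
parse_dependents() {
    awk '/ is required by:$/ { next }
         { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, ""); if ($0 != "") print }'
}

# Joins stdin lines with commas (prints an empty line for empty input).
join_commas() {
    awk 'NR > 1 { printf "," } { printf "%s", $0 } END { print "" }'
}

# triage LOOKUP PKG...: one "PKG<TAB>result" line per flagged package, where result is
# the comma-separated dependents, DIRECT when nothing requires it (a removal candidate,
# like curl in this PR), or NOT-INSTALLED when the lookup fails.
triage() {
    lookup=$1; shift
    for pkg in "$@"; do
        if out=$("$lookup" "$pkg"); then
            deps=$(printf '%s\n' "$out" | parse_dependents | join_commas)
            printf '%s\t%s\n' "$pkg" "${deps:-DIRECT}"
        else
            printf '%s\tNOT-INSTALLED\n' "$pkg"
        fi
    done
}

# Usage inside the image, e.g. via `docker exec jpsonic`: sh triage.sh libxml2 curl
if [ "$#" -gt 0 ]; then triage apk_reverse_deps "$@"; fi
```

A DIRECT result means the package sits in the image's own layer rather than being pulled in by something else, so it is the first candidate to drop, as curl was here.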

snyk-bot and others added 6 commits March 21, 2024 19:08
Bumps org.apache.commons:commons-configuration2 from 2.9.0 to 2.10.1.

---
updated-dependencies:
- dependency-name: org.apache.commons:commons-configuration2
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@tesshucom tesshucom added the type: hotfix Should be in patch release instead of next version release label Mar 22, 2024
@tesshucom tesshucom added this to the jpsonic 114.1 milestone Mar 22, 2024
@tesshucom tesshucom self-assigned this Mar 22, 2024
@tesshucom tesshucom merged commit 530ecc1 into master Mar 22, 2024
1 of 2 checks passed
@tesshucom tesshucom deleted the release branch March 22, 2024 21:33