Project: Imaging
MGNLIMG-217

CLONE - Update 3rd party libraries to fix security issues


Details

    • Type: Task
    • Resolution: Won't Do
    • Neutral
    • Sprint: 6.2 Ramp-up 20

    Description

      Timebox: 5 SP

      • Include in 6.2 if possible, otherwise in 6.2.1.
      • Include in 6.1.6.

      According to a security scan, several vulnerable libraries ship with Magnolia 6.1.2. Most of them are already updated to a fixed version in 6.2, and some were removed completely. Four libraries still need to be updated:

      Artifact (version in 6.1.4/6.2; fixed version) and scanner finding:

      • commons-net:commons-net (3.1; 3.4 or later): Apache Commons Net X.509 certificate hostname validation failure, MitM spoofing.
      • org.javassist:javassist (3.18.2-GA; 3.19.0-GA or later): Javassist main/javassist/bytecode/InstructionPrinter.java InstructionPrinter::instructionString() function IINC opcode handling, unspecified issue.
      • net.sf.json-lib:json-lib (2.3-jdk15; 2.4): In Apache Struts 2.5 to 2.5.14, the REST Plugin uses an outdated JSON-lib library which is vulnerable and allows a DoS attack using a malicious request with a specially crafted JSON payload.
      • com.squareup.okhttp3:okhttp (3.6; 3.7 or later): OkHttp Cookie.java top-level domain cookie public suffix injection.
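The following is an added example, not code from this ticket or from the Magnolia code base. It reads text in the shape of `mvn dependency:list` output and flags any of the four artifacts above that still resolve below the minimum fixed version listed in the table. The sample dependency list is constructed for the example (the classifier form `net.sf.json-lib:json-lib:jar:jdk15:2.3` is an assumption about how the `2.3-jdk15` build appears in Maven output); the minimum versions are taken from the table and treated as "or later" minimums. Version comparison deliberately ignores qualifiers such as `-GA`, which is sufficient for these four cases but would not distinguish `3.19.0-GA` from a `3.19.0-SNAPSHOT`.

```python
"""Flag ticket artifacts that still resolve below the fixed version.

Added example for MGNLIMG-217, not part of Magnolia. Input is text in the
shape of `mvn dependency:list` output, one artifact per line:
    [INFO]    groupId:artifactId:type[:classifier]:version:scope
"""
import re

# Minimum fixed versions from the ticket's table (assumed "or later" minimums).
MIN_FIXED = {
    "commons-net:commons-net": "3.4",
    "org.javassist:javassist": "3.19.0-GA",
    "net.sf.json-lib:json-lib": "2.4",
    "com.squareup.okhttp3:okhttp": "3.7",
}

# Constructed sample in mvn dependency:list format; not a real scan of Magnolia.
# The json-lib line assumes the jdk15 build shows up as a Maven classifier.
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    commons-net:commons-net:jar:3.1:compile
[INFO]    org.javassist:javassist:jar:3.18.2-GA:compile
[INFO]    net.sf.json-lib:json-lib:jar:jdk15:2.3:compile
[INFO]    com.squareup.okhttp3:okhttp:jar:3.6.0:compile
[INFO]    org.apache.commons:commons-lang3:jar:3.9:compile
"""

_DEP_LINE = re.compile(r"^\[INFO\]\s+(\S+:\S+)$")


def version_key(version):
    """Numeric tuple for comparison; qualifiers after '-' (e.g. '-GA') are dropped."""
    numeric = version.split("-", 1)[0]
    return tuple(int(p) if p.isdigit() else 0 for p in numeric.split("."))


def is_below(found, minimum):
    """True if `found` sorts below `minimum` numerically (missing components count as 0)."""
    a, b = version_key(found), version_key(minimum)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a < b


def parse_dependency_list(text):
    """Map 'groupId:artifactId' -> resolved version, tolerating an optional classifier."""
    deps = {}
    for line in text.splitlines():
        m = _DEP_LINE.match(line)
        if not m:
            continue
        parts = m.group(1).split(":")
        if len(parts) < 5:  # need at least group:artifact:type:version:scope
            continue
        # Version is always second from the right, whether or not a classifier is present.
        deps[f"{parts[0]}:{parts[1]}"] = parts[-2]
    return deps


def find_outdated(text, minimums=MIN_FIXED):
    """Return {artifact: (resolved_version, minimum_fixed_version)} for artifacts still below the fix."""
    deps = parse_dependency_list(text)
    return {
        key: (version, minimums[key])
        for key, version in deps.items()
        if key in minimums and is_below(version, minimums[key])
    }


if __name__ == "__main__":
    for key, (found, needed) in sorted(find_outdated(SAMPLE_DEPENDENCY_LIST).items()):
        print(f"{key}: resolved {found}, needs {needed} or later")
```

Run it against the real output of `mvn dependency:list` for the Magnolia modules in question; an empty result means all four artifacts resolve at or above the versions the scan asked for.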


              canh.nguyen Canh Nguyen