Details
Task
Resolution: Won't Do
6.2 Ramp-up 20
Description
Timebox: 5 SP
- Include in 6.2 if possible; otherwise in 6.2.1.
- Include in 6.1.6.
According to a security scan, Magnolia 6.1.2 ships several vulnerable libraries. Most of them are updated to a fixed version in 6.2; some are removed completely. Four libraries still need to be updated:
| Artifact | 6.1.4/6.2 version | Fixed version | Description |
|---|---|---|---|
| commons-net:commons-net | 3.1 | 3.4 or later | Apache Commons Net X.509 certificate hostname validation failure, allowing MitM spoofing. |
| org.javassist:javassist | 3.18.2-GA | 3.19.0-GA or later | Javassist main/javassist/bytecode/InstructionPrinter.java InstructionPrinter::instructionString() function IINC opcode handling, unspecified issue. |
| net.sf.json-lib:json-lib | 2.3-jdk15 | 2.4 | In Apache Struts 2.5 to 2.5.14, the REST Plugin uses an outdated JSON-lib library which is vulnerable and allows a DoS attack using a malicious request with a specially crafted JSON payload. |
| com.squareup.okhttp3:okhttp | 3.6 | 3.7 or later | OkHttp Cookie.java top-level domain cookie public suffix injection. |
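As an added check, not part of this ticket or of Magnolia's own build, the script below reads `mvn dependency:list` style output and flags the four artifacts above whenever the resolved version is below the fixed version from the table. The sample output lines are constructed, and the assumed line format is `groupId:artifactId:type[:classifier]:version:scope`, which is why the json-lib line carries `jdk15` as a classifier rather than as part of the version.

```python
import re
from typing import Dict, List, Optional, Tuple

FIXED_VERSIONS: Dict[str, str] = {  # ticket table: groupId:artifactId -> fixed version
    "commons-net:commons-net": "3.4",
    "org.javassist:javassist": "3.19.0-GA",
    "net.sf.json-lib:json-lib": "2.4",
    "com.squareup.okhttp3:okhttp": "3.7",
}

# Constructed sample in `mvn dependency:list` style; versions mirror the
# ticket's "6.1.4/6.2 version" column (json-lib carries its jdk15 classifier).
SAMPLE_DEPENDENCY_LIST = """\
[INFO]    commons-net:commons-net:jar:3.1:compile
[INFO]    org.javassist:javassist:jar:3.18.2-GA:compile
[INFO]    net.sf.json-lib:json-lib:jar:jdk15:2.3:compile
[INFO]    com.squareup.okhttp3:okhttp:jar:3.6.0:compile
[INFO]    org.slf4j:slf4j-api:jar:1.7.25:compile
"""

def parse_dependency_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (groupId:artifactId, version) for one dependency:list line, else None."""
    match = re.match(r"^\[INFO\]\s+(\S+)$", line.strip())
    if not match:
        return None
    # Assumed Maven format groupId:artifactId:type[:classifier]:version:scope, so the
    # version is the second-to-last field whether or not a classifier is present.
    parts = match.group(1).split(":")
    return (f"{parts[0]}:{parts[1]}", parts[-2]) if len(parts) in (5, 6) else None

def version_key(version: str) -> Tuple[int, ...]:
    """Numeric prefix of a Maven version, qualifiers dropped: '3.18.2-GA' -> (3, 18, 2)."""
    numeric = re.match(r"\d+(?:\.\d+)*", version)
    return tuple(int(p) for p in numeric.group(0).split(".")) if numeric else ()

def is_outdated(actual: str, fixed: str) -> bool:
    """True when actual is strictly below fixed; 3.6.0 vs 3.7 pads to (3,6,0) < (3,7,0)."""
    a, f = version_key(actual), version_key(fixed)
    width = max(len(a), len(f))
    return a + (0,) * (width - len(a)) < f + (0,) * (width - len(f))

def find_outdated(dependency_list: str) -> List[Tuple[str, str, str]]:
    """Return (artifact, resolved version, fixed version) for every outdated artifact."""
    findings = []
    for line in dependency_list.splitlines():
        parsed = parse_dependency_line(line)
        fixed = FIXED_VERSIONS.get(parsed[0]) if parsed else None
        if fixed is not None and is_outdated(parsed[1], fixed):
            findings.append((parsed[0], parsed[1], fixed))
    return findings
```

Artifacts not in the table (slf4j in the sample) are skipped, and a version that already meets the fix, such as 3.19.0-GA, is not reported.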
Checklists
Acceptance criteria