[BUILD-1125] Update to JackRabbit 2.20.11

Created: 07/Aug/23 | Updated: 12/Dec/23 | Resolved: 07/Aug/23

| Status: | Closed |
| Project: | Build |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | BOM 6.2.38 |
| Type: | Task |
| Priority: | Neutral |
| Reporter: | Federico Grilli |
| Assignee: | Federico Grilli |
| Resolution: | Done |
| Votes: | 0 |
| Labels: | security |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: | |
| Template: | |
| Acceptance criteria: | Empty |
| Task DoR: | Empty |
| Release notes required: | Yes |
| Team: | |
| Work Started: | |
| Approved: | Yes |

Description
https://nvd.nist.gov/vuln/detail/CVE-2023-37895

Not an actual security issue as far as Magnolia is concerned, since the components involved aren't used (see also https://lists.apache.org/thread/j03b3qdhborc2jrhdc4d765d3jkh8bfw). We're going to update anyway to the latest version where possible (Magnolia 6.2.x) and suppress the CVE for Magnolia 5.7.x, as the latter uses an EOL version of JackRabbit (2.18.x) which no longer receives updates.

Those look like false positives owing to the fact that the CPE for CVE-2023-37895 matches any Jackrabbit artifact: `cpe:2.3:a:apache:jackrabbit:*:*:*:*:*:*:*:*`
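As an added example, not part of the ticket, here is the kind of suppression entry the 5.7.x branch would carry. It assumes the scanner is OWASP dependency-check and that the Jackrabbit artifacts come from the Maven group `org.apache.jackrabbit`; the ticket names neither, so both are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example; assumes OWASP dependency-check. The packageUrl restricts the
     suppression to Jackrabbit artifacts and the <cve> to this one ID, so a
     different CVE on the same artifacts, or this CVE on another artifact,
     is still reported. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
      BUILD-1125: CVE-2023-37895 is bound to the CPE
      cpe:2.3:a:apache:jackrabbit:*:*:*:*:*:*:*:*, which matches every
      Jackrabbit artifact. The affected components are not used by Magnolia,
      and 5.7.x stays on the EOL 2.18.x line, so the finding is a false positive.
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.apache\.jackrabbit/.*$</packageUrl>
    <cve>CVE-2023-37895</cve>
  </suppress>
</suppressions>
```

Leaving out the `packageUrl` would silence the CVE for every dependency in the build, which is the usual mistake with a CPE-level false positive.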