Timebox: 5 SP
- Include in 6.2 if possible; otherwise in 6.2.1.
- Include in 6.1.6.
According to a security scan there are several vulnerable libraries in Magnolia 6.1.2. Most of them are updated to a fixed version in 6.2, and some are removed completely. Four libraries still need to be updated:
| Artifact | 6.1.4/6.2 version | Fixed version | Description |
| --- | --- | --- | --- |
| commons-net:commons-net | 3.1 | 3.4 or later | Apache Commons Net X.509 Certificate Hostname Validation Failure MitM Spoofing. |
| org.javassist:javassist | 3.18.2-GA | 3.19.0-GA or later | Javassist main/javassist/bytecode/InstructionPrinter.java InstructionPrinter::instructionString() Function IINC Opcode Handling Unspecified Issue. |
| net.sf.json-lib:json-lib | 2.3-jdk15 | 2.4 | In Apache Struts 2.5 to 2.5.14, the REST Plugin uses an outdated JSON-lib library which is vulnerable and allows a DoS attack using a malicious request with a specially crafted JSON payload. |
| com.squareup.okhttp3:okhttp | 3.6 | 3.7 or later | OkHttp Cookie.java Top-level Domain Cookie Public Suffix Injection. |
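As an added example (not part of this ticket or of Magnolia's build), the following script checks a Maven `pom.xml` against the fixed versions listed in the table above and reports every tracked dependency that is still below its fixed version. The `pom.xml` content is a constructed sample, not Magnolia's real POM, and the version comparison is a deliberately simple numeric comparison that ignores qualifiers such as `-GA` or `-jdk15` (an assumption that holds for the four artifacts here, but not for every Maven versioning scheme).

```python
import re
import xml.etree.ElementTree as ET

# Minimum safe versions from the scan table in the ticket (groupId:artifactId -> fixed version).
FIXED_VERSIONS = {
    "commons-net:commons-net": "3.4",
    "org.javassist:javassist": "3.19.0-GA",
    "net.sf.json-lib:json-lib": "2.4",
    "com.squareup.okhttp3:okhttp": "3.7",
}

# Constructed sample POM (not Magnolia's own). okhttp is already on a fixed
# version and commons-lang is not tracked by the table, so neither is reported.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>commons-net</groupId><artifactId>commons-net</artifactId><version>3.1</version></dependency>
    <dependency><groupId>org.javassist</groupId><artifactId>javassist</artifactId><version>3.18.2-GA</version></dependency>
    <dependency><groupId>net.sf.json-lib</groupId><artifactId>json-lib</artifactId><version>2.3-jdk15</version></dependency>
    <dependency><groupId>com.squareup.okhttp3</groupId><artifactId>okhttp</artifactId><version>3.7.0</version></dependency>
    <dependency><groupId>commons-lang</groupId><artifactId>commons-lang</artifactId><version>2.6</version></dependency>
  </dependencies>
</project>"""

NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def version_key(version):
    """Turn '3.18.2-GA' into (3, 18, 2). Qualifiers after '-' are ignored (assumption)."""
    numeric = version.split("-", 1)[0]
    return tuple(int(part) for part in re.findall(r"\d+", numeric))


def is_outdated(current, fixed):
    """True if `current` sorts below `fixed` after padding to equal length, so 3.7.0 == 3.7."""
    cur, fix = version_key(current), version_key(fixed)
    width = max(len(cur), len(fix))
    cur += (0,) * (width - len(cur))
    fix += (0,) * (width - len(fix))
    return cur < fix


def find_outdated(pom_xml):
    """Return [(groupId:artifactId, current version, fixed version)] for tracked deps that are too old."""
    root = ET.fromstring(pom_xml)
    outdated = []
    for dep in root.iterfind(".//m:dependency", NS):
        group = dep.findtext("m:groupId", namespaces=NS)
        artifact = dep.findtext("m:artifactId", namespaces=NS)
        version = dep.findtext("m:version", namespaces=NS)
        coordinate = f"{group}:{artifact}"
        fixed = FIXED_VERSIONS.get(coordinate)
        # Dependencies without an inline <version> (managed elsewhere) are skipped here.
        if fixed and version and is_outdated(version, fixed):
            outdated.append((coordinate, version, fixed))
    return outdated


if __name__ == "__main__":
    for coordinate, current, fixed in find_outdated(SAMPLE_POM):
        print(f"{coordinate}: {current} -> upgrade to {fixed} or later")
```

Versions declared only in a parent POM or a `dependencyManagement` section are not resolved by this script; running `mvn dependency:tree` and feeding the effective versions to `is_outdated` covers that case.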