[MGNLIMG-217] CLONE - Update 3rd party libraries to fix security issues Created: 19/Mar/20  Updated: 20/Mar/20  Resolved: 20/Mar/20

Status: Closed
Project: Imaging
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Task Priority: Neutral
Reporter: Canh Nguyen Assignee: Canh Nguyen
Resolution: Won't Do Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Cloners
Template:
Acceptance criteria:
Empty
Task DoR:
Empty
Epic Link: Support
Sprint: 6.2 Ramp-up 20
Story Points: 0

Description

Timebox: 5 SP

  • include in 6.2 if possible; otherwise in 6.2.1.
  • include in 6.1.6

According to a security scan there are several vulnerable libraries in Magnolia 6.1.2. Most of them are updated to a fixed version in 6.2, and some were removed entirely. Four libraries still need to be updated (version shipped in 6.1.4/6.2, minimum fixed version, and the scanner's finding):

  • commons-net:commons-net: 3.1 shipped; update to 3.4 or later. Apache Commons Net X.509 certificate hostname validation failure, allowing MitM spoofing.
  • org.javassist:javassist: 3.18.2-GA shipped; update to 3.19.0-GA or later. Javassist main/javassist/bytecode/InstructionPrinter.java InstructionPrinter::instructionString() IINC opcode handling, unspecified issue.
  • net.sf.json-lib:json-lib: 2.3-jdk15 shipped; update to 2.4. The scanner quotes the Apache Struts advisory text (in Struts 2.5 to 2.5.14 the REST plugin uses an outdated json-lib that allows a DoS attack via a malicious request with a specially crafted JSON payload); the vulnerable component is json-lib itself, which is why it is flagged here.
  • com.squareup.okhttp3:okhttp: 3.6 shipped; update to 3.7 or later. OkHttp Cookie.java top-level domain cookie public suffix injection.
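A quick way to verify that a build no longer pulls any of the four flagged versions is to run `mvn dependency:list` and compare each resolved artifact against the minimum fixed version from the table above. The script below is an added example for that check; it is not Magnolia's own tooling, and the `mvn dependency:list` output it parses is constructed here to match the table (the json-lib line uses Maven's classifier form, `jar:jdk15:2.3`, which is how the "2.3-jdk15" build shows up in a dependency listing).

```python
import re
from typing import List, Optional, Tuple

# Minimum fixed versions from the ticket's table, keyed by groupId:artifactId.
MIN_FIXED = {
    "commons-net:commons-net": "3.4",
    "org.javassist:javassist": "3.19.0-GA",
    "net.sf.json-lib:json-lib": "2.4",
    "com.squareup.okhttp3:okhttp": "3.7",
}

# Constructed sample of `mvn dependency:list` output (not real project output).
SAMPLE_OUTPUT = """\
[INFO] The following files have been resolved:
[INFO]    commons-net:commons-net:jar:3.1:compile
[INFO]    org.javassist:javassist:jar:3.18.2-GA:compile
[INFO]    net.sf.json-lib:json-lib:jar:jdk15:2.3:compile
[INFO]    com.squareup.okhttp3:okhttp:jar:3.7.0:compile
[INFO]    org.apache.commons:commons-lang3:jar:3.9:compile
"""


def numeric_parts(version: str) -> Tuple[int, ...]:
    """Leading dotted numeric components: '3.18.2-GA' -> (3, 18, 2), '2.3-jdk15' -> (2, 3).

    Qualifiers such as GA or jdk15 are ignored; for the four artifacts above the
    numeric prefix alone decides whether the fixed release is reached.
    """
    m = re.match(r"(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_below(found: str, minimum: str) -> bool:
    """True if `found` is older than `minimum`; '3.7.0' is not below '3.7'."""
    a, b = numeric_parts(found), numeric_parts(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def parse_dependency_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (groupId:artifactId, version) for a dependency:list line, else None.

    Handles both 'g:a:type:version:scope' and 'g:a:type:classifier:version:scope'.
    """
    text = line.strip()
    if text.startswith("[INFO]"):
        text = text[len("[INFO]"):].strip()
    text = text.split(" -- ", 1)[0].strip()  # newer Maven appends "-- module ..."
    fields = text.split(":")
    if len(fields) == 5:
        group, artifact, _type, version, _scope = fields
    elif len(fields) == 6:
        group, artifact, _type, _classifier, version, _scope = fields
    else:
        return None
    return f"{group}:{artifact}", version


def find_vulnerable(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (artifact, found version, minimum fixed version) for every flagged artifact."""
    findings = []
    for line in lines:
        parsed = parse_dependency_line(line)
        if parsed is None:
            continue
        ga, version = parsed
        minimum = MIN_FIXED.get(ga)
        if minimum is not None and is_below(version, minimum):
            findings.append((ga, version, minimum))
    return findings


if __name__ == "__main__":
    # Real usage: mvn dependency:list > deps.txt; python check.py < deps.txt
    for ga, found, minimum in find_vulnerable(SAMPLE_OUTPUT.splitlines()):
        print(f"{ga}: {found} is below fixed version {minimum}")
```

In the constructed sample, commons-net, javassist and json-lib are reported and okhttp 3.7.0 is not, which is the outcome the ticket's table calls for. Run the check against the dependency list of every module that ships a release, not only the top-level POM, since a transitive dependency can reintroduce an old version.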

 


Generated at Mon Feb 12 02:13:25 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.