
CVE-2022-31197 in pgjdbc transitive dependency (requires manual dependency override) #5062

Closed
dbahatSAP opened this issue Aug 24, 2022 · 5 comments · Fixed by spring-cloud/spring-cloud-dataflow-build#83
Labels: status/in-progress (Something is happening)

Comments

@dbahatSAP
Contributor

dbahatSAP commented Aug 24, 2022

Hi,

Following the decision by both the pgjdbc maintainers and the Spring Boot team, security issue CVE-2022-31197 in pgjdbc will only get patched with the release of Spring Boot 3 in a few months.
To mitigate, can we please manually override postgresql.version with a version >= 42.4.1, as was suggested by both teams?

Thanks,
-David
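For a Spring Boot 2.x Maven project that inherits from spring-boot-starter-parent, the override the reporter asks for, paired with an enforcer rule that fails the build if a vulnerable pgjdbc version is still resolved transitively, looks like this (added example, not from the issue or the SCDF build; the maven-enforcer-plugin version and the rule id are assumptions):

```xml
<project>
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.7.3</version>
  </parent>

  <properties>
    <!-- Overrides the version Spring Boot's dependency management pins for
         org.postgresql:postgresql. This property mechanism only works when the
         Boot parent is inherited; with an imported BOM instead, declare the
         artifact in dependencyManagement before the BOM import. -->
    <postgresql.version>42.4.1</postgresql.version>
  </properties>

  <build>
    <plugins>
      <plugin>
        <!-- Plugin version is an assumed example value. -->
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>3.1.0</version>
        <executions>
          <execution>
            <id>ban-vulnerable-pgjdbc</id>
            <goals>
              <goal>enforce</goal>
            </goals>
            <configuration>
              <rules>
                <bannedDependencies>
                  <!-- Any pgjdbc below 42.4.1 fails the build, including
                       versions pulled in transitively by other starters. -->
                  <excludes>
                    <exclude>org.postgresql:postgresql:[,42.4.1)</exclude>
                  </excludes>
                  <searchTransitive>true</searchTransitive>
                </bannedDependencies>
              </rules>
              <fail>true</fail>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

Run `mvn dependency:tree -Dincludes=org.postgresql` to confirm that only the overridden version is resolved before relying on the override.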

@github-actions github-actions bot added the status/need-triage Team needs to triage and take a first look label Aug 24, 2022
@onobc
Contributor

onobc commented Aug 24, 2022

We will look into doing this in 2.10.0-M2, which should be available in ~2 wks.

@dbahatSAP
Contributor Author

Since it's a security issue, it would be great if you could also backport it into the latest stable release.

@onobc onobc self-assigned this Aug 24, 2022
@onobc onobc added status/in-progress Something is happening and removed status/need-triage Team needs to triage and take a first look labels Aug 24, 2022
@onobc
Contributor

onobc commented Aug 24, 2022

Thanks for the report @dbahatSAP (I forgot to say that initially).

Yes, we will look into the CVE to see if it is one that would affect SCDF. If so, we will then most likely release a patch w/ the 42.4.2. I created #5063 prior to the investigation so that you can have visibility on that as well.

Some further info:

  • SCDF 2.9.x uses SB 2.5.14 -> 42.2.25
  • SCDF 2.10.x uses SB 2.7.3 -> 42.3.6

Latest org.postgresql:postgresql:42.4.2

@dbahatSAP
Contributor Author

Thanks! Actually, for SCDF 2.9.x we can upgrade a minor version to 42.2.26 (it's just the 42.3.x generation that will remain without a fix).

@onobc
Contributor

onobc commented Aug 24, 2022

That's good to know @dbahatSAP - I will comment in that ticket.
