Bump commons-compress #8354

Closed
wants to merge 1 commit into from

Conversation

marcelstoer

@marcelstoer marcelstoer commented Feb 21, 2024

This addresses CVE-2024-25710 and CVE-2024-26308. I know your PR template says to not open PRs to bump dependencies. However, since this is security related it has IMO a higher urgency.

Fixes #8338

@marcelstoer marcelstoer requested a review from a team as a code owner February 21, 2024 06:05
@marcelstoer
Author

@eddumelendez is there any chance this will lead to an immediate release of 1.19.6 once merged?

@eddumelendez
Member

Hi, thanks for the PR. There is no plan to update the dependency because of a breaking change in the API. See #8169 (comment)

However, you can do it by yourself on your build file.

@marcelstoer
Author

Yes, I understand that. However, at #8169 (comment) you said

If the upgrade is needed because of other reasons...

I thought that commons-compress having critical vulnerabilities would be one of those "other" reasons.

@eddumelendez
Member

I've tested myself that upgrading independently works perfectly fine. As a library we want to avoid users doing things like those described in that thread.

julianladisch added a commit to folio-org/folio-vertx-lib that referenced this pull request Feb 24, 2024
…26.0

Further upgrades for Quesnelia:

Upgrade log4j from 2.22.1 to 2.23.0.

Upgrade testcontainers from 1.19.5 to 1.19.6.

Upgrade commons-compress from 1.24.0 to 1.26.0 fixing
https://nvd.nist.gov/vuln/detail/CVE-2024-25710
https://nvd.nist.gov/vuln/detail/CVE-2024-26308
see testcontainers/testcontainers-java#8354
@hailuand

👋🏾 @eddumelendez How'd you manage this?

I've tested myself that upgrading independently works perfectly fine. As a library we want to avoid users to do things like described in that thread.

When I try to upgrade commons-compress myself, I see a java.lang.NoClassDefFoundError: org/apache/commons/codec/Charsets failure at runtime.
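One way to apply the build-file override eddumelendez suggests, and to cover the missing commons-codec class hailuand hit, as an added Gradle example that is not part of this PR or the Testcontainers project. The assumption that commons-compress 1.26.0 calls into commons-codec, the commons-codec 1.16.1 version and the `checkCommonsCompress` task name are mine.

```groovy
// build.gradle (Groovy DSL), added example, not Testcontainers' own build script.
// Assumes a plain Java project that depends on org.testcontainers:testcontainers.
plugins {
    id 'java'
}

repositories {
    mavenCentral()
}

dependencies {
    testImplementation 'org.testcontainers:testcontainers:1.19.6'

    // Raise the commons-compress version Testcontainers pulls in transitively.
    // 1.26.0 is the version the referencing folio-vertx-lib commit moved to for the two CVEs.
    constraints {
        testImplementation('org.apache.commons:commons-compress:1.26.0') {
            because 'CVE-2024-25710 / CVE-2024-26308'
        }
    }

    // Assumption: commons-compress 1.26.0 uses org.apache.commons.codec.Charsets from commons-codec.
    // If that artifact does not reach the test runtime classpath, the result is the
    // NoClassDefFoundError reported above; declaring it explicitly closes that gap.
    testRuntimeOnly 'commons-codec:commons-codec:1.16.1'   // version assumed
}

// Fails the build if an older commons-compress still resolves on the test runtime
// classpath, so the override is verified instead of assumed.
tasks.register('checkCommonsCompress') {
    doLast {
        def artifact = configurations.testRuntimeClasspath.resolvedConfiguration.resolvedArtifacts
            .find { it.moduleVersion.id.group == 'org.apache.commons' &&
                    it.moduleVersion.id.name == 'commons-compress' }
        if (artifact == null) {
            throw new GradleException('commons-compress not found on testRuntimeClasspath')
        }
        def version = artifact.moduleVersion.id.version
        def parts = version.tokenize('.').collect { it.toInteger() }
        def fixed = parts[0] > 1 || (parts[0] == 1 && parts[1] >= 26)
        if (!fixed) {
            throw new GradleException("commons-compress ${version} still resolves; expected >= 1.26.0")
        }
        println "commons-compress ${version} resolved on testRuntimeClasspath"
    }
}

tasks.named('test') {
    dependsOn 'checkCommonsCompress'
}
```

Run `gradle dependencyInsight --configuration testRuntimeClasspath --dependency commons-compress` to see which rule selected the version if the check fails.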

Successfully merging this pull request may close these issues.

[Bug]: Vulnerable dependency commons-compress 1.24.0
3 participants