Upgrade nimbus-jose-jwt to version 9.37.3 #14836

Closed
rhanton opened this issue Apr 3, 2024 · 2 comments
Labels: in: build (An issue in the build), type: dependency-upgrade (A dependency upgrade)

Comments

rhanton commented Apr 3, 2024

Expected Behavior

According to the connect2id issue opened by folks working on spring-security in Sept at https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions/issues/441/dependency-convergence-failed-for-nimbus, spring-security moved back to v9.24.4 awaiting release of 9.37.3, which was released Dec 8, 2023 (see https://mvnrepository.com/artifact/com.nimbusds/nimbus-jose-jwt/9.37.3). Can spring-security bump to that version safely now to prevent any potential vulns due to https://nvd.nist.gov/vuln/detail/CVE-2023-52428, perhaps?

Current Behavior

Currently spring-security is on a Sept 9, 2022 version of com.nimbusds:nimbus-jose-jwt = 9.24.4.

Context

Would love to see this bump to resolve automated checks we do via a dependency scanner for PCI compliance. The alternative would be if I can use a property to override the version used (à la some of spring-boot), or do a Maven exclusion, I guess.

@rhanton rhanton added status: waiting-for-triage An issue we've not yet triaged type: enhancement A general enhancement labels Apr 3, 2024
rhanton commented Apr 3, 2024

I got most of my info from reading #13843, FYI.

@jzheaux jzheaux self-assigned this Apr 16, 2024
@jzheaux jzheaux added in: build An issue in the build type: dependency-upgrade A dependency upgrade and removed status: waiting-for-triage An issue we've not yet triaged type: enhancement A general enhancement labels Apr 16, 2024
@jzheaux jzheaux added this to the 6.2.5 milestone Apr 17, 2024
jzheaux added a commit that referenced this issue Apr 23, 2024
@AlexeyTsvetkov commented

@jzheaux Hi! Is it possible that 6.1.x will be updated as well?

@jzheaux jzheaux moved this to Done in Spring Security Team May 28, 2024