Conversation

fredbalves86
Contributor

@fredbalves86 fredbalves86 commented May 9, 2023

Bump oauth2-oidc-sdk to 10.7.1 to update json-smart to 2.4.10

oauth2-oidc-sdk:9.43.1 uses json-smart-2.4.8, which is vulnerable to CVE-2023-1370.

Updated the version to 10.7.1 to use json-smart-2.4.10, which fixes the vulnerability.

Bump oauth2-oidc-sdk to 10.7.1 to update json-smart to 2.4.10
@pivotal-cla

@fredbalves86 Please sign the Contributor License Agreement!


@pivotal-cla

@fredbalves86 Thank you for signing the Contributor License Agreement!

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label May 9, 2023
@jzheaux
Contributor

jzheaux commented May 10, 2023

Thanks for the PR, @fredbalves86. Since oauth2-oidc-sdk:10.x contains breaking changes, I'd like to try and wait until Spring Security 7. In the meantime, I wonder if the Nimbus team would consider backporting the CVE fix to 9.43.x.

@jzheaux jzheaux added in: build An issue in the build type: dependency-upgrade A dependency upgrade type: breaks-passivity A change that breaks passivity with the previous release and removed status: waiting-for-triage An issue we've not yet triaged labels May 10, 2023
@jzheaux jzheaux self-assigned this May 10, 2023
@jzheaux
Contributor

jzheaux commented May 10, 2023

I've logged an issue to see what response we get.

@jzheaux jzheaux added the status: blocked An issue that's blocked on an external project change label May 10, 2023
Change oauth2-oidc-sdk to 9.43.2
@fredbalves86
Contributor Author

I've logged an issue to see what response we get.

They've released the new version 9.43.2. Updated the PR with the new commit.

@jzheaux jzheaux removed status: blocked An issue that's blocked on an external project change type: breaks-passivity A change that breaks passivity with the previous release labels May 15, 2023
@jzheaux jzheaux added this to the 5.8.4 milestone May 15, 2023
@jzheaux jzheaux merged commit ed0369a into spring-projects:5.8.x May 15, 2023
@jzheaux
Contributor

jzheaux commented May 15, 2023

Thanks, @fredbalves86! This is now merged into 5.8.x, 6.0.x, and main.

@fredbalves86 fredbalves86 deleted the bump_oauth2-oidc-sdk_to_10.7.1 branch May 16, 2023 15:56