CVE-2023-5072 - Denial of Service in JSON-Java versions up to and including 20230618. #789
Comments
@elrob Thanks for letting us know. As @johnjaylward posted, it seems to me that both vulnerabilities have been addressed and it is only necessary to cut a new release. I don't think any additional code changes are needed.
@stleary can you already tell when the new release with the fix will be created?
Yes, the new release will come out later today.
Hi @stleary, could you please let me know when we can expect the release? Is there a lower version that we can use to avoid hitting this vulnerability?
Release
@stleary was it strictly necessary to require JDK 8 for this release?
@lhazlewood It was not strictly necessary.
@elrob @TimoBuechert Release
@stleary I maintain a library that is used with both Java and Android, and we support JDK 7 (at the moment) mostly for Android's purposes (which uses
Haven't tested it thoroughly yet, but our main issue is that Not sure if it's an administration error, or if they feel that I'll try to contact SonaType to see what's up. Update: opened support ticket:
Update 2: apparently there's a dedicated place to submit corrections. So I've done so.
@PayBas Thanks for checking. Perhaps they found a different way to recreate the problem.
If there is to be another release for this, would it be possible to build with JDK 7? My maven profile workaround didn't work as I expected. If not, I'll understand, but I thought I'd ask in case it wasn't too difficult a request to entertain.
@stleary it seems to have worked. https://ossindex.sonatype.org/component/pkg:maven/org.json/json@20231013
The CVE still appears to be under analysis, but hopefully it will be cleared soon, too.
@lhazlewood Yes, this can be done. Will the same code in a different repo work for you?
@stleary how do you mean different repo?
@lhazlewood It has not been decided yet. Might be a different repo that is published to Maven and tracks JSON-Java but is Java 7 compatible, or #741 might be reverted, which could get complicated. Do you have any thoughts or concerns about either option?
I think it would be best if we could make a The Does that work for you @stleary?
@stleary @johnjaylward that sounds like a nice option if possible!
@stleary, here is an example of what the PR would look like if we created the
@johnjaylward Your idea sounds like a good approach and probably the least disruptive of the options. What do you think this would look like in the Maven repo?
@stleary When can we expect a backport for 20230618? I think @johnjaylward's approach sounds ok.
@nathan454 Are you working on the same project as @lhazlewood, or is this a new request?
New request.
Why is there a requirement for Java 7? Is this for older Android support, or some other reason?
Hi @johnjaylward,
20231013 should be the fixed version. We decided to NOT point release 20230618 at this time.
@johnjaylward I have been thinking about that. Now that Hacktoberfest is over, is there any reason why we could not do a point release of
I don't see an issue with it. Would just need to update the deployment yml to compile to java7 |
https://nvd.nist.gov/vuln/detail/CVE-2023-5072
GHSA-rm7j-f5g5-27vv