Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update Spring IO Platform 1.1.5+ on 5.0.x line #392

Closed
1 task done
kazuki43zoo opened this issue Nov 2, 2015 · 7 comments
Closed
1 task done

Update Spring IO Platform 1.1.5+ on 5.0.x line #392

kazuki43zoo opened this issue Nov 2, 2015 · 7 comments
Assignees
@btshimizukza
Labels
type: misc
Milestone
5.0.2

Comments

@kazuki43zoo
Copy link
Contributor

Description

Fix http://pivotal.io/security/cve-2015-5211.
https://jira.spring.io/browse/SPR-13656

Possible Solutions

Update spring version.

Note:
We will consider whether applying Spring IO Platform 1.1.5+.
But if no new IOPF is released, we override Spring version by ourselves.

Affects Version/s

  • 5.0.0.RELEASE - 5.0.1.RELEASE

Fix Version/s

  • 5.0.2

Issue Links
@kazuki43zoo kazuki43zoo added this to the 5.0.2 milestone Nov 2, 2015
@kazuki43zoo
Copy link
Contributor Author

Framework Stack

Library Name Spring IO Platform 1.1.3.RELEASE (gfw 5.0.1) Spring IO Platform 1.1.4.RELEASE Spring IO Platform 1.1.5.RELEASE Remarks
Spring Framework 4.1.7.RELEASE _4.1.8.RELEASE_ _4.1.9.RELEASE_ Required, updated at 12/18
Spring Security 3.2.7.RELEASE 3.2.8.RELEASE 3.2.9.RELEASE updated at 12/14
Spring Data Commons 1.9.3.RELEASE 1.9.4.RELEASE -
Spring Data JPA 1.7.3.RELEASE 1.7.4.RELEASE -
Spring Boot 1.2.5.RELEASE 1.2.7.RELEASE 1.2.8.RELEASE Use only for dependency management, updated at 12/18
AspectJ 1.8.6 1.8.7 -
Hibernate ORM 4.3.10.Final 4.3.11.Final -
Apache Commons Collection 3.2.1 - _3.2.2_ added at 12/14
SLF4J 1.7.12 - 1.7.13 added at 12/14

Others (test scope or provided scope)

Library Name Spring IO Platform 1.1.3.RELEASE (gfw 5.0.1) Spring IO Platform 1.1.4.RELEASE Spring IO Platform 1.1.5.RELEASE Remarks
Tomcat 7.0.59 7.0.64 7.0.67 Updated at 12/18
Mockito 1.10.8 1.10.19 -

@kazuki43zoo
Copy link
Contributor Author

Related bug will be fix at next release (4.1.9).
https://jira.spring.io/browse/SPR-13629

@ikeyat ikeyat mentioned this issue Dec 14, 2015
Closed
1 task
@ikeyat
Copy link
Contributor

ikeyat commented Dec 14, 2015

Another vulnerability like commons-collections was found in Spring 4 and fixed in 4.1.9.
https://jira.spring.io/browse/SPR-13656

We must adopt 4.1.9 for next 5.0.2.RELEASE. (I fixed the subject of this issue)

@ikeyat ikeyat changed the title Update Spring 4.1.8+ on 5.0.x line Update Spring 4.1.9+ on 5.0.x line Dec 14, 2015
@ikeyat
Copy link
Contributor

ikeyat commented Dec 14, 2015

Keep eyes on IO Platform 1.1.5.
http://docs.spring.io/platform/docs/1.1.5.BUILD-SNAPSHOT/reference/htmlsingle/#appendix-dependency-versions

@making
Copy link
Contributor

making commented Dec 17, 2015

https://spring.io/blog/2015/12/17/spring-framework-4-2-4-4-1-9-released
4.1.9 has been released.

@kazuki43zoo
Copy link
Contributor Author

Spring IO Platform 1.1.5.RELEASE has been released.
http://spring.io/blog/2015/12/18/spring-io-platform-1-1-5-release

@ikeyat
Copy link
Contributor

ikeyat commented Dec 19, 2015

Spring IO Platform 1.1.5.RELEASE includes Apache Commons Collection 3.2.2 whose vulnerability was fixed.
We can resolve #444 with this issue for 5.0.x line.

@ikeyat ikeyat changed the title Update Spring 4.1.9+ on 5.0.x line Update Spring IO Platform 1.1.5+ on 5.0.x line Dec 19, 2015
kazuki43zoo added a commit that referenced this issue Dec 19, 2015
@kazuki43zoo
Update to Spring IO Platform 1.1.5 #392
291742b 
* Apply fix version for CVE-2015-5211
* Apply fix version for COLLECTIONS-580
@kazuki43zoo kazuki43zoo mentioned this issue Dec 19, 2015
Merged
ikeyat added a commit that referenced this issue Dec 19, 2015
@ikeyat
Merge pull request #452 from terasolunaorg/issues/392_spring-io-platf…
0faa644 
…orm-1.1.5

Update to Spring IO Platform 1.1.5 #392
@ikeyat ikeyat closed this as completed Dec 19, 2015
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@btshimizukza btshimizukza

Labels
type: misc
Projects
None yet
Milestone
5.0.2
Development

No branches or pull requests
4 participants
@making @kazuki43zoo @btshimizukza @ikeyat