Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cherry-pick CVEs fixes and javadoc upgrade #231

Merged
merged 3 commits into from
Jul 4, 2023
Merged

Cherry-pick CVEs fixes and javadoc upgrade #231

merged 3 commits into from
Jul 4, 2023

Conversation

ricardozanini
Copy link
Member

Many thanks for submitting your Pull Request ❤️!

What this PR does / why we need it:
Cherry pick for:

Special notes for reviewers:
As soon as we merge this, we can release 4.0.4

Additional information (if needed):

manick02 and others added 3 commits July 3, 2023 18:29
@manick02 @ricardozanini
serverlessworkflow#193 fix CVE:Cx78f40514-81ff
1516638 
Signed-off-by: manick02 <manickavasagam.sundaram@gmail.com>
@ricardozanini
Fix serverlessworkflow#229 - Fix CVE-2017-5929, CVE-2020-15250, and C…
5310564 
…VE-2022-45688

Signed-off-by: Ricardo Zanini <zanini@redhat.com>
@ricardozanini
Ignore javadoc errors
a8e81da 
Signed-off-by: Ricardo Zanini <zanini@redhat.com>
@ricardozanini ricardozanini self-assigned this Jul 3, 2023
@ricardozanini ricardozanini added the security fix Security fix generated by WhiteSource label Jul 3, 2023
@ricardozanini ricardozanini merged commit f87a94b into serverlessworkflow:4.0.x Jul 4, 2023
3 checks passed
@ricardozanini ricardozanini deleted the cherry-pick-cve-4.0.3 branch July 4, 2023 10:47
@shahbaaz31here
Copy link

Hi Members,
The org.json dependency is detected with a vulnerability very recently which is being used in 4.0.4.Final :
https://mvnrepository.com/artifact/io.serverlessworkflow/serverlessworkflow-api/4.0.4.Final
It seems we have to upgrade the org.json dependency version to [20231013] to incorporate the fix as per https://mvnrepository.com/artifact/org.json/json releases.

Thought of starting a thread here so that it gets highlighted and addressed. Not really sure on the process, so curious to ask whether it'll be patched in the same version i.e 4.0.4.Final ?

@ricardozanini
Copy link
Member Author

ricardozanini commented Oct 24, 2023
edited

@shahbaaz31here please see #273. Can you try that PR on your end? I'm on the verge of releasing it, so more checks would be great.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tsurdilo tsurdilo tsurdilo approved these changes

Assignees

@ricardozanini ricardozanini

Labels
security fix Security fix generated by WhiteSource
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@ricardozanini @shahbaaz31here @tsurdilo @manick02