feat: 修复第三方组件安全漏洞202412 #3326 #3386
Merged
+68
−33
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
micrometer-registry-prometheus与springboot不兼容
测试用例不通过,升级snakeyaml,Constructor构造方法不兼容
postProcessRelease报错
jsonwan
reviewed
Jan 20, 2025
src/backend/build.gradle
Outdated
| // Fix CVE-2023-44487 | ||
| set('tomcat.version', "9.0.90") | ||
| // Fix CVE-2023-44487, CVE-2024-52316 | ||
| set('tomcat.version', "9.0.96") |
There was a problem hiding this comment.
xx.xx变量是Spring Boot内置的版本号变量,已添加注释
jsonwan
reviewed
Jan 20, 2025
src/backend/build.gradle
Outdated
| // Fix CVE-2023-44981,CVE-2024-23944 3.7.1->3.8.4 | ||
| set('zookeeperVersion', "3.8.4") | ||
| // Fix CVE-2022-41854 CVE-2022-38752 CVE-2022-38751 CVE-2022-38749 CVE-2022-25857 CVE-2022-1471 1.29->1.33 | ||
| set('snakeyaml.version', "2.0") |
There was a problem hiding this comment.
xx.xx变量是Spring Boot内置的版本号变量,已添加注释
jsonwan
reviewed
Jan 20, 2025
| // Fix CVE-2023-4759 5.13.1.202206130422-r->6.6.1.202309021850-r | ||
| set('jgitVersion', "6.6.1.202309021850-r") | ||
| // Fix CVE-2023-22102 8.0.33->8.2.0 | ||
| set('mysql.version', "8.2.0") |
There was a problem hiding this comment.
xx.xx变量是Spring Boot内置的版本号变量,已添加注释
jsonwan
approved these changes
Jan 20, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
CVE-2023-44981: zookeep:3.7.1升级到3.8.4
CVE-2023-20873: springboot:2.6.13升级到2.7.11
CVE-2022-1471:snakeyaml:1.29升到2.0(依赖spring-boot版本2.7.10+或3.x)
CVE-2023-3635:okio:2.8.0升到3.4.0
CVE-2023-34062:reactor-netty-http:1.0.24升到1.0.39(同步升级reactor-netty-core)
CVE-2023-44487: netty-codec-http2:4.1.84.Final升到4.1.100.Final
CVE-2021-0341:okhttp:4.9.1升到4.9.2
CVE-2023-46120:amqp-client:5.13.1升到5.18.0
CVE-2021-29425:commons-io:2.6升到2.14.0
CVE-2023-2976:guava:28.2-jre升到32.0.0-android
CVE-2023-4759:jgit:5.13.1.202206130422-r升到6.6.1.202309021850-r
CVE-2023-34054:reactor-netty-http:1.0.24-升到1.0.39
CVE-2024-22243:spring-web:5.3.23升到5.3.39
CVE-2022-25857:snakeyaml:1.29升到2.0(依赖spring-boot版本2.7.10+或3.x)
CVE-2023-46589:tomcat:9.0.90升到9.0.96
CVE-2023-6378:logback:1.2.11升到1.2.13
CVE-2023-22102: mysql-connector-j:8.0.33升到8.2.0
CVE-2019-10086:不用修复,commons-beanutils:1.9.4没漏洞
CVE-2019-17495:不用修复,springfox-swagger-ui:3.0.0没漏洞
CVE-2022-22965:不用修复,spring-webflux:5.3.23没漏洞
springboot2.7.x移除了mysql-connector-java依赖,使用mysql-connector-j
micrometer-registry-prometheus:1.5.1与springboot:2.7.11不兼容(PrometheusMeterRegistry构造方法增加了exemplarSamplerProvider参数,移除显式配置的依赖,https://github.com/spring-projects/spring-boot/blob/2.7.x/spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/metrics/export/prometheus/PrometheusMetricsExportAutoConfiguration.java)
CVE-2016-1000027: spring-web从5.x升级到6.x需要依赖jdk17,暂不升级,JOB没使用到该漏洞特性(漏洞详情:https://github.com/spring-projects/spring-framework/issues/24434#issuecomment-744519525)