
fix: CVE-2023-6481 and CVE-2023-3635 #87

Merged (4 commits) on Jan 15, 2024

Conversation

dvasunin (Contributor)

@dvasunin dvasunin commented Jan 5, 2024

CVE-2023-6481 and CVE-2023-3635 fix

Why:

  • A serialization vulnerability in the logback receiver component, part of logback versions 1.4.13, 1.3.13 and 1.2.12, allows an attacker to mount a denial-of-service attack by sending poisoned data. (https://avd.aquasec.com/nvd/2023/cve-2023-6481/)
  • Incorrect conversion between numeric types in com.squareup.okio:okio (CVE-2023-3635)

What:

  • The libraries were updated to the latest unaffected versions
  • IP was checked with dash-license-tool; no changes were detected

@dvasunin (Contributor, Author)

dvasunin commented Jan 5, 2024

@Wulghash @amoldashwant please review

@amoldashwant (Contributor)

Looks good to me

@Wulghash (Contributor)

Wulghash commented Jan 8, 2024

PR looks fine to me, all good

@dvasunin dvasunin assigned dvasunin and almadigabor and unassigned dvasunin Jan 8, 2024
@dvasunin (Contributor, Author)

dvasunin commented Jan 8, 2024

@almadigabor please approve and merge

…3-3635 in a transitive dependency by upgrading okio-jvm transitive library
@dvasunin dvasunin changed the title from "fix: CVE-2023-6481 in logback-core" to "fix: CVE-2023-6481 in logback-core; fix: CVE-2023-3635 in okio-jvm" Jan 11, 2024
@dvasunin dvasunin changed the title from "fix: CVE-2023-6481 in logback-core; fix: CVE-2023-3635 in okio-jvm" to "fix: CVE-2023-6481 and CVE-2023-3635" Jan 11, 2024
@SebastianBezold SebastianBezold (Contributor) left a comment

👍

@SebastianBezold SebastianBezold merged commit 6f303c2 into eclipse-tractusx:main Jan 15, 2024
2 checks passed
@SebastianBezold SebastianBezold deleted the CVE-2023-6481-fix branch January 15, 2024 12:16