
[security] Update 3rd party dependencies to get rid of all currently known CVE issues #507

Closed
rover886 opened this issue Apr 25, 2024 · 2 comments
Labels: dependencies, maintenance, Priority-Medium, security
Milestone: 8.9.0
Comments

rover886 (Contributor) commented Apr 25, 2024

Hijacking this issue as placeholder for security upgrade.

original text:

The smime-module has a dependency on utils-mail-smime, which in turn depends on bcjmail-jdk15to18 along with further transitive dependencies from Bouncy Castle.

From this comment of yours, @bbottema, I came to know that you are in the process of updating 3rd party dependencies, hence please consider the suggestion of using bcjmail-jdk18on instead of bcjmail-jdk15to18, as simple-java-mail is compatible with JDK 8+.

Also, the bc*-jdk15to18 JARs are designed to be compatible with JDK versions 1.5 through 1.8, whereas the bc*-jdk18on JARs are designed to be compatible with JDK 1.8 and later versions. So it makes sense, doesn't it? Even https://bouncycastle.org/latest_releases.html says the same.

Please ignore if you have already considered this :)
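For anyone consuming the smime-module before an upgraded release is available, the swap suggested above can also be applied in the consuming project's own build. The Maven fragment below is an added example, not taken from this issue or from simple-java-mail's own pom; it assumes the coordinates org.simplejavamail:smime-module and that the old Bouncy Castle artifacts arrive transitively via utils-mail-smime, as the comment describes, and the simplejavamail.version placeholder is a stand-in for whatever version you actually use. It drops the whole jdk15to18 lineage from that dependency and declares bcjmail-jdk18on 1.78.1 in its place. The jdk18on jars expose the same org.bouncycastle packages, so no source changes are needed, but the two lineages must not coexist on the classpath: otherwise you get duplicate classes and whichever jar the class loader finds first silently wins.

```xml
<!-- Added example (not the project's pom): replace the transitive
     bcjmail-jdk15to18 lineage with bcjmail-jdk18on in a consumer build.
     The org.simplejavamail coordinates and the simplejavamail.version
     placeholder are assumptions; check Maven Central for your version. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>mail-consumer</artifactId>
  <version>1.0.0</version>

  <properties>
    <!-- one property so bcjmail/bcpkix/bcutil/bcprov can never drift apart -->
    <bouncycastle.version>1.78.1</bouncycastle.version>
    <simplejavamail.version>USE_YOUR_VERSION</simplejavamail.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- Pin every jdk18on artifact; Bouncy Castle ships them as a set
           and mixing versions within the set breaks at runtime. -->
      <dependency>
        <groupId>org.bouncycastle</groupId>
        <artifactId>bcprov-jdk18on</artifactId>
        <version>${bouncycastle.version}</version>
      </dependency>
      <dependency>
        <groupId>org.bouncycastle</groupId>
        <artifactId>bcutil-jdk18on</artifactId>
        <version>${bouncycastle.version}</version>
      </dependency>
      <dependency>
        <groupId>org.bouncycastle</groupId>
        <artifactId>bcpkix-jdk18on</artifactId>
        <version>${bouncycastle.version}</version>
      </dependency>
      <dependency>
        <groupId>org.bouncycastle</groupId>
        <artifactId>bcjmail-jdk18on</artifactId>
        <version>${bouncycastle.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>org.simplejavamail</groupId>
      <artifactId>smime-module</artifactId>
      <version>${simplejavamail.version}</version>
      <exclusions>
        <!-- Wildcard exclusion (Maven 3.2.1+) removes bcjmail-jdk15to18 and
             every bc*-jdk15to18 jar it pulls in, wherever in the subtree
             they are declared. -->
        <exclusion>
          <groupId>org.bouncycastle</groupId>
          <artifactId>*</artifactId>
        </exclusion>
      </exclusions>
    </dependency>

    <!-- Re-add the JDK 8+ lineage explicitly. The version comes from
         dependencyManagement; bcpkix/bcutil/bcprov-jdk18on follow transitively. -->
    <dependency>
      <groupId>org.bouncycastle</groupId>
      <artifactId>bcjmail-jdk18on</artifactId>
    </dependency>
  </dependencies>
</project>
```

After the change, `mvn dependency:tree -Dincludes=org.bouncycastle` should list only -jdk18on artifacts, all at 1.78.1; any remaining -jdk15to18 entry means another dependency in the build is still pulling in the old lineage and needs the same exclusion.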

@bbottema bbottema reopened this Apr 26, 2024
@bbottema bbottema changed the title Not an issue but a suggestion - Use bcjmail-jdk18on instead of bcjmail-jdk15to18 [security] Update 3rd party dependencies to get rid of all currently known CVE issues Apr 26, 2024
Repository owner deleted a comment from rover886 Apr 26, 2024
bbottema (Owner) commented Apr 26, 2024

Changes:

Dependencies:

  • Spring 5.3.27 -> 5.3.34
  • Spring Boot 2.5.15 -> 2.7.18
  • commons-io 2.7 -> 2.11.0
  • utils-mail-smime 2.3.1 -> 2.3.3
    • org.bouncycastle:bcjmail-jdk15to18 1.75 -> org.bouncycastle:bcjmail-jdk18on 1.78.1
  • ical4j 2.2.4 -> ical4j-vcard 2.0.0-beta2

Other:

  • JUnit 4 -> JUnit 5 (including Mockito, AssertJ and got rid of PowerMock)
  • maven-surefire-plugin 2.19.1 -> 3.2.5

@bbottema bbottema added this to the 8.9.0 milestone Apr 26, 2024
bbottema (Owner) commented

v8.9.0 was released to Maven Central!
