| Summary: | Virgo downloads include a vulnerable version of Spring | | |
|---|---|---|---|
| Product: | [RT] Virgo | Reporter: | Wayne Beaton <wayne.beaton> |
| Component: | unknown | Assignee: | Florian Waibel <fwaibel> |
| Status: | ASSIGNED | QA Contact: | |
| Severity: | normal | | |
| Priority: | P3 | CC: | fwaibel, joel.traber, security |
| Version: | unspecified | Keywords: | security |
| Target Milestone: | 3.7.0.RELEASE | | |
| Hardware: | PC | | |
| OS: | Linux | | |
| Whiteboard: | | | |
Description

Wayne Beaton
2017-01-10 13:21:49 EST

Yes, it is possible to update the Spring version. Currently it is up to the user to do so. The instructions are provided here: https://wiki.eclipse.org/Virgo/FAQ#How_can_I_change_the_version_of_Spring_framework_in_the_user_region.3F

Yes, we plan to release a new version of Virgo with the latest Spring version. I'll raise this specific topic in today's community meeting, which is announced here: http://dev.eclipse.org/mhonarc/lists/virgo-dev/msg01749.html and already has some release-related topics scheduled. We currently plan to release the next version (3.7) at the end of February. Due to our limited resources we are currently focussing on finally getting this release out of the door instead of updating libraries in the 3.6 stream.

We started with the update of the Spring Framework: https://bugs.eclipse.org/bugs/show_bug.cgi?id=510305

Although we delivered the latest milestone with Spring Framework 4.2.9.RELEASE, I do not resolve this issue but move it to the release milestone. Once the 3.7.0 release is available from the download section I think we can resolve this issue.

What is the status of this? FYI, vulnerability handling is now documented in the handbook. https://www.eclipse.org/projects/handbook/#vulnerability

Thanks for the heads-up. Currently we have two releases on our Download site: 3.7.2 and 3.6.4. The 3.7.2 release contains a newer version of Spring Framework (4.3.9.RELEASE). At the time of writing the 4.3.x stream of the Spring Framework has reached version 4.3.24.RELEASE. We'll try to prepare a maintenance 3.7.3 with updated Spring Framework libraries while working on 3.8, which will contain Spring Framework 5.0.x or later.

Regards, florian