Bug 510211 - Virgo downloads include a vulnerable version of Spring
Summary: Virgo downloads include a vulnerable version of Spring
Status: ASSIGNED
Alias: None
Product: Virgo
Classification: RT
Component: unknown
Version: unspecified
Hardware: PC Linux
Importance: P3 normal
Target Milestone: 3.7.0.RELEASE
Assignee: Florian Waibel CLA
QA Contact:
URL:
Whiteboard:
Keywords: security
Depends on:
Blocks:
 
Reported: 2017-01-10 13:21 EST by Wayne Beaton CLA
Modified: 2020-01-20 10:05 EST (History)
3 users

See Also:


Attachments

Description Wayne Beaton CLA 2017-01-10 13:21:49 EST
Received via the EMO inbox

--
The latest Virgo version which is available on your Official Download link is 3.6.4. This version is using an older version of Spring (3.1.0, Ref 1, 2) which is vulnerable.

We could see the latest minor Virgo version available on your website is 3.7.0, which is not yet available on your official download link. 3.7.0 is using Spring 4.2.4 (vulnerable). The latest version of Spring in the 4.2.x series is 4.2.9.


Can you please let us know if it is possible to update the Spring version in the older version of Virgo i.e. 3.6.4?


Do you have any plans to release a new version of Virgo with the latest Spring version? If yes, then can you please provide some more details around the expected timeline and the version?

[1] http://www.eclipse.org/virgo/download/release-notes/3.6.4.RELEASE.php
[2] http://wiki.eclipse.org/Virgo/Future#Release_Branding
--
Comment 1 Florian Waibel CLA 2017-01-11 04:02:20 EST
Yes, it is possible to update the Spring version. Currently it is up to the user to do so. The instructions are provided here: https://wiki.eclipse.org/Virgo/FAQ#How_can_I_change_the_version_of_Spring_framework_in_the_user_region.3F

Yes, we plan to release a new version of Virgo with the latest Spring version.

I'll raise this specific topic in our today's community meeting, which is announced here: http://dev.eclipse.org/mhonarc/lists/virgo-dev/msg01749.html and already has some release related topics scheduled.

We currently plan to release the next version (3.7) end of February.

Due to our limited resources we are currently focussing on finally getting this release out of the door instead of updating libraries in the 3.6 stream.
Comment 2 Florian Waibel CLA 2017-01-19 07:36:48 EST
We started with the update of the Spring Framework:
https://bugs.eclipse.org/bugs/show_bug.cgi?id=510305
Comment 3 Florian Waibel CLA 2017-02-04 06:43:03 EST
Although we delivered the latest milestone with Spring Framework 4.2.9.RELEASE, I am not resolving this issue but moving it to the release milestone.
Once the 3.7.0 release is available from the download section, I think we can resolve this issue.
Comment 4 Wayne Beaton CLA 2019-05-14 14:08:43 EDT
What is the status of this?

FYI, vulnerability handling is now documented in the handbook.

https://www.eclipse.org/projects/handbook/#vulnerability
Comment 5 Florian Waibel CLA 2019-05-15 00:53:26 EDT
Thanks for the heads-up.

Currently we have two releases on our Download site:

3.7.2 and 3.6.4

The 3.7.2 release contains a newer version of Spring Framework (4.3.9.RELEASE).

At the time of writing the 4.3.x stream of the Spring Framework has reached version 4.3.24.RELEASE.

We'll try to prepare a maintenance 3.7.3 with updated Spring Framework libraries while working on 3.8 which will contain Spring Framework 5.0.x or later.

Regards,
  florian
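The thread above turns on one question: which Spring Framework jars does a given Virgo distribution actually ship, and are they older than the patched versions named here (4.2.9 for the 4.2.x stream, 4.3.24 for the 4.3.x stream)? The following script is an added example, not part of this bug report or of the Virgo project, that answers that question for a directory listing. It assumes Spring bundles are named in the `org.springframework.<module>-<major>.<minor>.<patch>.RELEASE.jar` style; the listing it scans is constructed for the example, and the version floors are the ones stated in the comments above.

```python
import re

# Minimum patched versions per Spring stream, as stated in this bug:
# 4.2.9 for 4.2.x (description), 4.3.24 for 4.3.x (comment 5).
MIN_PATCHED = {(4, 2): (4, 2, 9), (4, 3): (4, 3, 24)}

# Constructed listing of a bundle directory; file names are assumed,
# not taken from a real Virgo distribution.
SAMPLE_LISTING = [
    "org.springframework.core-4.2.4.RELEASE.jar",
    "org.springframework.web-4.3.9.RELEASE.jar",
    "org.springframework.beans-4.3.24.RELEASE.jar",
    "org.eclipse.virgo.kernel.userregion-3.7.2.RELEASE.jar",
    "org.springframework.context-3.1.0.RELEASE.jar",
]

# Artifact id, then numeric version, then an optional qualifier such as RELEASE.
JAR_RE = re.compile(
    r"^(org\.springframework\.[\w.]+)-(\d+)\.(\d+)\.(\d+)(?:\.\w+)?\.jar$"
)


def parse_spring_jar(name):
    """Return (artifact, (major, minor, patch)) for a Spring jar, else None."""
    m = JAR_RE.match(name)
    if not m:
        return None
    return m.group(1), (int(m.group(2)), int(m.group(3)), int(m.group(4)))


def is_outdated(version):
    """True if the version is below the patched floor for its stream.

    A stream with no floor in the table (for example 3.1.x, which Virgo 3.6.4
    ships) is treated as unsupported and therefore flagged.
    """
    floor = MIN_PATCHED.get(version[:2])
    if floor is None:
        return True
    return version < floor


def audit(listing):
    """Return [(artifact, 'x.y.z'), ...] for every Spring jar needing an update."""
    findings = []
    for name in listing:
        parsed = parse_spring_jar(name)
        if parsed is None:
            continue  # not a Spring Framework bundle
        artifact, version = parsed
        if is_outdated(version):
            findings.append((artifact, ".".join(map(str, version))))
    return findings


if __name__ == "__main__":
    for artifact, version in audit(SAMPLE_LISTING):
        print(f"{artifact} {version} is below the patched floor for its stream")
```

Pointed at a real installation, replace `SAMPLE_LISTING` with `os.listdir()` of the directory that holds the user region's Spring bundles, and extend `MIN_PATCHED` whenever a new patch release supersedes the floors quoted here.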