
Upgrade to Commons Compress 1.25.0 #39148

Closed
MohammadIqbalAD opened this issue Jan 16, 2024 · 4 comments
Labels: status: declined (A suggestion or change that we don't feel we should currently apply); type: task (A general task)

Comments

@MohammadIqbalAD

No description provided.

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Jan 16, 2024
@wilkinsona
Member

What are you looking for here? Spring Boot doesn't manage the version of Commons Compress used by an application so it's not clear why you've made this request. We do manage the version of Commons Compress for use by our build plugins but its usage there is not vulnerable to CVE-2023-42503 as it isn't exposed to untrusted tar input.

@wilkinsona wilkinsona added the status: waiting-for-feedback We need additional information before we can continue label Jan 16, 2024
@MohammadIqbalAD
Author

Thanks for the quick reply.

This CVE was raised by Dependabot and Spring Boot was identified as having the affected Commons Compress version. This ticket was created using a similar format to previous requests for Commons Compress version updates, with the additional reference to the CVE.

Your confirmation of its innocuousness in this context means we'll just ignore the warning :).
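
The distinction wilkinsona draws above (a version pinned for Spring Boot's build plugins versus a version on the application's own classpath) is what decides whether a Dependabot alert like this one matters. The script below is an added example, not code from the Spring Boot project or this thread: it parses the text that `./gradlew buildEnvironment`, `./gradlew dependencies --configuration runtimeClasspath` and `mvn dependency:tree` print, finds every occurrence of a given artifact, and reports the resolved version per Gradle configuration or Maven scope, so a hit on the plugin `classpath` can be told apart from one on `runtimeClasspath` or `compile`. The sample trees are constructed for the example, not captured from a real build, and the 1.24.0 threshold is an assumption taken from the version this issue originally requested.

```python
"""Triage a dependency alert against the trees the build actually resolves.

Added example, not Spring Boot project code.  Parses Gradle and Maven
dependency-tree output and reports where a given artifact appears and at
which resolved version.
"""
import re
from dataclasses import dataclass

# Assumed threshold: the version this issue originally asked for.
MIN_VERSION = "1.24.0"
MAVEN_SCOPES = {"compile", "runtime", "test", "provided", "system", "import"}

# Tree glyphs: Gradle "+--- ", "\--- ", "|    "; Maven "[INFO] +- ", "[INFO] |  ".
_GLYPHS = re.compile(r"^(?:\[INFO\]\s*)?[|+\\\s-]*")
# group:artifact followed by Gradle ":version" or Maven ":type:version:scope".
_COORD = re.compile(r"^([A-Za-z0-9_.\-]+):([A-Za-z0-9_.\-]+)((?::[^\s()]+)*)")
# Gradle conflict/constraint resolution: "...:1.23.0 -> 1.25.0".
_ARROW = re.compile(r"->\s*([^\s()]+)")
# Gradle configuration header: "classpath" or "runtimeClasspath - Runtime ...".
_SECTION = re.compile(r"^([A-Za-z]\w*)(?:\s+-\s.*)?$")


@dataclass
class Hit:
    section: str        # Gradle configuration or Maven scope
    group: str
    artifact: str
    version: str        # version actually resolved on that line
    below_minimum: bool


def _ver_key(version):
    """Numeric comparison key so that 1.9 < 1.19 < 1.24.0 (pads to 4 parts)."""
    nums = [int(n) for n in re.findall(r"\d+", version)]
    return tuple(nums + [0] * (4 - len(nums)))


def _resolved_version(rest, body):
    """Prefer the right-hand side of a Gradle '->', else the first numeric part."""
    arrow = _ARROW.search(body)
    if arrow:
        return arrow.group(1)
    for part in rest.split(":"):
        if part and part[0].isdigit():
            return part
    return None


def find_artifact(tree_text, group, artifact, minimum=MIN_VERSION):
    """Return one Hit per line on which group:artifact is resolved."""
    hits, section = [], "<unknown>"
    for raw in tree_text.splitlines():
        header = _SECTION.match(raw)
        if header:
            section = header.group(1)
            continue
        body = _GLYPHS.sub("", raw).strip()
        m = _COORD.match(body)
        if not m or (m.group(1), m.group(2)) != (group, artifact):
            continue
        version = _resolved_version(m.group(3), body)
        if version is None:
            continue
        parts = m.group(3).strip(":").split(":")
        scope = parts[-1] if parts and parts[-1] in MAVEN_SCOPES else section
        hits.append(Hit(scope, group, artifact, version,
                        _ver_key(version) < _ver_key(minimum)))
    return hits


# Constructed sample output (not a real build): plugin classpath pins an old
# version, the application's runtime classpath resolves a constraint upward.
SAMPLE_GRADLE = r"""
> Task :buildEnvironment

classpath
+--- org.springframework.boot:org.springframework.boot.gradle.plugin:3.1.8
|    \--- org.springframework.boot:spring-boot-gradle-plugin:3.1.8
|         \--- org.springframework.boot:spring-boot-buildpack-platform:3.1.8
|              \--- org.apache.commons:commons-compress:1.19

> Task :dependencies

runtimeClasspath - Runtime classpath of source set 'main'.
+--- org.springframework.boot:spring-boot-starter-web:3.1.8
|    \--- org.springframework.boot:spring-boot-starter:3.1.8 (*)
\--- org.apache.commons:commons-compress:1.23.0 -> 1.25.0
"""

# Constructed Maven sample: the artifact really is on the compile classpath.
SAMPLE_MAVEN = r"""
[INFO] --- dependency:3.6.1:tree (default-cli) @ demo ---
[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-starter:jar:3.1.8:compile
[INFO] |  \- org.springframework.boot:spring-boot:jar:3.1.8:compile
[INFO] \- org.apache.commons:commons-compress:jar:1.23.0:compile
"""

if __name__ == "__main__":
    for label, tree in (("gradle", SAMPLE_GRADLE), ("maven", SAMPLE_MAVEN)):
        for h in find_artifact(tree, "org.apache.commons", "commons-compress"):
            flag = "NEEDS ACTION" if h.below_minimum else "ok"
            print(f"{label}: {h.section}: {h.version} {flag}")
```

Only the section tells you what to do with a hit: a `classpath` (plugin) hit is the case wilkinsona describes, where the library never sees the application's untrusted input, while a `compile` or `runtimeClasspath` hit means the application itself resolves the version and needs its own constraint or dependency bump.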

@spring-projects-issues spring-projects-issues added status: feedback-provided Feedback has been provided and removed status: waiting-for-feedback We need additional information before we can continue labels Jan 18, 2024
@wilkinsona wilkinsona changed the title CVE-2023-42503 - Upgrade to Commons Compress 1.24.0 Upgrade to Commons Compress 1.24.0 Jan 18, 2024
@wilkinsona wilkinsona added this to the 3.1.x milestone Jan 18, 2024
@wilkinsona wilkinsona added type: task A general task and removed status: waiting-for-triage An issue we've not yet triaged status: feedback-provided Feedback has been provided labels Jan 18, 2024
darkmastermindz added a commit to darkmastermindz/spring-boot that referenced this issue Jan 26, 2024
@wilkinsona wilkinsona changed the title Upgrade to Commons Compress 1.24.0 Upgrade to Commons Compress 1.25.0 Jan 30, 2024
@wilkinsona wilkinsona self-assigned this Jan 30, 2024
@wilkinsona
Member

spring-boot-buildpack-platform has a hardcoded version (1.19). We'll need to investigate if that's still needed and, ideally, remove it.

@wilkinsona wilkinsona modified the milestones: 3.1.x, 3.1.9 Jan 30, 2024
@wilkinsona wilkinsona added the for: team-meeting An issue we'd like to discuss as a team to make progress label Jan 31, 2024
@wilkinsona
Member

wilkinsona commented Jan 31, 2024

We're going to revert this change in 3.1.x and 3.2.x as it's not as internal as we'd hoped. For example, @onobc had to modify his build to accommodate the upgrade due to a version clash with an Artifactory-related dependency in the project's buildSrc.

@wilkinsona wilkinsona removed the for: team-meeting An issue we'd like to discuss as a team to make progress label Jan 31, 2024
@wilkinsona wilkinsona removed this from the 3.1.9 milestone Jan 31, 2024
@wilkinsona wilkinsona added the status: declined A suggestion or change that we don't feel we should currently apply label Jan 31, 2024
wilkinsona added a commit that referenced this issue Jan 31, 2024