Update to oauth2-oidc-sdk 9.43.5 #16582
Closed
jgrandja opened this issue Feb 12, 2025 · 4 comments
Labels: type: dependency-upgrade (A dependency upgrade)

Comments

jgrandja (Contributor) opened the issue:

Update to oauth2-oidc-sdk 9.43.5

gaussianrecurrence commented Feb 12, 2025

Hi,

I am experiencing the issue described in #16579. For now, setting the json-smart version to 2.5.2 does the trick, but I was wondering if this commit is going to be ported to older versions like 5.8.x, or is it only going to be available for 6.4.x?

Thanks!

jgrandja (Contributor, Author) commented

@gaussianrecurrence

Yes, the oauth2-oidc-sdk dependency will be updated in 5.8.x and all other commercially supported branches.

See the support page for a list of OSS vs. Enterprise support.

Nephery commented Feb 13, 2025

Hi @jgrandja, I think you might want to upgrade to 9.43.6 instead of 9.43.5. According to their issue and the json-smart 2.5.2 release notes, it looks like 9.43.5 is still vulnerable to CVE-2024-57699.

sjohnr (Contributor) commented Feb 14, 2025

@Nephery thanks. This is handled normally with dependabot these days, and it looks like the upgrade already happened in time for the upcoming release.

Tejas-Teju pushed a commit to Tejas-Teju/spring-security that referenced this issue Feb 14, 2025