[ https://issues.apache.org/jira/browse/RANGER-3691?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17519673#comment-17519673 ]

Ramesh Mani commented on RANGER-3691:
-------------------------------------

[~kirbyzhou] since this CVE [https://tanzu.vmware.com/security/cve-2022-22965|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965] doesn't affect Ranger, as Ranger doesn't use Spring MVC or Spring WebFlux, and for the betterment of this we can do an Apache Ranger 2.3 release where many bug fixes are done on top of the 2.2 release. We don't do twice the effort to release this minor version just to upgrade the Spring version. Let me know your opinion.

> Upgrade spring to 5.3.18 CVE-2022-22965
> ---------------------------------------
>
> Key: RANGER-3691
> URL: https://issues.apache.org/jira/browse/RANGER-3691
> Project: Ranger
> Issue Type: Bug
> Components: admin, kms
> Reporter: kirby zhou
> Assignee: kirby zhou
> Priority: Blocker
> Fix For: 3.0.0
>
>
> [https://tanzu.vmware.com/security/cve-2022-22965|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965]
> [https://github.com/spring-projects/spring-framework/releases]
>
> Spring has a new 0day Remote-Code-Execution problem, related to spring-beans
> and JDK9+
> Fixed at spring 5.3.18 / 5.2.20

--
This message was sent by Atlassian Jira
(v8.20.1#820001)
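The practical question behind this thread is which Spring artifacts a build actually pulls in and whether they sit below the fix versions the issue names (5.3.18 on the 5.3 line, 5.2.20 on the 5.2 line). The following is an added example, not code from the Jira thread or from the Ranger project: it parses the text output of `mvn dependency:tree` (the sample tree below is constructed) and lists `org.springframework` artifacts whose version is below the fix for their line. Lines other than 5.2 and 5.3 are an assumption on my part: the issue names no fix for them, so anything below 5.2.20 is treated as unpatched and anything newer as past the fix. As the comment notes, a flagged version is an inventory finding, not an exploitability verdict; exposure still depends on whether Spring MVC or WebFlux is in use.

```python
"""Flag Spring Framework artifacts below the fix versions named in RANGER-3691.

Added example, not part of the Jira thread or the Ranger code base. Input is
the text output of `mvn dependency:tree`; the sample below is constructed.
"""
import re
from typing import Dict, List, Tuple

# Fix versions per minor line, as stated in the issue: 5.3.18 / 5.2.20.
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (5, 3): (5, 3, 18),
    (5, 2): (5, 2, 20),
}

# Matches the `groupId:artifactId:packaging[:classifier]:version[:scope]`
# coordinate that mvn dependency:tree prints after the tree-drawing prefix.
# The version must start with a digit so a classifier is never mistaken for it.
COORD_RE = re.compile(
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<type>[\w\-]+)"
    r"(?::(?P<classifier>[\w\-]+))?:(?P<version>\d[\w.\-]*)(?::(?P<scope>\w+))?$"
)

# Constructed sample: one artifact already on the fixed version, two below it,
# one from a different Spring project (different groupId), one unrelated.
SAMPLE_TREE = r"""
[INFO] com.example:app:jar:1.0.0
[INFO] +- org.springframework:spring-beans:jar:5.3.17:compile
[INFO] |  \- org.springframework:spring-core:jar:5.3.17:compile
[INFO] +- org.springframework:spring-context:jar:5.3.18:compile
[INFO] +- org.springframework.security:spring-security-core:jar:5.6.2:compile
[INFO] \- com.fasterxml.jackson.core:jackson-databind:jar:2.13.2:compile
"""


def parse_tree(text: str) -> List[dict]:
    """Extract every Maven coordinate from dependency:tree output."""
    deps = []
    for line in text.splitlines():
        m = COORD_RE.search(line.rstrip())
        if m:
            deps.append(m.groupdict())
    return deps


def version_tuple(version: str) -> Tuple[int, int, int]:
    """Reduce a version string such as 5.3.18 or 4.3.30.RELEASE to (major, minor, patch)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_below_fix(version: str) -> bool:
    """True if a Spring Framework version is older than the fix for its minor line."""
    v = version_tuple(version)
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None:
        # Assumption: the issue names fixes only for 5.2 and 5.3, so treat any
        # older line as unpatched and any newer line as past the fix.
        return v < (5, 2, 20)
    return v < fixed


def find_vulnerable_spring(text: str) -> List[Tuple[str, str]]:
    """Return (artifact, version) for org.springframework deps below the fix version."""
    findings = []
    for dep in parse_tree(text):
        if dep["group"] == "org.springframework" and is_below_fix(dep["version"]):
            findings.append((dep["artifact"], dep["version"]))
    return findings


if __name__ == "__main__":
    for artifact, version in find_vulnerable_spring(SAMPLE_TREE):
        print(f"{artifact} {version} is below the fix version for its line")
```

Run it against a real tree with `mvn dependency:tree > tree.txt` and feed the file contents to `find_vulnerable_spring`; the `groupId` filter deliberately excludes `org.springframework.security` and other Spring projects, which carry their own version lines and are not what the issue's fix versions refer to.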