[ https://issues.apache.org/jira/browse/TINKERPOP-2677?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ken Hu updated TINKERPOP-2677:
------------------------------
Fix Version/s: 3.7.0
> Upgrade to Groovy 3.x to fix XStream security vulnerability
> -----------------------------------------------------------
>
> Key: TINKERPOP-2677
> URL: https://issues.apache.org/jira/browse/TINKERPOP-2677
> Project: TinkerPop
> Issue Type: Bug
> Components: groovy
> Affects Versions: 3.6.0, 3.5.2
> Reporter: Divij Vaidya
> Priority: Major
> Fix For: 3.7.0
>
>
> XStream has a number of documented vulnerabilities, as specified in
> [https://x-stream.github.io/security.html], which are fixed in 1.4.18. Note
> that 1.4.18 is not backward compatible since it uses a new whitelisting
> approach for serialization.
> TinkerPop has a dependency on XStream via: [1]
> TinkerPop -> Groovy 2.5.x -> XStream 1.4.10
> However, the Groovy 2.5.x series does not consume the version of XStream (1.4.18)
> that contains the fixes for the vulnerabilities [2], but Groovy 3.x uses
> XStream 1.4.18, which has the fixes.
> Hence, either we convince the Groovy project to backport the vulnerability
> fixes to the 2.5.x series or we upgrade Groovy to 3.x for TinkerPop.
> IMO, upgrading TP to use Groovy 3.x might be much easier.
> [1] https://github.com/apache/tinkerpop/blob/master/pom.xml#L162
> [2] https://github.com/apache/groovy/blob/GROOVY_2_5_X/build.gradle#L165
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
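A quick way to confirm the transitive chain the issue describes, added here as an example and not part of the Jira issue or of the TinkerPop project: the script parses `mvn dependency:tree` output, walks the tree to reconstruct the path to each node, and flags any `com.thoughtworks.xstream:xstream` older than 1.4.18 together with the chain that pulls it in. The tree text below is a constructed sample in the format Maven prints, not TinkerPop's actual dependency tree, and the 1.4.18 threshold is taken from the XStream security page linked above.

```python
"""Flag a transitive XStream older than 1.4.18 in `mvn dependency:tree` output."""
import re
from typing import List, Tuple

# Constructed sample in `mvn dependency:tree` format (not the real TinkerPop
# tree); it mirrors the TinkerPop -> Groovy 2.5.x -> XStream 1.4.10 chain.
SAMPLE_TREE = """\
[INFO] org.apache.tinkerpop:gremlin-groovy:jar:3.6.0
[INFO] +- org.apache.tinkerpop:gremlin-core:jar:3.6.0:compile
[INFO] +- org.codehaus.groovy:groovy:jar:2.5.14:compile
[INFO] |  \\- com.thoughtworks.xstream:xstream:jar:1.4.10:compile
[INFO] |     \\- xmlpull:xmlpull:jar:1.1.3.1:compile
[INFO] \\- org.codehaus.groovy:groovy-json:jar:2.5.14:compile
"""

# First XStream release with the allowlist-based security model (per the
# XStream security page referenced in the issue).
FIXED_XSTREAM = (1, 4, 18)

# Maven draws each tree level with a 3-character prefix ("+- ", "|  ", "\- ").
LINE_RE = re.compile(r"^\[INFO\]\s*(?P<tree>[|+\\\- ]*)(?P<gav>\S+)$")


def parse_tree(text: str) -> List[Tuple[int, str, str, str]]:
    """Return (depth, group, artifact, version) for each node line."""
    nodes = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        depth = len(m.group("tree")) // 3
        parts = m.group("gav").split(":")
        # group:artifact:type[:classifier]:version[:scope]
        version = parts[4] if len(parts) == 6 else parts[3]
        nodes.append((depth, parts[0], parts[1], version))
    return nodes


def version_tuple(version: str) -> Tuple[int, ...]:
    """'1.4.10' -> (1, 4, 10); tuples compare numerically, unlike strings."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


def find_vulnerable_xstream(text: str, fixed=FIXED_XSTREAM) -> List[dict]:
    """Return every XStream node below `fixed` with the path that pulls it in."""
    findings = []
    path: List[str] = []
    for depth, group, artifact, version in parse_tree(text):
        del path[depth:]  # drop siblings' subtrees; keep ancestors only
        path.append(f"{group}:{artifact}:{version}")
        if (group, artifact) == ("com.thoughtworks.xstream", "xstream") \
                and version_tuple(version) < fixed:
            findings.append({"version": version, "path": " -> ".join(path)})
    return findings


if __name__ == "__main__":
    for finding in find_vulnerable_xstream(SAMPLE_TREE):
        print(f"XStream {finding['version']} < 1.4.18 via {finding['path']}")
```

Run it against real output with `mvn dependency:tree | python3 check_xstream.py` after swapping `SAMPLE_TREE` for `sys.stdin.read()`; the reported path is what tells you whether a direct version override in the pom would suffice or whether, as the issue argues, the parent (Groovy) itself has to move.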