[jira] [Commented] (GUACAMOLE-1768) Docker - Guacamole Vulnerability Updates

Tue, 11 Apr 2023 15:34:10 -0700 


    [ 
https://issues.apache.org/jira/browse/GUACAMOLE-1768?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17711134#comment-17711134
 ] 

Mike Jumper commented on GUACAMOLE-1768:
----------------------------------------

[~kintaroju], if you have specific concerns, including anything noted above, 
please contact us privately via the secur...@guacamole.apache.org list. The 
public JIRA is not the place for security questions.

See: https://guacamole.apache.org/security/

As for dependency updates:

* Updates to webapp or extension dependencies are made through changes to the 
relevant {{pom.xml}} as part of a release. We routinely update dependencies to 
their latest compatible versions as part of each release cycle. Except in 
exceptional circumstances, we rely on third-party libraries to update their own 
transitive dependencies through their own release processes rather than 
override them ourselves and risk breakage.
* Updates to system libraries and dependencies are made via the user's OS. In 
the case of the Docker images, there is a nightly rebuild process to pull in 
any updates from the base images.

The latest webapp dependency update was GUACAMOLE-1763 for the 1.5.1 release 
that is currently underway.

> Docker - Guacamole Vulnerability Updates
> ----------------------------------------
>
>                 Key: GUACAMOLE-1768
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-1768
>             Project: Guacamole
>          Issue Type: Improvement
>          Components: guacamole, guacd-docker
>    Affects Versions: 1.5.0
>            Reporter: Jonathan Kwan
>            Priority: Major
>
> Hi,
>  
> I was doing a synk vulnerability scan with "docker scan" to see what 
> vulnerabilities were in the docker image. I saw the below, and was inquiring 
> how the docker components get updated from a vulnerability perspective?
>  
> Issues to fix by upgrading:
>   Upgrade com.fasterxml.woodstox:woodstox-core@5.2.1 to 
> com.fasterxml.woodstox:woodstox-core@5.4.0 to fix
>   ✗ Denial of Service (DoS) [Medium 
> Severity][https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLWOODSTOX-3091135]
>  in com.fasterxml.woodstox:woodstox-core@5.2.1
>     introduced by com.fasterxml.woodstox:woodstox-core@5.2.1
>   ✗ XML External Entity (XXE) Injection [Critical 
> Severity][https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLWOODSTOX-2928754]
>  in com.fasterxml.woodstox:woodstox-core@5.2.1
>     introduced by com.fasterxml.woodstox:woodstox-core@5.2.1
>  
> The above is from the latest guacamole docker image. For guacd, there wasn't 
> anything shown at the moment.
>  
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to