[ https://issues.apache.org/jira/browse/GUACAMOLE-1768?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17711134#comment-17711134 ]
Mike Jumper commented on GUACAMOLE-1768: ---------------------------------------- [~kintaroju], if you have specific concerns, including anything noted above, please contact us privately via the secur...@guacamole.apache.org list. The public JIRA is not the place for security questions. See: https://guacamole.apache.org/security/ As for dependency updates: * Updates to webapp or extension dependencies are made through changes to the relevant {{pom.xml}} as part of a release. We routinely update dependencies to their latest compatible versions as part of each release cycle. Except in exceptional circumstances, we rely on third-party libraries to update their own transitive dependencies through their own release processes rather than override them ourselves and risk breakage. * Updates to system libraries and dependencies are made via the user's OS. In the case of the Docker images, there is a nightly rebuild process to pull in any updates from the base images. The latest webapp dependency update was GUACAMOLE-1763 for the 1.5.1 release that is currently underway. > Docker - Guacamole Vulnerability Updates > ---------------------------------------- > > Key: GUACAMOLE-1768 > URL: https://issues.apache.org/jira/browse/GUACAMOLE-1768 > Project: Guacamole > Issue Type: Improvement > Components: guacamole, guacd-docker > Affects Versions: 1.5.0 > Reporter: Jonathan Kwan > Priority: Major > > Hi, > > I was doing a synk vulnerability scan with "docker scan" to see what > vulnerabilities were in the docker image. I saw the below, and was inquiring > how the docker components get updated from a vulnerability perspective? > > Issues to fix by upgrading: > Upgrade com.fasterxml.woodstox:woodstox-core@5.2.1 to > com.fasterxml.woodstox:woodstox-core@5.4.0 to fix > ✗ Denial of Service (DoS) [Medium > Severity][https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLWOODSTOX-3091135] > in com.fasterxml.woodstox:woodstox-core@5.2.1 > introduced by com.fasterxml.woodstox:woodstox-core@5.2.1 > ✗ XML External Entity (XXE) Injection [Critical > Severity][https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLWOODSTOX-2928754] > in com.fasterxml.woodstox:woodstox-core@5.2.1 > introduced by com.fasterxml.woodstox:woodstox-core@5.2.1 > > The above is from the latest guacamole docker image. For guacd, there wasn't > anything shown at the moment. > > -- This message was sent by Atlassian Jira (v8.20.10#820010)