Hi, Roman.
Vulnerable Spring Boot is used in Ignite extensions. AI 2.13 releases
ignite-parent that will be used for extensions to share versions. I
will cherry-pick the patch.
Thank you.
On Mon, 18 Apr 2022 at 15:00, Roman Puchkovskiy wrote:
>
> Hi Igniters.
>
> A fix for CVE-2022-22965 [1]
Hi Igniters.
A fix for CVE-2022-22965 [1] vulnerability was merged to master branch
recently, Jira issue is [2].
I'm not sure whether this is a blocker, but the vulnerability seems to
be pretty bad.
Should it be cherry-picked to release 2.13?
[1] -
Hello Roman,
+1 to your suggestion.
If you need any help with a review, please let me know.
On Mon, 18 Apr 2022 at 13:17, Roman Puchkovskiy wrote:
>
> Hi guys.
>
> This thread has been hanging for quite some time (no pun intended).
> While it was hanging, CVE-2022-22965 [1] was discovered which
Hi guys.
This thread has been hanging for quite some time (no pun intended).
While it was hanging, CVE-2022-22965 [1] was discovered which makes it
extremely dangerous to have vulnerable versions of Spring as
dependencies.
As discussed, ignite-extensions has 3 versions of spring-data