Version 2016.3-CE Vulnerabilities


Version 2016.3-CE Vulnerabilities

kostaslois1
Hi
we are using Orbeon Version 2016.3-CE and the security scan detected the
following vulnerabilities:

bouncycastle : bcprov-jdk14 : 1.4
https://www.cvedetails.com/vulnerability-list/vendor_id-7637/Bouncycastle.html

commons-beanutils : commons-beanutils : 1.8.3
https://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-33761/Apache-Commons-Beanutils.html

commons-fileupload : commons-fileupload : 1.2.2
https://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-24746/version_id-143023/Apache-Commons-Fileupload-1.2.2.html

jgroups : jgroups-all : 2.2.6
https://www.cvedetails.com/vulnerability-list/vendor_id-12875/Jgroups.html

org.apache.httpcomponents : httpclient : 4.3.5
https://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-20943/Apache-Httpclient.html

org.apache.xmlgraphics : fop : 1.0
https://www.cvedetails.com/cve/CVE-2017-5661/

org.lucee : xml-xerces : 2.11.0
https://snyk.io/vuln/maven:xerces:xercesImpl

My questions:
1. I checked the latest version (2018.1-CE); only the version of the
commons-fileupload library has been changed. Are you planning to replace the
other libraries as well?
2. Is Orbeon affected by those vulnerabilities?

Thanks in advance,
Kostas

--
Sent from: http://discuss.orbeon.com/

--
You received this message because you are subscribed to the Google Groups "Orbeon Forms" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
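Kostas compared the jar versions of the two releases by hand. As an added example (not Orbeon's tooling and not code from the post), the Python script below inventories the WEB-INF/lib directory of two unpacked Orbeon Forms builds by jar file name, diffs the two inventories, and reports which of the coordinates flagged above are still at the scanned version. The flagged artifactIds and versions are taken from the post as written; the sample jar names are constructed, the post-upgrade commons-fileupload version 1.3.3 is an assumption (the post only says the version changed), and real jar names inside orbeon.war may differ from the scanner's coordinates (the Xerces jar is usually named xercesImpl), so adjust the FLAGGED table to what is actually on disk.

```python
"""Inventory WEB-INF/lib of two unpacked Orbeon Forms builds by jar file name,
diff them, and report which scanner-flagged jars changed between the builds.

Added example, not Orbeon's own tooling. The flagged coordinates are copied
from the forum post; the sample jar names below are constructed."""
import os
import re
import sys
import tempfile
from pathlib import Path

# artifactId -> version reported by the scan in the post (taken as written, not re-verified here)
FLAGGED = {
    "bcprov-jdk14": "1.4",
    "commons-beanutils": "1.8.3",
    "commons-fileupload": "1.2.2",
    "jgroups-all": "2.2.6",
    "httpclient": "4.3.5",
    "fop": "1.0",
    "xml-xerces": "2.11.0",
}

# "<artifactId>-<version>.jar". The artifactId may itself contain dashes
# (commons-fileupload, bcprov-jdk14), so the version is the first dash-separated
# component that starts with a digit.
JAR_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[\w.\-]*)\.jar$")

# Constructed sample input mirroring the post: every flagged jar present in
# 2016.3-CE and only commons-fileupload bumped in 2018.1-CE. The 1.3.3 target
# is an assumption; the post only says that the version changed.
SAMPLE_LIBS = {
    "2016.3-CE": [
        "bcprov-jdk14-1.4.jar", "commons-beanutils-1.8.3.jar",
        "commons-fileupload-1.2.2.jar", "jgroups-all-2.2.6.jar",
        "httpclient-4.3.5.jar", "fop-1.0.jar", "xml-xerces-2.11.0.jar",
        "some-unversioned.jar",  # no version in the name: skipped by the parser
    ],
    "2018.1-CE": [
        "bcprov-jdk14-1.4.jar", "commons-beanutils-1.8.3.jar",
        "commons-fileupload-1.3.3.jar", "jgroups-all-2.2.6.jar",
        "httpclient-4.3.5.jar", "fop-1.0.jar", "xml-xerces-2.11.0.jar",
        "some-unversioned.jar",
    ],
}


def parse_jar_name(name):
    """Return (artifactId, version) for a Maven-style jar name, or None."""
    m = JAR_RE.match(name)
    if not m:
        return None
    return m.group("artifact"), m.group("version")


def inventory(lib_dir):
    """Map artifactId -> version for every parseable jar directly under lib_dir."""
    inv = {}
    for entry in sorted(os.listdir(lib_dir)):
        parsed = parse_jar_name(entry)
        if parsed:
            inv[parsed[0]] = parsed[1]
    return inv


def diff_inventories(old, new):
    """artifactId -> (old_version, new_version) for every artifact that differs.
    None on one side means the jar is absent from that build."""
    changed = {}
    for artifact in sorted(set(old) | set(new)):
        if old.get(artifact) != new.get(artifact):
            changed[artifact] = (old.get(artifact), new.get(artifact))
    return changed


def flagged_report(old, new, flagged=FLAGGED):
    """For each flagged artifactId: 'absent' (not in the new build),
    'unchanged' (same version in both builds) or 'changed'."""
    report = {}
    for artifact in flagged:
        ov, nv = old.get(artifact), new.get(artifact)
        if nv is None:
            report[artifact] = "absent"
        elif ov == nv:
            report[artifact] = "unchanged"
        else:
            report[artifact] = "changed"
    return report


def build_sample_tree(root):
    """Create the constructed sample WEB-INF/lib directories under root and
    return their paths as (old_dir, new_dir)."""
    dirs = []
    for build, jars in SAMPLE_LIBS.items():
        lib = Path(root) / build / "WEB-INF" / "lib"
        lib.mkdir(parents=True)
        for jar in jars:
            (lib / jar).write_bytes(b"")  # empty placeholder: only the name matters here
        dirs.append(str(lib))
    return dirs[0], dirs[1]


def run_sample():
    """Inventory the constructed sample tree; returns (old_inventory, new_inventory)."""
    old_dir, new_dir = build_sample_tree(tempfile.mkdtemp())
    return inventory(old_dir), inventory(new_dir)


if __name__ == "__main__":
    if len(sys.argv) == 3:  # two real WEB-INF/lib directories given on the command line
        old, new = inventory(sys.argv[1]), inventory(sys.argv[2])
    else:
        old, new = run_sample()
    for artifact, (ov, nv) in diff_inventories(old, new).items():
        print(f"{artifact}: {ov} -> {nv}")
    for artifact, status in flagged_report(old, new).items():
        print(f"flagged {artifact} (scanned at {FLAGGED[artifact]}): {status}")
```

Run it with the WEB-INF/lib directories of two unpacked orbeon.war files as arguments; with no arguments it uses the constructed sample, where the only line in the diff is commons-fileupload and every other flagged jar reports "unchanged", which is what the post describes for 2018.1-CE.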

Re: Version 2016.3-CE Vulnerabilities

Alessandro  Vernet
Administrator
Hi Kostas,

The answer to your second question is "most likely not", but it is often
simpler to just upgrade the libraries than to figure out exactly what the
vulnerability is, and why it can't be exploited the way the library is used.


We regularly upgrade libraries, so we'll review the CVEs you mentioned, and
upgrade the relevant libraries if necessary. We generally put those changes
in point releases for Orbeon Forms PE, but you'll most likely have to wait
for the 2019.1 release to get this in an official Orbeon Forms CE release.

-Alex

-----
--
Follow Orbeon on Twitter: @orbeon
Follow me on Twitter: @avernet

Re: Version 2016.3-CE Vulnerabilities

Erik Bruchez
Administrator
For reference, we have entered an issue to cover this:

    https://github.com/orbeon/orbeon-forms/issues/4033

-Erik
