
Commit 4c461c4

Address CVEs

- CVE-2024-6763: addressed by upgrading ring to 1.13.0, which upgraded jetty from 11.0.20 to 11.0.24
- CVE-2024-8184: suppressed, as it doesn't impact our usage of jetty
- CVE-2024-45772: suppressed, as it doesn't impact our usage of lucene
1 parent 4dc6451 commit 4c461c4

2 files changed (+23 -4 lines changed)

.nvd-suppressions.xml

Lines changed: 19 additions & 0 deletions
@@ -26,6 +26,7 @@
2626
<packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@.*$</packageUrl>
2727
<cve>CVE-2022-1471</cve>
2828
</suppress>
29+
2930
<suppress>
3031
<notes><![CDATA[
3132
This CVE only impacts programs using Clojure < 1.9.0, and gets reported for any jar
@@ -35,4 +36,22 @@
3536
<cve>CVE-2017-20189</cve>
3637
</suppress>
3738

39+
<suppress>
40+
<notes><![CDATA[
41+
This CVE only impacts usage of Jetty's HttpURI directly, and we don't use it. We can't
42+
upgrade to get rid of this CVE as it requires upgrading to Jetty 12, which ring does not
43+
yet support (we are are 11 currently).
44+
]]></notes>
45+
<cve>CVE-2024-6763</cve>
46+
</suppress>
47+
48+
<suppress>
49+
<notes><![CDATA[
50+
This CVE only impacts projects using http replication, which we don't do. We can't
51+
upgrade to get rid of this CVE without rebuilding our indexing code, as it requires
52+
upgrading to Lucene 9 (we are on 8 currently).
53+
]]></notes>
54+
<cve>CVE-2024-45772</cve>
55+
</suppress>
56+
3857
</suppressions>
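Review bot: the two new suppressions at 39+ and 48+ match on `<cve>` alone, with no `<packageUrl>` element, so they silence those CVE ids for every artifact in the build rather than only the Jetty and Lucene jars; the snakeyaml entry earlier in this file scopes itself with `<packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@.*$</packageUrl>`, and the same should be done here (for the Lucene entry something like `^pkg:maven/org\.apache\.lucene/.*$`, and the Jetty group id for the other). Two smaller points: the commit message says CVE-2024-6763 was fixed by the Jetty upgrade and CVE-2024-8184 was suppressed, yet the entry at 45+ carries `<cve>CVE-2024-6763</cve>` and there is no entry for CVE-2024-8184, so either the message or the file has the two ids swapped and that should be reconciled before merge; and the note at 43+ reads "we are are 11 currently", which should be "we are on 11 currently".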

deps.edn

Lines changed: 4 additions & 4 deletions
@@ -52,9 +52,9 @@
5252
org.apache.xmlgraphics/batik-dom
5353
org.apache.xmlgraphics/batik-svggen]}
5454
org.apache.commons/commons-email {:mvn/version "1.5"}
55-
org.apache.lucene/lucene-core {:mvn/version "8.11.1"}
56-
org.apache.lucene/lucene-analyzers-common {:mvn/version "8.11.1"}
57-
org.apache.lucene/lucene-queryparser {:mvn/version "8.11.1"}
55+
org.apache.lucene/lucene-core {:mvn/version "8.11.4"}
56+
org.apache.lucene/lucene-analyzers-common {:mvn/version "8.11.4"}
57+
org.apache.lucene/lucene-queryparser {:mvn/version "8.11.4"}
5858
org.apache.maven/maven-model {:mvn/version "3.8.4"}
5959
org.apache.maven/maven-repository-metadata {:mvn/version "3.8.4"}
6060
;; Override bouncycastle brought in by buddy-core to address CVE-2024-29857,
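Review bot: the Lucene bump from 8.11.1 to 8.11.4 at 55+ through 57+ is not mentioned in the commit message, which only says CVE-2024-45772 was suppressed because a fix would need Lucene 9; add a sentence to the message saying whether this patch-level update is part of the CVE work or an unrelated refresh, so that whoever next reads the suppression note ("we are on 8 currently") knows 8.11.4 was the deliberate target. The three lucene artifacts move in lockstep, which is the right thing to do.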
@@ -77,7 +77,7 @@
7777
ring/ring-core {:mvn/version "1.12.1"}
7878
ring/ring-defaults {:mvn/version "0.5.0"}
7979
;; Audit clojars.ring-servlet-patch if updating this version!
80-
ring/ring-jetty-adapter {:mvn/version "1.12.1"}
80+
ring/ring-jetty-adapter {:mvn/version "1.13.0"}
8181
ring-jetty-component/ring-jetty-component {:mvn/version "0.3.1"}
8282
ring-middleware-format/ring-middleware-format {:mvn/version "0.7.5"}
8383
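Review bot: the context comment at 79 says "Audit clojars.ring-servlet-patch if updating this version!" and the line directly under it changes from 1.12.1 to 1.13.0, but neither the diff nor the commit message records that the audit was done; state in the message that clojars.ring-servlet-patch was checked against ring-jetty-adapter 1.13.0, or update the patch in the same change if it needed it. Separately, ring/ring-core at 77 stays at 1.12.1 while ring-jetty-adapter moves to 1.13.0, so the ring artifacts are now at mixed versions; either bump ring-core alongside it or note why the split is intended.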
