From 62e921f5f821ece1eb89c7d3d47e4d6f32a70698 Mon Sep 17 00:00:00 2001 From: julianladisch Date: Tue, 5 Dec 2023 11:35:29 +0100 Subject: [PATCH] EDGOAIPMH-108: RMB 35.1.1, Vert.x 4.4.6 fixing Netty/Jackson DoS (#106) Upgrade RMB from the Orchid version 35.0.6 to the Poppy version 35.1.1. Upgrade Vert.x from 4.3.8 to 4.4.6. Versions 4.3.x have been out of support since March 2023. Upgrade log4j from 2.17.2 to 2.20.0. edge-common comes with 2.20.0 and we should not downgrade the version. The Vert.x upgrade indirectly upgrades Netty from 4.1.87.Final to 4.1.100.Final fixing Denial of Service (DoS): https://nvd.nist.gov/vuln/detail/CVE-2023-44487 , https://nvd.nist.gov/vuln/detail/CVE-2023-34462 The RMB upgrade indirectly upgrades Jackson from 2.14.0 to 2.15.0 fixing Number Parse DoS: https://github.com/FasterXML/jackson-core/pull/827 (PRISMA-2023-0067) (cherry picked from commit 4341dd80f616215a104b443026c9137fb3d53aff) --- pom.xml | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/pom.xml b/pom.xml index 1f6c644..3b46e8b 100644 --- a/pom.xml +++ b/pom.xml @@ -30,7 +30,7 @@ 17 - 35.0.6 + 35.1.1 UTF-8 0.14.0 @@ -45,8 +45,8 @@ 4.0.0 5.9.1 4.5.2 - 4.3.8 - 2.17.2 + 4.4.6 + 2.20.0 4.6.1 5.1.0 1.18.24 @@ -56,13 +56,6 @@ - - io.vertx - vertx-stack-depchain - ${vertx-stack-depchain.version} - pom - import - org.apache.logging.log4j log4j-bom @@ -70,6 +63,13 @@ import pom + + io.vertx + vertx-stack-depchain + ${vertx-stack-depchain.version} + pom + import +
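Review bot: In the hunk at `@@ -45,8 +45,8 @@` (the `- 4.3.8` / `+ 4.4.6` and `- 2.17.2` / `+ 2.20.0` property bumps), the Netty and Jackson fixes named in the commit message rest entirely on transitive resolution: the pom pins neither `io.netty` nor `com.fasterxml.jackson.core` directly, and nothing in the diff asserts the resolved versions. Because another imported BOM managing the same artifacts could still win, please record the resolved versions in the PR, for example the output of `mvn dependency:tree -Dincludes=io.netty,com.fasterxml.jackson.core`, so the claimed 4.1.100.Final and 2.15.0 are verified rather than assumed.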
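Review bot: The hunks at `@@ -56,13 +56,6 @@` and `@@ -70,6 +63,13 @@` move the `io.vertx` / `vertx-stack-depchain` import from before the `log4j-bom` import to after it, but neither the commit message nor the pom says why. Ordering is semantically significant here: when several imported BOMs in `dependencyManagement` manage the same artifact, Maven uses the first declaration, so this move changes which BOM controls shared versions. If the intent is to let the earlier BOM take precedence over the Vert.x stack, please say so in a short XML comment next to the moved import or in the commit message, and confirm the outcome with `mvn help:effective-pom`; otherwise a later contributor may "tidy" the order back and silently undo the fix.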
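Review bot: For the hunk at `@@ -30,7 +30,7 @@` (`- 35.0.6` / `+ 35.1.1`), the RMB bump crosses a minor release line (Orchid to Poppy), yet the patch touches only `pom.xml` (`1 file changed`). If this repository keeps a changelog or release notes, please add an entry naming the three upgrades and the two CVE references from the commit message, so the security motivation for the version change is discoverable from the repository itself and not only from the commit log.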