APR library has security vulnerabilities #324

Open
ladenedge opened this issue Feb 1, 2024 · 2 comments
@ladenedge
Contributor

Hello. We recently started scanning our code with BlackDuck, a dependency analysis tool, and found that the version of the Apache Portable Runtime in use by UniMRCP has a number of high risk security vulnerabilities.

Are there any plans to upgrade these dependency libraries? (The latest APR, v1.7.4, shows no known vulnerabilities.)

If not, are there any known issues with later versions? Would a PR be appropriate for such an upgrade?

Thank you for your time!

@ladenedge
Contributor Author

To follow up on this, running APR 1.5 is going to stop being an option for us by the end of this year. I'd like to try and update the APR libraries in the dependencies package myself (and submit them back to you, if you like). Are the patches used to create the dependencies libraries still out there? All the links to them in the old documentation appear to be dead. ☹️

Also, have you considered a fork to GitHub where the latest versions could be maintained?

Thanks again for your help!

@volga629-1

In addition, with version 1.5.4 it is impossible to maintain RPMs, for example, for deployments. APR 1.5.4 requires a very old OpenSSL version which contains unmaintained issues.
