Bug #24606: Upgrade postgresql since CVE-2024-1597 and ignore other JS CVEs - Rudder - Issue Tracker

Actions

Copy link

Bug #24606

closed

Upgrade postgresql since CVE-2024-1597 and ignore other JS CVEs

Added by Clark ANDRIANASOLO about 1 month ago. Updated 19 days ago.

Status:

Released

Priority:

N/A

Assignee:

Alexis Mousset

Category:

Security

Target version:

8.1.0~rc1

Pull Request:

https://github.com/Normation/rudder/p...

Severity:

Trivial - no functional impact | cosmetic

UX impact:

User visibility:

Effort required:

Very Small

Priority:

Name check:

To do

Fix check:

To do

Regression:

Description

When running dependency checks :


[2024-03-27T16:17:11.576Z] icu4j-23.1.1.jar (pkg:maven/org.graalvm.shadowed/icu4j@23.1.1, cpe:2.3:a:icu-project:international_components_for_unicode:23.1.1:*:*:*:*:*:*:*, cpe:2.3:a:unicode:international_components_for_unicode:23.1.1:*:*:*:*:*:*:*, cpe:2.3:a:unicode:unicode:23.1.1:*:*:*:*:*:*:*) : CVE-2017-15396, CVE-2017-15422, CVE-2020-21913

[2024-03-27T16:17:11.576Z] lift-webkit_2.13-3.5.0.jar: ext-core-debug.js (pkg:javascript/ExtJS@3.1.0) : CVE-2010-4207, CVE-2012-5881

[2024-03-27T16:17:11.576Z] lift-webkit_2.13-3.5.0.jar: jquery-1.3.2.js (pkg:javascript/jquery@1.3.2) : jQuery 1.x and 2.x are End-of-Life and no longer receiving security updates

[2024-03-27T16:17:11.576Z] lift-webkit_2.13-3.5.0.jar: jquery-1.4.4.js (pkg:javascript/jquery@1.4.4) : jQuery 1.x and 2.x are End-of-Life and no longer receiving security updates

[2024-03-27T16:17:11.577Z] postgresql-42.7.0.jar (pkg:maven/org.postgresql/postgresql@42.7.0, cpe:2.3:a:postgresql:postgresql_jdbc_driver:42.7.0:*:*:*:*:*:*:*) : CVE-2024-1597

The only potential issue is the one with postgresql which could be unsafe if the PreferQueryMode JDBC option is changed.

We should upgrade to avoid being reported and risking this vulnerability.