Project

General

Profile

Actions

Bug #24606

closed

Upgrade postgresql since CVE-2024-1597 and ignore other JS CVEs

Added by Clark ANDRIANASOLO 9 months ago. Updated 9 months ago.

Status:
Released
Priority:
N/A
Category:
Security
Target version:
Severity:
Trivial - no functional impact | cosmetic
UX impact:
User visibility:
Effort required:
Very Small
Priority:
0
Name check:
To do
Fix check:
To do
Regression:
No

Description

When running dependency checks :


[2024-03-27T16:17:11.576Z] icu4j-23.1.1.jar (pkg:maven/org.graalvm.shadowed/icu4j@23.1.1, cpe:2.3:a:icu-project:international_components_for_unicode:23.1.1:*:*:*:*:*:*:*, cpe:2.3:a:unicode:international_components_for_unicode:23.1.1:*:*:*:*:*:*:*, cpe:2.3:a:unicode:unicode:23.1.1:*:*:*:*:*:*:*) : CVE-2017-15396, CVE-2017-15422, CVE-2020-21913

[2024-03-27T16:17:11.576Z] lift-webkit_2.13-3.5.0.jar: ext-core-debug.js (pkg:javascript/ExtJS@3.1.0) : CVE-2010-4207, CVE-2012-5881

[2024-03-27T16:17:11.576Z] lift-webkit_2.13-3.5.0.jar: jquery-1.3.2.js (pkg:javascript/jquery@1.3.2) : jQuery 1.x and 2.x are End-of-Life and no longer receiving security updates

[2024-03-27T16:17:11.576Z] lift-webkit_2.13-3.5.0.jar: jquery-1.4.4.js (pkg:javascript/jquery@1.4.4) : jQuery 1.x and 2.x are End-of-Life and no longer receiving security updates

[2024-03-27T16:17:11.577Z] postgresql-42.7.0.jar (pkg:maven/org.postgresql/postgresql@42.7.0, cpe:2.3:a:postgresql:postgresql_jdbc_driver:42.7.0:*:*:*:*:*:*:*) : CVE-2024-1597

The only potential issue is the one with postgresql which could be unsafe if the PreferQueryMode JDBC option is changed.

We should upgrade to avoid being reported and risking this vulnerability.

Actions #1

Updated by Clark ANDRIANASOLO 9 months ago

  • Status changed from New to In progress
Actions #2

Updated by Clark ANDRIANASOLO 9 months ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from Clark ANDRIANASOLO to Alexis Mousset
  • Pull Request set to https://github.com/Normation/rudder/pull/5545
Actions #3

Updated by Clark ANDRIANASOLO 9 months ago

  • Status changed from Pending technical review to Pending release
Actions #4

Updated by Vincent MEMBRÉ 9 months ago

  • Status changed from Pending release to Released

This bug has been fixed in Rudder 8.1.0~rc1 which was released today.

Actions

Also available in: Atom PDF