- Sub-task
- Resolution: Done
- Medium
- Beijing Release
- None
- Beijing SO Sprint 2

- resteasy-jaxrs-2.3.2.Final.jar
  - Changed so/libs/openstack-client-connectors/resteasy-connector/pom.xml
  - Version change from 2.3.2.Final to 3.5.0.Final // 3.5.0.Final does not have security and license risk.
  - Found 3.0.19.Final was used in so/libs, which has security alerts // should we change all to 3.5.0.Final?
- Httpclient-4.3.5.jar
  - Changed so/libs/openstack-client-connectors/http-connector/pom.xml
  - Version change from 4.3.5 to 4.5.5
- Commons-httpclient-3.1.jar
  - Changed so/libs/openstack-client-connectors/resteasy-connector/pom.xml
  - Changed RESTEasyConnector.java:
    - Import org.apache.commons.httpclient.HttpStatus --> org.apache.http.HttpStatus
  - Replaced commons-httpclient with httpclient-4.5.5 and httpcore-4.4.4
  - Note: ./org.apache.http.annotation.Immutable has been removed from httpcore-4.4.9 for some thread-safe issues. So, I put httpcore-4.4.4 for now to make SO compilable.
- Jackson-mapper-asl-1.9.13.jar
  - There is no non-vulnerable version. We need to build our own TypeResolverBuilder…
    From the SO/libs code, I could not find use of default typing (e.g., setDefaultTyping, or default enums). So, it should be ok.
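
The default-typing audit described for jackson-mapper-asl can be made repeatable with a small source scan. The following is an added example, not code from the ticket or from the SO project: it assumes the Jackson 1.x names `enableDefaultTyping`, `enableDefaultTypingAsProperty`, `setDefaultTyping` and `ObjectMapper.DefaultTyping`, goes beyond the ticket by also flagging `@JsonTypeInfo` with `Id.CLASS` or `Id.MINIMAL_CLASS`, and runs on constructed Java samples.

```python
import re

# Jackson 1.x (org.codehaus.jackson) constructs that let class names in the
# JSON input choose the Java type to instantiate.
RULES = {
    "default-typing-call": re.compile(
        r"\.\s*(?:enableDefaultTyping(?:AsProperty)?|setDefaultTyping)\s*\("),
    "default-typing-enum": re.compile(r"\bDefaultTyping\s*\.\s*[A-Z_]+\b"),
    "class-name-type-id": re.compile(
        r"@JsonTypeInfo\s*\([^)]*\buse\s*=\s*(?:[\w.]+\.)?Id\.(?:MINIMAL_)?CLASS\b"),
}
# String/char literals and comments: blanked first so that commented-out
# code or text inside a literal is not reported.
NOISE = re.compile(
    r'''"(?:\\.|[^"\\\n])*"|'(?:\\.|[^'\\\n])*'|//[^\n]*|/\*.*?\*/''', re.S)

def blank_noise(src):
    """Overwrite literals and comments with spaces, keeping line breaks."""
    return NOISE.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), src)

def scan_source(path, src):
    """Return sorted (path, line, rule) tuples for one Java source text."""
    code = blank_noise(src)
    return sorted((path, code.count("\n", 0, m.start()) + 1, rule)
                  for rule, rx in RULES.items() for m in rx.finditer(code))

# Constructed sample sources (not taken from the SO repository).
SAFE = """\
import org.codehaus.jackson.map.ObjectMapper;
public class SafeClient {
    // mapper.enableDefaultTyping(); was removed
    private final ObjectMapper mapper = new ObjectMapper();
    String url = "http://example.invalid/x.enableDefaultTyping(";
}
"""
RISKY = """\
import org.codehaus.jackson.map.ObjectMapper;
import org.codehaus.jackson.annotate.JsonTypeInfo;
public class RiskyClient {
    ObjectMapper m = new ObjectMapper();
    void init() {
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
    }
    @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, property = "@class")
    static class Payload {}
}
"""

if __name__ == "__main__":
    for name, text in (("SafeClient.java", SAFE), ("RiskyClient.java", RISKY)):
        for finding in scan_source(name, text):
            print("%s:%d: %s" % finding)
```

An empty result for a source tree supports the "no default typing" conclusion only for code that was scanned; mappers configured in dependencies or through reflection are outside what a text scan can see.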
- relates to
  - SO-458 Resolve the critical vulnerabilities in the third party libraries of SO-libs (Closed)