Red5 / red5-client

Red5 Client
Apache License 2.0

Red5-client is dependent on vulnerable version of mina-core #52

Open rawler opened 2 years ago

rawler commented 2 years ago

Details can be seen on https://mvnrepository.com/artifact/org.red5/red5-client/1.2.12

Tried to patch it up myself, but failed to understand what controls ${mina.version} in pom.xml.

mondain commented 2 years ago

@rawler the versions will normally be found in the properties section of the current pom or in the parent pom (see red5-parent). Also the CVE linked does not affect Red5 since we do not use Mina for HTTP requests; the only way it could possibly be exploited is with a specially crafted RTMPT client, if one was so inclined.

rawler commented 2 years ago

Good point R.E. not applicable to red5-client. Any good reason to not bump dependency to fixed version? (2.1.5)

mondain commented 2 years ago

If there was a road map, I'd say that's on there, but in actuality I haven't taken it on yet.
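
The lookup described in the thread (a `${mina.version}` placeholder resolved from the properties section of the current pom, otherwise from the parent pom), as an added example that is not part of the thread or of the Red5 code base. The two POMs are constructed samples, the 2.0.0 value is a placeholder, the function names are hypothetical, and the resolution is simplified to one parent level (real Maven also consults dependencyManagement, profiles and command-line properties); 2.1.5 is the fixed version named in the thread.

```python
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample POMs, not the project's real files; 2.0.0 is a placeholder.
PARENT_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <artifactId>red5-parent</artifactId>
  <properties><mina.version>2.0.0</mina.version></properties>
</project>"""

CHILD_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <parent><artifactId>red5-parent</artifactId></parent>
  <artifactId>red5-client</artifactId>
  <dependencies><dependency>
    <groupId>org.apache.mina</groupId>
    <artifactId>mina-core</artifactId>
    <version>${mina.version}</version>
  </dependency></dependencies>
</project>"""

def properties(pom_xml):
    """Return the <properties> section of one POM as a dict (empty if absent)."""
    found = ET.fromstring(pom_xml).iterfind("m:properties/*", NS)
    return {p.tag.split("}", 1)[1]: (p.text or "").strip() for p in found}

def declared_version(pom_xml, artifact_id):
    """Return the raw <version> text declared for a dependency, or None."""
    for dep in ET.fromstring(pom_xml).iterfind(".//m:dependency", NS):
        if dep.findtext("m:artifactId", namespaces=NS) == artifact_id:
            return dep.findtext("m:version", namespaces=NS)
    return None

def check(child, parent, artifact_id, fixed):
    """Resolve the dependency version (child POM wins) and compare to fixed."""
    raw = declared_version(child, artifact_id)
    if raw is None:
        raise LookupError(f"{artifact_id} is not declared in the child POM")
    version, source = raw, "literal"
    ref = re.fullmatch(r"\$\{(.+)\}", raw)
    if ref:  # placeholder: look in the child's properties, then the parent's
        for source, pom in (("child pom", child), ("parent pom", parent)):
            version = properties(pom).get(ref.group(1))
            if version is not None:
                break
        else:
            raise KeyError(f"{raw} is not defined in either POM")
    as_tuple = lambda v: tuple(int(n) for n in re.findall(r"\d+", v))
    return version, source, as_tuple(version) >= as_tuple(fixed)
```

`check(CHILD_POM, PARENT_POM, "mina-core", "2.1.5")` reports which POM supplied the value and whether it meets the fixed version. On a real checkout, `mvn help:evaluate -Dexpression=mina.version` prints the value Maven actually resolves.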