Closed tomaskodaj closed 3 months ago
Pinging @elastic/es-delivery (Team:Delivery)
Pinging @elastic/es-security (Team:Security)
@jakelandis do we need to bump some dependencies in 7.17?
We run scans internally and have evaluated all of these and they have all been mitigated or evaluated that we are not vulnerable. If you have a support contract we can provide our official statements on the related CVEs via the support portal (and there should be a self-service search by CVE).
I am going to close this issue, but ping me if you have any follow up comments.
Description
Please, would it be possible to bump the Java libs in the next planned patch of 7.17?
Specifically:
- xmlsec-2.1.4.jar to 2.1.8+
- nimbus-jose-jwt-9.23.jar to 9.37.3+
- json-smart-2.4.10.jar to 2.4.11+
- httpcore-4.4.12.jar / httpcore-nio-4.4.12.jar to 4.4.16+
Those dependencies show some CVE findings in the free Trivy scanner...
We are rebuilding the image with this Dockerfile right now.
Thanks
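An added example, not part of the original issue or of Elasticsearch: a filename-based check that flags jars below the minimum versions requested above. The function names and the extra sample jar names are assumptions made for illustration; a hit is a version match only and says nothing about whether the code path is reachable.

```python
import re

# Minimum versions requested in the issue (artifact name -> minimum version).
REQUESTED_MINIMUMS = {
    "xmlsec": "2.1.8",
    "nimbus-jose-jwt": "9.37.3",
    "json-smart": "2.4.11",
    "httpcore": "4.4.16",
    "httpcore-nio": "4.4.16",
}

# <artifact>-<version>.jar; the version starts at the last "-<digit>" segment.
# Names with a qualifier after the version (e.g. "-jre") do not match and are skipped.
JAR_NAME = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[\w.]*)\.jar$")


def version_key(version):
    """Turn '9.37.3' into (9, 37, 3) so versions compare numerically, not as text."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def is_below(version, minimum):
    """True if version < minimum, treating missing components as 0 (2.1.8 == 2.1.8.0)."""
    a, b = version_key(version), version_key(minimum)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def jars_below_minimum(jar_names, minimums=REQUESTED_MINIMUMS):
    """Return (artifact, found_version, minimum) for each listed jar that is too old."""
    findings = []
    for name in jar_names:
        match = JAR_NAME.match(name)
        if not match or match["artifact"] not in minimums:
            continue  # unparseable name, or not one of the libraries in the request
        minimum = minimums[match["artifact"]]
        if is_below(match["version"], minimum):
            findings.append((match["artifact"], match["version"], minimum))
    return findings


# Jar names from the issue, plus two constructed names that must not be flagged.
SAMPLE_JARS = [
    "xmlsec-2.1.4.jar", "nimbus-jose-jwt-9.23.jar", "json-smart-2.4.10.jar",
    "httpcore-4.4.12.jar", "httpcore-nio-4.4.12.jar",
    "json-smart-2.4.11.jar",   # constructed: already at the requested minimum
    "example-lib-1.0.0.jar",   # constructed: not in the requested list
]

if __name__ == "__main__":
    for artifact, found, minimum in jars_below_minimum(SAMPLE_JARS):
        print(f"{artifact}: found {found}, requested >= {minimum}")
```

To check a real image, pass the output of `os.listdir()` for the directory holding the jars instead of `SAMPLE_JARS`.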