Closed fbacchella closed 9 months ago
Ah, I see you had the same idea and also updated some dependencies. I have now merged my changes, as they went a little bit further. I did not update BouncyCastle since this is a case where there is an issue listed, but it exists in a component that is not in use in Gitblit, so it is not affected.
If you would like to still have BouncyCastle updated so it doesn't show up in a list, maybe you could rebase this PR on the current master. That should reduce the change to the BC update. If you have tested this to work well on your server, I am happy to merge it.
I didn't know that there was an issue; it should be handled before the version update if you think so.
After your fix:
| NAME | INSTALLED | FIXED-IN | TYPE | VULNERABILITY | SEVERITY |
|---|---|---|---|---|---|
| bcprov-jdk15on | 1.69 | | java-archive | GHSA-hr8g-6v94-x4m9 | Medium |
| httpclient | 4.5.2 | 4.5.13 | java-archive | GHSA-7r82-7xv7-xcpj | Medium |
| jdom | 1.0 | | java-archive | GHSA-2363-cqg2-863c | High |
| org.eclipse.jgit | 4.11.9.201909030838-r | 6.6.1.202309021850-r | java-archive | GHSA-3p86-9955-h393 | High |
| sshd-core | 1.7.0 | 2.9.2 | java-archive | GHSA-fhw8-8j55-vwgq | Critical |
| sshd-core | 1.7.0 | 2.10.0 | java-archive | GHSA-mjmq-gwgm-5qhm | Medium |
There is only one critical vulnerability, and I’m afraid this one will be difficult to fix. I hope gitblit is not exposed. So my PR can be dropped.
No, I meant there is a CVE for BouncyCastle, but that is about a vulnerability that only applies when you use BC with certificates stored in LDAP. Gitblit does not do that, so this plays no role for Gitblit. Since BC is a vital component, updating it involves thorough testing, so I decided to skip this update.
Not all possible updates are applied, as some of them require API changes.
When running grype 0.71.0, it now returns: