jruby / activerecord-jdbc-adapter

JRuby's ActiveRecord adapter using JDBC.
BSD 2-Clause "Simplified" License

Timeframe for CVE-2023-22102 resolution? #1162

Closed headius closed 4 weeks ago

headius commented 4 weeks ago

Discussed in https://github.com/jruby/activerecord-jdbc-adapter/discussions/1161

Originally posted by **atziatzios-ccycloud** October 29, 2024 Hi. I just wanted to highlight an already raised issue (https://nvd.nist.gov/vuln/detail/CVE-2023-22102) with the mysql adapter version in use in the latest release. How complex/problematic is an update to a non-vulnerable version of the adapter? Thanks to anyone taking the time to answer.
headius commented 4 weeks ago

I have released jdbc-mysql-8.2.0.1 (smallest update to avoid CVE, based on 8.2.0 but I botched the first attempt), jdbc-mysql-8.4.0 (last in 8.x series), and jdbc-mysql-9.1.0 (latest overall).
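A lockfile check a deployer can run against their own app, added here as an example rather than code from the activerecord-jdbc-adapter project: it reads the `jdbc-mysql` version pinned in a Gemfile.lock and flags anything older than 8.2.0.1, the smallest release the comment above names as avoiding CVE-2023-22102 (the lockfile fragments are constructed for the example, and the 8.2.0.1 cutoff is an assumption taken from that comment).

```ruby
require "rubygems" # Gem::Version gives proper segment-wise comparison

# Smallest jdbc-mysql gem release that the comment above lists as avoiding
# CVE-2023-22102; anything older is treated as vulnerable here (assumption).
FIXED_JDBC_MYSQL = Gem::Version.new("8.2.0.1")

# Constructed Gemfile.lock fragment (not taken from any real project).
VULNERABLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      activerecord-jdbc-adapter (70.2-java)
        activerecord (~> 7.0)
      jdbc-mysql (8.0.27)

  DEPENDENCIES
    activerecord-jdbc-adapter
    jdbc-mysql
LOCK
FIXED_LOCK = VULNERABLE_LOCK.sub("jdbc-mysql (8.0.27)", "jdbc-mysql (8.2.0.1)")

# Return the version string pinned for `gem_name` in the lockfile's specs
# block, or nil if the gem is not locked. Only 4-space-indented spec lines
# match, so dependency lines ("      jdbc-mysql (>= 8.2.0.1)") and the
# DEPENDENCIES section are ignored.
def locked_version(lockfile_text, gem_name)
  lockfile_text.each_line do |line|
    m = line.match(/\A {4}#{Regexp.escape(gem_name)} \(([^)]+)\)\s*\z/)
    return m[1] if m
  end
  nil
end

# Classify the lockfile: :missing, :vulnerable or :fixed.
def jdbc_mysql_status(lockfile_text)
  version = locked_version(lockfile_text, "jdbc-mysql")
  return :missing if version.nil?
  # Drop a "-java" platform suffix so Gem::Version does not read it as a
  # prerelease tag and sort it below the plain release.
  plain = version.sub(/-java\z/, "")
  Gem::Version.new(plain) >= FIXED_JDBC_MYSQL ? :fixed : :vulnerable
end

if __FILE__ == $PROGRAM_NAME
  puts "constructed lock with 8.0.27:  #{jdbc_mysql_status(VULNERABLE_LOCK)}"
  puts "constructed lock with 8.2.0.1: #{jdbc_mysql_status(FIXED_LOCK)}"
end
```

Point `jdbc_mysql_status` at `File.read("Gemfile.lock")` in a CI step to catch a regression to an older jdbc-mysql before it ships.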