Description:
Request for the upgrade of the packages below in WSO2 Identity Server version 6.0.0, as they are being reported as impacted by certain CVEs.
Can you please confirm whether the packages below are already planned for upgrade in the upcoming releases, or whether a workaround fix is available to mitigate these?
| Packages | Detected Package Version | Required Version |
| --- | --- | --- |
| org.apache.cxf_cxf-core | 3.5.3, 3.5.0 | fixed in 3.5.5, 3.4.10 |
| org.apache.cxf_cxf-core | 3.5.3, 3.5.0 | fixed in 3.5.5, 3.4.10 |
| com.hazelcast_hazelcast | 4.2.5 | fixed in 5.1.3, 5.0.4, 4.2.6, ... |
| org.yaml_snakeyaml | 1.26 | fixed in 1.31 |
| com.fasterxml.jackson.core_jackson-databind | 2.13.2.2 | fixed in 2.14.0 |
| com.fasterxml.jackson.core_jackson-databind | 2.13.2.2 | fixed in 2.13.4 |
| spring-web_spring-web | 5.3.21 | fixed in 6.0.0 |
| org.apache.openjpa_openjpa | 2.2.0-wso2v1 | fixed in 2.2.2, 1.2.3 |
| go | 1.17.8 | fixed in 1.19.6 |
Suggested Labels:
wso2is 6.0.0
Suggested Assignees:
Affected Product Version: 6.0.0
OS, DB, other environment details and versions:
Steps to reproduce:
We executed a twistcli scan on the setup of WSO2 Identity Server 6.0.0.
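A small triage helper for scan tables of this shape, added here as an example; it is not part of the issue or of the WSO2 project. It parses the "package | detected | fixed in" rows quoted above (copied inline as constructed sample input), strips vendor suffixes such as `-wso2v1`, and for each detected version picks the fix on the same release line, so that a package already at or past the fix on its own line is reported as patched rather than flagged because a higher line exists. The helper names (`parse_version`, `release_line`, `assess`, `triage`) and the major.minor release-line rule are assumptions of this example, and a scanner's version match says nothing about whether the vulnerable code path is reachable in the product; that still has to be checked against the advisory.

```python
"""Triage helper for pipe-separated dependency scan rows (added example)."""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, ...]

# Constructed copy of the scan rows quoted in the issue:
# package | detected version(s) | fixed versions
SCAN_REPORT = """\
org.apache.cxf_cxf-core | 3.5.3, 3.5.0 | fixed in 3.5.5, 3.4.10
com.hazelcast_hazelcast | 4.2.5 | fixed in 5.1.3, 5.0.4, 4.2.6,...
org.yaml_snakeyaml | 1.26 | fixed in 1.31
com.fasterxml.jackson.core_jackson-databind | 2.13.2.2 | fixed in 2.14.0
com.fasterxml.jackson.core_jackson-databind | 2.13.2.2 | fixed in 2.13.4
spring-web_spring-web | 5.3.21 | fixed in 6.0.0
org.apache.openjpa_openjpa | 2.2.0-wso2v1 | fixed in 2.2.2, 1.2.3
go|1.17.8|fixed in 1.19.6
"""


def parse_version(text: str) -> Version:
    """'2.2.0-wso2v1' -> (2, 2, 0): only the numeric core is compared, vendor suffixes are dropped."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def release_line(v: Version) -> Version:
    """Release line a version belongs to (assumed rule): major.minor for 3+ components, major otherwise."""
    return v[:2] if len(v) >= 3 else v[:1]


def assess(detected: Version, fixes: List[Version]) -> Tuple[str, Optional[Version]]:
    """Classify one detected version against the scanner's list of fixed versions.

    Returns (status, target):
      'patched'  detected is at or past the fix on its own release line
      'upgrade'  a fix exists and detected is below it; target is the closest fix
      'unknown'  detected is newer than every listed fix but on a line the list
                 does not mention (the list may be truncated), so check the advisory
    """
    same_line = [f for f in fixes if release_line(f) == release_line(detected)]
    if same_line:
        fix = min(same_line)
        return ("patched", None) if detected >= fix else ("upgrade", fix)
    newer = [f for f in fixes if f > detected]
    if newer:
        return "upgrade", min(newer)
    return "unknown", None


def triage(report: str) -> List[Tuple[str, str, str, Optional[str]]]:
    """Parse the pipe-separated rows and assess every detected version.

    Each result is (package, detected as written, status, upgrade target or None)."""
    results = []
    for line in report.splitlines():
        if not line.strip():
            continue
        pkg, detected_col, fixed_col = (c.strip() for c in line.split("|"))
        fixed_col = fixed_col.replace("fixed in", "", 1)
        # Entries without a digit (the trailing '...' of a truncated list) are skipped.
        fixes = [parse_version(v) for v in fixed_col.split(",") if re.search(r"\d", v)]
        for raw in detected_col.split(","):
            status, target = assess(parse_version(raw), fixes)
            results.append((pkg, raw.strip(), status,
                            ".".join(map(str, target)) if target else None))
    return results


if __name__ == "__main__":
    for pkg, detected, status, target in triage(SCAN_REPORT):
        print(f"{pkg:45} {detected:14} {status:8} {target or ''}")
```

Run as a script it prints one line per detected version; every row in the quoted report comes out as `upgrade` with the nearest fix on its line (for example cxf 3.5.3 to 3.5.5, not 3.4.10), while a version such as cxf 3.5.6 would be reported as `patched` even though the scanner also lists a 3.4.x fix.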
This issue is being closed due to extended inactivity. Please feel free to reopen it if further attention is needed. Thank you for helping us keep the issue list relevant and focused!
Related Issues: