Monday, June 29, 2020

Re: Security Vulnerabilities with GWT

1. No, these dependencies were not updated as part of the 2.9.0 release
2. An update would come either in a 2.9.x bugfix release, or in 2.10 - the 3.x release is going to be structured in a different enough way that none of these will be present.
3. At a quick glance, it appears to be an oversight that protobuf is included in gwt-servlet and can be entirely removed. I believe this is likely a false positive if it is not used, since it gets a custom package, so will not interfere with other protobuf dependencies.

Can you share the full report you obtained so we can confirm that #3 is true, and file an issue with all the details? I'll start work on confirming we can remove it from gwt-servlet, and after we are certain about these issues we will look into making a release.
On Monday, June 29, 2020 at 5:57:41 AM UTC-5 priyako...@gmail.com wrote:

Hi All,

Security vulnerabilities have been detected in gwt-dev.jar & gwt-servlet.jar (in release 2.8.2) & are reported by the Dependency Checker tool.

Below are the details -

Gwt-dev.jar -
1.1 Vulnerable version of jetty library (current version - 9.2.14, available version - 9.2.27+)
1.2 Vulnerable version of commons-collections (current version - 3.2.1)
1.3 Vulnerable version of org.apache.httpcomponents:httpclient (current version - 4.3.1)
1.4 Vulnerable version of Google Protobuf (current version - 2.5.0, available version - 3.4.0)
1.5 Vulnerable version of htmlunit (current version - 2.19, available version - 2.37)

Gwt-servlet.jar -
1.1 Vulnerable version of Google Protobuf (current version - 2.5.0, available version - 3.4.0)

Given above vulnerabilities -
1. Are those security issues addressed in latest 2.9.0 release?
2. If no, is there a plan to include them in any future release say 3.x?
3. As we know, gwt-dev.jar is used for development purposes & can be flagged as a false positive; still, do any attack surfaces exist?

--
You received this message because you are subscribed to the Google Groups "GWT Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-web-toolkit+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-web-toolkit/3c7a79d4-7ce4-4000-bb50-e040f2110bden%40googlegroups.com.
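The reply above argues that the protobuf classes in gwt-servlet.jar sit under a custom (repackaged) package and so are likely a false positive for the application's own protobuf dependency. The script below is an added example, not GWT project code, that checks exactly that in a jar: it lists the class entries, finds the flagged libraries' canonical package paths, and reports whether each copy is at its canonical package or under a repackaging prefix. The marker paths, the `com/example/shaded/` prefix and the sample jar contents are all constructed for illustration.

```python
"""Triage a dependency-checker finding by inspecting the jar itself."""
import io
import zipfile
from collections import Counter

# Canonical class-path fragments identifying each library (assumed markers).
LIBRARY_MARKERS = {
    "protobuf": "com/google/protobuf/",
    "commons-collections": "org/apache/commons/collections/",
    "httpclient": "org/apache/http/client/",
}


def scan_jar(data: bytes) -> dict:
    """Map library -> {"count": n, "prefixes": {prefix: n}}.

    A prefix of '' means the classes sit at their canonical package, so the
    application classpath can resolve them; a non-empty prefix means the
    copy is repackaged and cannot shadow the application's own dependency.
    """
    result = {}
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        classes = [n for n in jar.namelist() if n.endswith(".class")]
    for lib, marker in LIBRARY_MARKERS.items():
        prefixes = Counter()
        for name in classes:
            idx = name.find(marker)
            if idx != -1:
                prefixes[name[:idx]] += 1
        if prefixes:
            result[lib] = {"count": sum(prefixes.values()), "prefixes": dict(prefixes)}
    return result


def classify(finding: dict) -> str:
    """'canonical' = real exposure if the code path is used; 'repackaged' =
    likely a false positive for the app's classpath (still worth removing)."""
    prefixes = finding["prefixes"]
    if all(p == "" for p in prefixes):
        return "canonical"
    if all(p != "" for p in prefixes):
        return "repackaged"
    return "mixed"


def build_sample_jar() -> bytes:
    """Constructed sample jar: a repackaged protobuf copy plus one
    commons-collections class at its canonical package. Not real GWT content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("com/example/shaded/com/google/protobuf/Message.class", b"")
        jar.writestr("com/example/shaded/com/google/protobuf/CodedInputStream.class", b"")
        jar.writestr("org/apache/commons/collections/map/LazyMap.class", b"")
        jar.writestr("com/example/Servlet.class", b"")
    return buf.getvalue()
```

Run `scan_jar(open("gwt-servlet.jar", "rb").read())` against the real artifact to see which prefix the flagged protobuf classes actually live under; a repackaged copy still deserves removal or an update, but it does not override the application's own protobuf version.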
