raboof/pekko
1
0
Fork 0
Code Issues Pull requests Projects Releases 6 Packages Wiki Activity Actions 11

Merge pull request #23505 from akka/wip-dependencies-patriknw

Browse source 
Upgrade camel-core dependency to 2.17.7
This commit is contained in:
Patrik Nordwall 2017-08-10 14:10:31 +02:00 committed by GitHub
commit c1f247212f
4 changed files with 35 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

2
akka-docs/src/main/paradox/scala/common/binary-compatibility-rules.md
View file

@ -40,6 +40,8 @@ OK: 3.1.n --> 3.2.0 ...
### Cases where binary compatibility is not retained ### Cases where binary compatibility is not retained
If a security vulnerability is reported in Akka or a transient dependency of Akka and it cannot be solved without breaking binary compatibility then fixing the security issue is more important. In such cases binary compatibility might not be retained when releasing a minor version. Such exception is always noted in the release announcement.
Some modules are excluded from the binary compatibility guarantees, such as: Some modules are excluded from the binary compatibility guarantees, such as:
* `*-testkit` modules - since these are to be used only in tests, which usually are re-compiled and run on demand * `*-testkit` modules - since these are to be used only in tests, which usually are re-compiled and run on demand

31
akka-docs/src/main/paradox/scala/security/2017-08-09-camel.md Normal file
View file

@ -0,0 +1,31 @@
# Camel Dependency, Fixed in Akka 2.5.4
### Date
9 August 2017
### Description of Vulnerability
Apache Camel's Validation Component is vulnerable against SSRF via remote DTDs and XXE, as described in [CVE-2017-5643](https://nvd.nist.gov/vuln/detail/CVE-2017-5643)
To protect against such attacks the system should be updated to Akka *2.4.20*, *2.5.4* or later. Dependencies to Camel libraries should be updated to version 2.17.7.
### Severity
The [CVSS](https://en.wikipedia.org/wiki/CVSS) score of this vulnerability is 7.4 (High), according to [CVE-2017-5643](https://nvd.nist.gov/vuln/detail/CVE-2017-5643).
### Affected Versions
* Akka *2.4.19* and prior
* Akka *2.5.3* and prior
### Fixed Versions
We have prepared patches for the affected versions, and have released the following versions which resolve the issue:
* Akka *2.4.20* (Scala 2.11, 2.12)
* Akka *2.5.4* (Scala 2.11, 2.12)
### Acknowledgements
We would like to thank Thomas Szymanski for bringing this issue to our attention.

1
akka-docs/src/main/paradox/scala/security/index.md
View file

@ -29,5 +29,6 @@ to ensure that a fix can be provided without delay.
@@@ index @@@ index
* [2017-02-10-java-serialization](2017-02-10-java-serialization.md) * [2017-02-10-java-serialization](2017-02-10-java-serialization.md)
* [2017-08-09-camel](2017-08-09-camel.md)
@@@ @@@

2
project/Dependencies.scala
View file

@ -41,7 +41,7 @@ object Dependencies {
object Compile { object Compile {
// Compile // Compile
val camelCore = "org.apache.camel" % "camel-core" % "2.15.6" exclude("org.slf4j", "slf4j-api") // ApacheV2 val camelCore = "org.apache.camel" % "camel-core" % "2.17.7" exclude("org.slf4j", "slf4j-api") // ApacheV2
// when updating config version, update links ActorSystem ScalaDoc to link to the updated version // when updating config version, update links ActorSystem ScalaDoc to link to the updated version
val config = "com.typesafe" % "config" % "1.3.1" // ApacheV2 val config = "com.typesafe" % "config" % "1.3.1" // ApacheV2