MINOR: Upgrade jersey libraries to address CVE-2025-12383 #21395
chia7712 merged 1 commit into apache:3.9 from
Conversation
@FrankYang0529 Could you please take a look or ping someone to review this?

@tengu-alt Thanks for the fix. We will take a look to check whether to include this in 3.9.2.

The CVE is regarding eclipse-ee4j/jersey#5749, and the patch was NOT merged into @tengu-alt @FrankYang0529 WDYT?
| javassist: "3.29.2-GA", | ||
| jetty: "9.4.57.v20241219", | ||
| jersey: "2.39.1", | ||
| jersey: "2.46", |
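Review bot: the bump stops at jersey 2.46, one release short of 2.47, which the thread identifies as the latest released 2.x version; since the discussion settles on 2.47, update the `jersey: "2.46",` line to `jersey: "2.47",` and keep the PR description (which still reads 2.46) consistent with the final pinned version.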
Curious why 2.46 and not 2.47 when that's the latest released 2.x version?
I agree with @gaurav-narula. Let's update to 2.47. @tengu-alt could you update this? So I can run the next release.
@chia7712 https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/253 mentions a reproducer for the CVE is at https://github.com/dtbaum/jerseyCveCandidate. I was able to reproduce it with

@gaurav-narula thanks for the verification. I'm wondering whether it is the same issue, since the PRs mentioned by the CVE are unrelated to 2.39.1
I'm fairly certain it's the same issue as the PoC is asserting the same CVE and it's reproducible in 2.39.1. Here's the trail I could find:
@gaurav-narula thanks for the info. @FrankYang0529 it seems we need to cut another RC
Does this mean that the CVE data is just wrong? I ask because CVE-2025-12383 only references 2.45, 3.0.16, 3.1.9 |
I think the issue exists in releases where either of the following conditions hold:
Releases between (1) and (2) would suffer from the perf degradation mentioned in eclipse-ee4j/jersey#5738. Once again, I'm basing this off of the PoC to reproduce the issue at https://github.com/dtbaum/jerseyCveCandidate. It would be nice to get a confirmation from jersey developers on this. I'll need some approvals (and hence time) to be able to participate in discussions at https://gitlab.eclipse.org/security/cve-assignment/-/issues/74. In the meantime, I agree we should get another RC going for 3.9.2 with the version bumped.
@FrankYang0529 @gaurav-narula, I've updated the PR with 2.47

BTW, also want to add that the vulnerability comes from the

Sorry, didn't see the approval, thank you

@tengu-alt It's ok. Let's wait for the CI result.
The final fix for this CVE is eclipse-ee4j/jersey#5794, which also handles the performance. |
Thanks for sharing this. The final fix was introduced in 2.46, so upgrading to 2.47 will definitely cover it.
This PR upgrades the jersey libraries family from 2.39.1 to 2.46 to address CVE-2025-12383.
Note: while 2.39.1 is not listed as vulnerable, security scanners still may alert on it as vulnerable.
Reviewers: PoAn Yang payang@apache.org, Gaurav Narula gaurav_narula2@apple.com, Chia-Ping Tsai chia7712@gmail.com