ICEfaces
  1. ICEfaces
  2. ICE-11468

Update 3rd Party Libraries

          Details

          • Type: Task Task
          • Status: Closed
          • Priority: Major Major
          • Resolution: Fixed
          • Affects Version/s: EE-4.3.0.GA_P01
          • Fix Version/s: EE-4.3.0.GA_P02
          • Component/s: Framework, Sample Apps
          • Labels:
            None
          • Environment:
            external jars, security

            Description

            A security scan has shown issues with up to the the myfaces 2.2.12 version. see
            https://issues.apache.org/jira/browse/MYFACES-4133
            this has been resolved in myfaces - 2.3.0, so that version of the jar should be tested/included in next release.

            other jars that have security scans may be used in our samples and should also be updated if possible:-
            commons-beanutils : commons-beanutils : 1.9.2 Open or 1.9.3
            dom4j : 1.6.1 Open
            javax.servlet : jstl : 1.2 Open
            org.apache.poi : poi : 3.9 Open

             org.glassfish : javax.faces : 2.3.5 Open --scan states The getLocalePrefix function in ResourceManager.java in Eclipse Mojarra before 2.3.7 is affected by Directory Traversal via the loc parameter. A remote attacker can download configuration files or Java bytecodes from applications.
            Explanation v 2.3.4 and 2.3.5 are only versions that are vulnerable, so stay away from these 2 versions of mojarra.

              Activity

              Ascending order - Click to sort in descending order
              Hide
              Permalink
              Arturo Zambrano added a comment -

              r53179: ICE-11468 Removed old libraries with vulnerabilities, as specified by JIRA description (except JSTL); added updated libraries; added new libraries that are dependencies of updated libraries; updated build scripts and licenses documentation

              Show
              Arturo Zambrano added a comment - r53179: ICE-11468 Removed old libraries with vulnerabilities, as specified by JIRA description (except JSTL); added updated libraries; added new libraries that are dependencies of updated libraries; updated build scripts and licenses documentation
              Hide
              Permalink
              Arturo Zambrano added a comment - - edited

              These are the libraries that were updated and the jars that were removed:

              --------------------------------------------------------------------------------
NAME			VERSION		FILENAME
--------------------------------------------------------------------------------
Mojarra			2.3.5		javax.faces-2.3.5.jar
Myfaces			2.3.1		myfaces-bundle-2.3.1.jar
Commons BeanUtils	1.9.3		commons-beanutils-1.9.3.jar
dom4j			1.6.1		dom4j-1.6.1.jar
Apache POI		3.9		poi-3.9.jar
					poi-ooxml-3.9.jar
					poi-ooxml-schemas-3.9.jar
XML Beans		2.6.0		xmlbeans-2.6.0
--------------------------------------------------------------------------------

              These are the updated jars:

              --------------------------------------------------------------------------------
NAME			VERSION		FILENAME
--------------------------------------------------------------------------------
Mojarra			2.3.8		javax.faces-2.3.8.jar
Myfaces			2.3.6		myfaces-bundle-2.3.6.jar
Commons BeanUtils	1.9.4		commons-beanutils-1.9.4.jar
dom4j			2.1.3		dom4j-2.1.3.jar
Apache POI		4.1.2		poi-4.1.2.jar
					poi-ooxml-4.1.2.jar
					poi-ooxml-schemas-4.1.2.jar
XML Beans		3.1.0		xmlbeans-3.1.0.jar
--------------------------------------------------------------------------------

              These new jars were added as dependencies of the new version of POI:

              --------------------------------------------------------------------------------
NAME				VERSION		FILENAME
--------------------------------------------------------------------------------
Apache Commons Math		3.6.1		commons-math3-3.6.1.jar
Apache Commons Collections4	4.4		commons-collections4-4.4.jar
Apache Commons Compress		1.2		commons-compress-1.20.jar
--------------------------------------------------------------------------------

              Other observations:

              • JSTL (1.2) wasn't updated, because the report refers to the Apache Standard Taglib version (1.2.3 and under). In any case, this library is only used with sample apps and tutorials, and it doesn't affect the framework itself.
              • The new Mojarra 2.3 (2.3.8) version that we use now was released by the Eclipse Foundation.
              • The commons collections jar used by Myfaces and the new collections4 jar are independent of each other and do not cause conflicts. The collections4 jar contains packages with collections4 in their names.
              • The XML Beans library update wasn't part of the security update, but it was necessary to update it, because the new POI library version required it.
              • The Apache Commons Math library was added for XLS and XLSX exporting, while the Apache Commons Collections4 and Apache Commons Compress were added for XLSX exporting only.
              Show
              Arturo Zambrano added a comment - - edited These are the libraries that were updated and the jars that were removed: -------------------------------------------------------------------------------- NAME VERSION FILENAME -------------------------------------------------------------------------------- Mojarra 2.3.5 javax.faces-2.3.5.jar Myfaces 2.3.1 myfaces-bundle-2.3.1.jar Commons BeanUtils 1.9.3 commons-beanutils-1.9.3.jar dom4j 1.6.1 dom4j-1.6.1.jar Apache POI 3.9 poi-3.9.jar poi-ooxml-3.9.jar poi-ooxml-schemas-3.9.jar XML Beans 2.6.0 xmlbeans-2.6.0 -------------------------------------------------------------------------------- These are the updated jars: -------------------------------------------------------------------------------- NAME VERSION FILENAME -------------------------------------------------------------------------------- Mojarra 2.3.8 javax.faces-2.3.8.jar Myfaces 2.3.6 myfaces-bundle-2.3.6.jar Commons BeanUtils 1.9.4 commons-beanutils-1.9.4.jar dom4j 2.1.3 dom4j-2.1.3.jar Apache POI 4.1.2 poi-4.1.2.jar poi-ooxml-4.1.2.jar poi-ooxml-schemas-4.1.2.jar XML Beans 3.1.0 xmlbeans-3.1.0.jar -------------------------------------------------------------------------------- These new jars were added as dependencies of the new version of POI: -------------------------------------------------------------------------------- NAME VERSION FILENAME -------------------------------------------------------------------------------- Apache Commons Math 3.6.1 commons-math3-3.6.1.jar Apache Commons Collections4 4.4 commons-collections4-4.4.jar Apache Commons Compress 1.2 commons-compress-1.20.jar -------------------------------------------------------------------------------- Other observations: JSTL (1.2) wasn't updated, because the report refers to the Apache Standard Taglib version (1.2.3 and under). In any case, this library is only used with sample apps and tutorials, and it doesn't affect the framework itself. The new Mojarra 2.3 (2.3.8) version that we use now was released by the Eclipse Foundation. The commons collections jar used by Myfaces and the new collections4 jar are independent of each other and do not cause conflicts. The collections4 jar contains packages with collections4 in their names. The XML Beans library update wasn't part of the security update, but it was necessary to update it, because the new POI library version required it. The Apache Commons Math library was added for XLS and XLSX exporting, while the Apache Commons Collections4 and Apache Commons Compress were added for XLSX exporting only.
              Hide
              Permalink
              Ken Fyten added a comment -

              Re-opened.

              The relevant .pom files need to be updated to indicate the correct versions of these updated libraries.

              Show
              Ken Fyten added a comment - Re-opened. The relevant .pom files need to be updated to indicate the correct versions of these updated libraries.
              Hide
              Permalink
              Arturo Zambrano added a comment -

              r53185: ICE-11468 updated maven pom.xml files to build using new library versions and dependencies; removed dom4j, which is no longer necessary by new POI version; also updated to Mojarra 2.3.14, which is actually the newest version; also updated commons logging to 1.2 and commons bean utils to 1.9.4 in the Myfaces 2.2 library folder

              Show
              Arturo Zambrano added a comment - r53185: ICE-11468 updated maven pom.xml files to build using new library versions and dependencies; removed dom4j, which is no longer necessary by new POI version; also updated to Mojarra 2.3.14, which is actually the newest version; also updated commons logging to 1.2 and commons bean utils to 1.9.4 in the Myfaces 2.2 library folder
              Hide
              Permalink
              Arturo Zambrano added a comment -

              r57788: updated maven pom.xml files to use https in dependency repository URLs

              r57789: updated ant maven build script to use https in dependency repository URLs

              Show
              Arturo Zambrano added a comment - r57788: updated maven pom.xml files to use https in dependency repository URLs r57789: updated ant maven build script to use https in dependency repository URLs
              Hide
              Permalink
              Arturo Zambrano added a comment -

              r57784: updated maven pom.xml files to use https in URLs, including URLs in namespaces

              Show
              Arturo Zambrano added a comment - r57784: updated maven pom.xml files to use https in URLs, including URLs in namespaces
              Hide
              Permalink
              Arturo Zambrano added a comment -

              r53218, r53219: removed the krysalis jCharts library from the showcase pom file, since this library is no longer used by the components or by the showcase application (committed to the trunk and the P02 tag)

              Show
              Arturo Zambrano added a comment - r53218, r53219: removed the krysalis jCharts library from the showcase pom file, since this library is no longer used by the components or by the showcase application (committed to the trunk and the P02 tag)
              Hide
              Permalink
              Arturo Zambrano added a comment - - edited

              r53222, r53223: Added JAXB API jar to avoid build-time errors with JDK 11 (committed to trunk and P02 tag)

              Starting from Java 9, the JAXB API were moved out of Java SE, because they are considered part of Java EE. So, we're adding this jar, specifically for the mobi codebase, to be able to compile correctly on Java 9 and above. This doesn't affect anything when compiling with Java 8.

              https://stackoverflow.com/questions/43574426/how-to-resolve-java-lang-noclassdeffounderror-javax-xml-bind-jaxbexception-in-j

              Show
              Arturo Zambrano added a comment - - edited r53222, r53223: Added JAXB API jar to avoid build-time errors with JDK 11 (committed to trunk and P02 tag) Starting from Java 9, the JAXB API were moved out of Java SE, because they are considered part of Java EE. So, we're adding this jar, specifically for the mobi codebase, to be able to compile correctly on Java 9 and above. This doesn't affect anything when compiling with Java 8. https://stackoverflow.com/questions/43574426/how-to-resolve-java-lang-noclassdeffounderror-javax-xml-bind-jaxbexception-in-j

                People

                • Assignee:
                  Arturo Zambrano
                  Reporter:
                  Judy Guglielmin
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  3 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: