Address CVEs

- CVE-2024-6763: addressed by upgrading ring to 1.13.0, which upgraded jetty from 11.0.20 to 11.0.24 - CVE-2024-8184: suppressed, as it doesn't impact our usage of jetty - CVE-2024-45772: suppressed, as it doesn't impact our usage of lucene
clojars · Oct 27, 2024 · 4c461c4 · 4c461c4
1 parent 4dc6451
commit 4c461c4
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 4 deletions.
diff --git a/.nvd-suppressions.xml b/.nvd-suppressions.xml
@@ -26,6 +26,7 @@
    <packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@.*$</packageUrl>
    <cve>CVE-2022-1471</cve>
   </suppress>
+
   <suppress>
      <notes><![CDATA[
      This CVE only impacts programs using Clojure < 1.9.0, and gets reported for any jar
@@ -35,4 +36,22 @@
      <cve>CVE-2017-20189</cve>
   </suppress>
 
+  <suppress>
+     <notes><![CDATA[
+     This CVE only impacts usage of Jetty's HttpURI directly, and we don't use it. We can't
+     upgrade to get rid of this CVE as it requires upgrading to Jetty 12, which ring does not
+     yet support (we are are 11 currently).
+     ]]></notes>
+     <cve>CVE-2024-6763</cve>
+  </suppress>
+
+<suppress>
+     <notes><![CDATA[
+     This CVE only impacts projects using http replication, which we don't do. We can't
+     upgrade to get rid of this CVE without rebuilding our indexing code, as it requires
+     upgrading to Lucene 9 (we are on 8 currently).
+     ]]></notes>
+     <cve>CVE-2024-45772</cve>
+  </suppress>
+
 </suppressions>
diff --git a/deps.edn b/deps.edn
@@ -52,9 +52,9 @@
                                   org.apache.xmlgraphics/batik-dom
                                   org.apache.xmlgraphics/batik-svggen]}
   org.apache.commons/commons-email {:mvn/version "1.5"}
-  org.apache.lucene/lucene-core {:mvn/version "8.11.1"}
-  org.apache.lucene/lucene-analyzers-common {:mvn/version "8.11.1"}
-  org.apache.lucene/lucene-queryparser {:mvn/version "8.11.1"}
+  org.apache.lucene/lucene-core {:mvn/version "8.11.4"}
+  org.apache.lucene/lucene-analyzers-common {:mvn/version "8.11.4"}
+  org.apache.lucene/lucene-queryparser {:mvn/version "8.11.4"}
   org.apache.maven/maven-model {:mvn/version "3.8.4"}
   org.apache.maven/maven-repository-metadata {:mvn/version "3.8.4"}
   ;; Override bouncycastle brought in by buddy-core to address CVE-2024-29857,
@@ -77,7 +77,7 @@
   ring/ring-core {:mvn/version "1.12.1"}
   ring/ring-defaults {:mvn/version "0.5.0"}
   ;; Audit clojars.ring-servlet-patch if updating this version!
-  ring/ring-jetty-adapter {:mvn/version "1.12.1"}
+  ring/ring-jetty-adapter {:mvn/version "1.13.0"}
   ring-jetty-component/ring-jetty-component {:mvn/version "0.3.1"}
   ring-middleware-format/ring-middleware-format {:mvn/version "0.7.5"}