
No longer maintained net.sourceforge.nekohtml with known security issues #13286

Closed
vfarek opened this issue Jun 6, 2023 · 1 comment
Labels: in: build (An issue in the build), type: bug (A general bug)

vfarek commented Jun 6, 2023

Expected Behavior

It would be ideal if we could migrate to the updated fork of the library https://github.com/sparklemotion/nekohtml, which addresses the high-impact DoS vulnerability and has more potential to stay up to date should any more sec advisories be issued.

Current Behavior

spring-security-dependencies defines the dependency net.sourceforge.nekohtml:nekohtml:1.9.22, which is no longer being maintained (since 2014) and includes several reported vulnerabilities that are not being looked into, as per: https://security.snyk.io/package/maven/net.sourceforge.nekohtml:nekohtml

Context

As part of hardening processes, regular updates and best practices, we are trying to keep our dependencies on the supported and up-to-date versions in our products, but since net.sourceforge.nekohtml:nekohtml is included with spring-security, we cannot directly influence this and hence I have created this enhancement for consideration.

Creating this as an enhancement, as the security issues do not lie directly with spring-security and are already disclosed anyway for the sourceforge fork of nekohtml.

@vfarek vfarek added status: waiting-for-triage An issue we've not yet triaged type: enhancement A general enhancement labels Jun 6, 2023
@marcusdacoregio marcusdacoregio self-assigned this Jun 6, 2023
@marcusdacoregio marcusdacoregio added in: build An issue in the build type: bug A general bug and removed status: waiting-for-triage An issue we've not yet triaged type: enhancement A general enhancement labels Jun 6, 2023
@marcusdacoregio marcusdacoregio added this to the 6.0.4 milestone Jun 6, 2023
marcusdacoregio (Contributor) commented

Hi @vfarek, this dependency was being used by the deprecated and now removed spring-security-openid module. Therefore, I'll remove that dependency entirely for the 6.x line. I don't think we want to do any dependency changes in a deprecated module for now, unless it is really needed.
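Because spring-security-dependencies is a BOM that only pins versions, the artifact reaches an application's classpath only when some module declares it (here the removed spring-security-openid module). The script below is an added example, not code from the issue or from Spring Security: it walks a `mvn dependency:tree` listing (a constructed sample with made-up module versions) and reports every path from the project root down to the unmaintained artifact, so a defender can see which module pulls it in.

```python
import re
from typing import List, Tuple

# Constructed sample of `mvn dependency:tree` output (assumption: classic Maven tree
# layout, "[INFO] " prefix, three characters of tree drawing per nesting level).
SAMPLE_TREE = """\
[INFO] com.example:app:jar:1.0
[INFO] +- org.springframework.security:spring-security-openid:jar:5.8.0:compile
[INFO] |  \\- net.sourceforge.nekohtml:nekohtml:jar:1.9.22:compile
[INFO] |     \\- xerces:xercesImpl:jar:2.12.2:compile
[INFO] \\- org.springframework.security:spring-security-web:jar:5.8.0:compile
"""

UNMAINTAINED = "net.sourceforge.nekohtml:nekohtml"  # group:artifact flagged in the issue
TREE_PREFIX = "[INFO] "
LEVEL_WIDTH = 3
# group:artifact:type:version (the optional ":scope" suffix is ignored)
COORD_RE = re.compile(r"[\w.-]+:[\w.-]+:[\w.-]+:[\w.-]+")


def parse_tree(text: str) -> List[Tuple[int, str]]:
    """Return (depth, 'group:artifact:version') for every node in the tree."""
    nodes: List[Tuple[int, str]] = []
    for line in text.splitlines():
        if not line.startswith(TREE_PREFIX):
            continue
        body = line[len(TREE_PREFIX):]
        m = COORD_RE.search(body)
        if not m:
            continue
        depth = m.start() // LEVEL_WIDTH  # tree-drawing prefix width encodes nesting
        group, artifact, _type, version = m.group(0).split(":")
        nodes.append((depth, f"{group}:{artifact}:{version}"))
    return nodes


def find_unmaintained(text: str, ga: str = UNMAINTAINED) -> List[str]:
    """Return one 'root > ... > offender' path per occurrence of the artifact."""
    hits: List[str] = []
    stack: List[str] = []  # ancestors of the current node, one entry per depth
    for depth, coord in parse_tree(text):
        del stack[depth:]  # pop back to this node's parent level
        stack.append(coord)
        if coord.rsplit(":", 1)[0] == ga:
            hits.append(" > ".join(stack))
    return hits


if __name__ == "__main__":
    for path in find_unmaintained(SAMPLE_TREE):
        print("unmaintained artifact on classpath via:", path)
```

Feeding the real `mvn dependency:tree` output into `find_unmaintained` gives an empty list once no module declares the artifact, which is the state the 6.x line reaches after the removal described above.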
