[DIRMINA-1182] Is there any plan to fix the dependent vulnerabilities of Spring Framework 2.5.6.SEC03? - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Wish
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 2.2.3, 2.1.8
Fix Version/s: 2.2.4, 2.0.27, 2.1.10
Component/s: None
Labels:
None

Description

Hello, we found that Apache MINA 2.2.3 and 2.1.8 both depends on spring 2.5.6.SEC03(corresponding to Spring Framework software), which is a very old version (released on Sep 09, 2011) and has been EOL and also can not find source code package.

It seems that spring 2.5.6.SEC03 have some vulnerabilities(this artifact was moved to spring-core and spring-core 2.5.6.SEC03 have vulnerabilities).

https://mvnrepository.com/artifact/org.springframework/spring

https://mvnrepository.com/artifact/org.springframework/spring-core/2.5.6.SEC03

Does these vulnerability affect Apache MINA? If yes, can I ask if there are any plans of Apache MINA community to adapt to the new version of Spring Framework to fix these vulnerabilities?

Thanks.

The detailed dependencies are as follows:

mina-integration-xbean 2.2.3/2.1.8 ---> spring 2.5.6.SEC03

mina-example 2.2.3/2.1.8 ---> spring 2.5.6.SEC03

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

image-2024-10-08-22-47-47-371.png
08/Oct/24 14:47
16 kB
Yuanhua Han
image-2024-10-08-22-49-52-441.png
08/Oct/24 14:49
36 kB
Yuanhua Han
image-2024-10-08-22-54-11-235.png
08/Oct/24 14:54
36 kB
Yuanhua Han
image-2024-10-28-10-53-37-111.png
28/Oct/24 02:53
60 kB
Yuanhua Han
image-2024-10-28-10-54-19-751.png
28/Oct/24 02:54
60 kB
Yuanhua Han

Activity

People

Assignee:: Unassigned

Reporter:: Yuanhua Han

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 08/Oct/24 14:57

Updated:: 28/Oct/24 11:48

Resolved:: 26/Oct/24 00:55