GUACAMOLE-1806: Update Java dependencies to patched versions

These changes should address the following (potentially relevant) vulnerabilities: - CVE-2022-21724 - CVE-2022-26520 - CVE-2022-31197 - CVE-2022-40151 - CVE-2022-40152 - CVE-2022-41946 - CVE-2023-20861 - CVE-2023-20862 - CVE-2023-20863 - GHSA-673j-qm5f-xpv8
2025-09-06 05:07:41 +00:00 · 2023-06-09 22:26:42 +02:00
parent 4290c378c8
commit 846c507ba7
13 changed files with 33 additions and 16 deletions
--- a/doc/licenses/spring-framework-5.3.25/dep-coordinates.txt
+++ b/doc/licenses/spring-framework-5.3.25/dep-coordinates.txt
@@ -1,7 +0,0 @@
-org.springframework:spring-aop:jar:5.3.25
-org.springframework:spring-beans:jar:5.3.25
-org.springframework:spring-context:jar:5.3.25
-org.springframework:spring-core:jar:5.3.25
-org.springframework:spring-expression:jar:5.3.25
-org.springframework:spring-jcl:jar:5.3.25
-org.springframework:spring-web:jar:5.3.25
--- a/doc/licenses/spring-framework-5.3.27/README
+++ b/doc/licenses/spring-framework-5.3.27/README
@@ -1,7 +1,7 @@
 Spring Framework (https://spring.io/projects/spring-framework)
 --------------------------------------------------------------

-    Version: 5.3.25
+    Version: 5.3.27
    From: 'Spring' (https://spring.io/)
    License(s):
        Apache v2.0
--- a/doc/licenses/spring-framework-5.3.27/dep-coordinates.txt
+++ b/doc/licenses/spring-framework-5.3.27/dep-coordinates.txt
@@ -0,0 +1,7 @@
+org.springframework:spring-aop:jar:5.3.27
+org.springframework:spring-beans:jar:5.3.27
+org.springframework:spring-context:jar:5.3.27
+org.springframework:spring-core:jar:5.3.27
+org.springframework:spring-expression:jar:5.3.27
+org.springframework:spring-jcl:jar:5.3.27
+org.springframework:spring-web:jar:5.3.27
--- a/doc/licenses/spring-security-5.8.2/dep-coordinates.txt
+++ b/doc/licenses/spring-security-5.8.2/dep-coordinates.txt
@@ -1,3 +0,0 @@
-org.springframework.security:spring-security-core:jar:5.8.2
-org.springframework.security:spring-security-crypto:jar:5.8.2
-org.springframework.security:spring-security-web:jar:5.8.2
--- a/doc/licenses/spring-security-5.8.3/NOTICE
+++ b/doc/licenses/spring-security-5.8.3/NOTICE
--- a/doc/licenses/spring-security-5.8.3/README
+++ b/doc/licenses/spring-security-5.8.3/README
@@ -1,7 +1,7 @@
 Spring Security (https://spring.io/projects/spring-security)
 ------------------------------------------------------------

-    Version: 5.8.2
+    Version: 5.8.3
    From: 'Spring' (https://spring.io/)
    License(s):
        Apache v2.0
--- a/doc/licenses/spring-security-5.8.3/dep-coordinates.txt
+++ b/doc/licenses/spring-security-5.8.3/dep-coordinates.txt
@@ -0,0 +1,3 @@
+org.springframework.security:spring-security-core:jar:5.8.3
+org.springframework.security:spring-security-crypto:jar:5.8.3
+org.springframework.security:spring-security-web:jar:5.8.3
--- a/doc/licenses/woodstox-core-5.2.1/dep-coordinates.txt
+++ b/doc/licenses/woodstox-core-5.2.1/dep-coordinates.txt
@@ -1 +0,0 @@
-com.fasterxml.woodstox:woodstox-core:jar:5.2.1
--- a/doc/licenses/woodstox-core-5.4.0/README
+++ b/doc/licenses/woodstox-core-5.4.0/README
@@ -1,7 +1,7 @@
 Woodstox Core (https://github.com/FasterXML/woodstox)
 ------------------------------------------------------

-    Version: 5.2.1
+    Version: 5.4.0
    From: 'FasterXML, LLC' (http://fasterxml.com/)
    License(s):
        Apache v2.0
--- a/doc/licenses/woodstox-core-5.4.0/dep-coordinates.txt
+++ b/doc/licenses/woodstox-core-5.4.0/dep-coordinates.txt
@@ -0,0 +1 @@
+com.fasterxml.woodstox:woodstox-core:jar:5.4.0
--- a/extensions/guacamole-auth-json/pom.xml
+++ b/extensions/guacamole-auth-json/pom.xml
@@ -77,7 +77,7 @@
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-web</artifactId>
-            <version>5.8.2</version>
+            <version>5.8.3</version>
        </dependency>

    </dependencies>
--- a/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-saml/pom.xml
+++ b/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-saml/pom.xml
@@ -74,6 +74,23 @@
            <groupId>com.onelogin</groupId>
            <artifactId>java-saml</artifactId>
            <version>2.9.0</version>
+            <!--
+                Replace vulnerable version of Woodstox until upstream
+                releases a version with fixed dependencies
+            -->
+            <exclusions>
+                <exclusion>
+                    <groupId>com.fasterxml.woodstox</groupId>
+                    <artifactId>woodstox-core</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
+
+        <!-- Woodstox -->
+        <dependency>
+            <groupId>com.fasterxml.woodstox</groupId>
+            <artifactId>woodstox-core</artifactId>
+            <version>5.4.0</version>
        </dependency>

    </dependencies>
--- a/guacamole-docker/bin/build-guacamole.sh
+++ b/guacamole-docker/bin/build-guacamole.sh
@@ -97,7 +97,7 @@ tar -xz                        \
 #

 echo "Downloading PostgreSQL JDBC driver ..."
-curl -L "https://jdbc.postgresql.org/download/postgresql-42.2.24.jre7.jar" > "$DESTINATION/postgresql/postgresql-42.2.24.jre7.jar"
+curl -L "https://jdbc.postgresql.org/download/postgresql-42.3.8.jar" > "$DESTINATION/postgresql/postgresql-42.3.8.jar"

 #
 # Copy SSO auth extensions
				`@@ -1 +0,0 @@`
				`com.fasterxml.woodstox:woodstox-core:jar:5.2.1`
				`@@ -0,0 +1 @@`
				`com.fasterxml.woodstox:woodstox-core:jar:5.4.0`