JENKINS-28687

Spring version (2.5.x) is ancient and not compatible with many new libraries

Description

The Spring version 2.5 used in core is very old, and this makes it problematic when trying to integrate Jenkins with another component, or integrating components within Jenkins, as most things have moved way past 2.5 to 4.x.

Note - this may also require an upgrade of Groovy.

            Activity

            danielbeck Daniel Beck added a comment -

            At the same time, any upgrade of this will also be a breaking change for anything that already integrates, right?

            teilo James Nord added a comment -

Spring tries to retain backwards compatibility.

There are a few notable exceptions, so any upgrade is not without risks.

            eyoung Ethan Young added a comment -

            Upgrading the Spring framework will also resolve security issues. Specifically, CVE-2017-8046 is an expression language injection vulnerability in the Spring Data REST library v2.6.8 and earlier.

            danielbeck Daniel Beck added a comment -

            Ethan Young If you actually find a way to exploit it in Jenkins, please file an issue as described here:

            https://jenkins.io/security/#reporting-vulnerabilities

jremitz Jake Remitz added a comment - edited

Also note that CVE-2011-2730 is present with this version of Spring for spring-web-2.5.6.SEC03.jar, spring-core-2.5.6.SEC03.jar, context-support-2.5.6.SEC03.jar, and spring-context-2.5.6.SEC03.jar.

CVE-2011-0766 impacts crypto-util-1.1.jar; I'm not aware whether this is tied to Spring directly or is its own issue.

            There are also a couple of lower priority security findings that span across some of the other Spring packages of this version: CVE-2010-1622 and CVE-2013-6429.

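An added example, not part of the issue thread and not Jenkins' own code: a small Python inventory that parses jar file names of the form the comments above list (`spring-web-2.5.6.SEC03.jar`, `crypto-util-1.1.jar`) into artifact and version, and flags Spring artifacts still below a threshold version. The sample jar list is constructed (the four 2.5.6.SEC03 jars are the ones Jake names; the Groovy and Spring 4.3 entries are made up to show what passes), the `SPRING_ARTIFACTS` set and the Spring 3.0 threshold are assumptions, and the WEB-INF/lib path in `scan_directory` is an assumed location. The script does not encode a CVE-to-jar mapping; it only reports which jars are still on the 2.x line that the comments associate with the listed CVEs.

```python
"""Inventory jars in a Jenkins lib directory and flag Spring artifacts on the 2.x line."""
import re
from pathlib import Path

# Constructed sample input, not a listing from a real Jenkins install.  The first
# four names are the jars named in JENKINS-28687; the last two are made up to show
# that a non-Spring jar and a Spring 4.x jar are not flagged.
SAMPLE_JARS = [
    "spring-web-2.5.6.SEC03.jar",
    "spring-core-2.5.6.SEC03.jar",
    "context-support-2.5.6.SEC03.jar",
    "spring-context-2.5.6.SEC03.jar",
    "crypto-util-1.1.jar",
    "groovy-all-1.8.9.jar",            # constructed: not a Spring artifact
    "spring-core-4.3.30.RELEASE.jar",  # constructed: modern line, passes
]

# Assumption: artifacts treated as Spring.  "context-support" lacks the spring-
# prefix but ships at 2.5.6.SEC03 according to the thread, so it is listed explicitly.
SPRING_ARTIFACTS = {"spring-web", "spring-core", "spring-context", "context-support"}

# artifact-version.jar, where version starts with dotted digits and may carry a
# qualifier such as .SEC03 or .RELEASE.
JAR_RE = re.compile(
    r"^(?P<artifact>[A-Za-z][A-Za-z0-9_.-]*?)-"
    r"(?P<version>\d+(?:\.\d+)*(?:[.-][A-Za-z0-9]+)*)\.jar$"
)


def parse_jar(name):
    """Split 'artifact-version.jar' into (artifact, version); None if it does not fit."""
    m = JAR_RE.match(name)
    return (m.group("artifact"), m.group("version")) if m else None


def version_key(version):
    """Numeric prefix of a version string as a comparable tuple: '2.5.6.SEC03' -> (2, 5, 6)."""
    numeric = re.match(r"\d+(?:\.\d+)*", version).group(0)
    return tuple(int(part) for part in numeric.split("."))


def is_spring_artifact(artifact):
    """Spring by explicit list or by the conventional spring- prefix (assumption)."""
    return artifact in SPRING_ARTIFACTS or artifact.startswith("spring-")


def scan_lib(jar_names, min_spring=(3,)):
    """Return (artifact, version) for every Spring jar whose numeric version is below
    min_spring.  The default threshold of Spring 3.0 is an assumption; the thread only
    says 2.5.x is ancient and that the 2.5.6.SEC03 jars carry the CVEs it lists."""
    flagged = []
    for name in jar_names:
        parsed = parse_jar(name)
        if parsed is None:
            continue  # not a versioned jar name; nothing to compare
        artifact, version = parsed
        if is_spring_artifact(artifact) and version_key(version) < min_spring:
            flagged.append((artifact, version))
    return flagged


def scan_directory(lib_dir):
    """Run the same check over a real directory, e.g. the WEB-INF/lib of an exploded
    jenkins.war (assumed location; pass the path that applies to your install)."""
    return scan_lib(p.name for p in Path(lib_dir).glob("*.jar"))


if __name__ == "__main__":
    for artifact, version in scan_lib(SAMPLE_JARS):
        print(f"{artifact} {version}: still on the Spring 2.x line discussed in JENKINS-28687")
```

Running it against the sample list prints the four 2.5.6.SEC03 jars; `crypto-util-1.1.jar` is deliberately not flagged because the thread does not establish that it is a Spring artifact.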

People

Assignee: Unassigned
Reporter: teilo James Nord
Votes: 5
Watchers: 6