
Security fixes / dependency upgrades


bbqf

Serviio newbie

Posts: 2

Joined: Wed Jun 08, 2022 3:19 pm

Post Wed Jun 08, 2022 3:26 pm

Security fixes / dependency upgrades

Hi,

I am building a docker image of the latest serviio and with a 'docker scan' I found several suggestions of dependencies that need to be upgraded to fix High/Critical vulnerabilities (will post the full log if needed):

Issues to fix by upgrading:

Upgrade com.thoughtworks.xstream:xstream@1.4.11.1 to com.thoughtworks.xstream:xstream@1.4.19 to fix
Upgrade commons-io:commons-io@2.6 to commons-io:commons-io@2.7 to fix
Upgrade org.apache.logging.log4j:log4j-core@2.15.0 to org.apache.logging.log4j:log4j-core@2.17.1 to fix

The last one, log4j is a big one and a fix has been available for half a year by now, so it would be great to have these fixed.

atc98092


DLNA master

Posts: 5202

Joined: Fri Aug 17, 2012 10:22 pm

Location: Washington (the state)

Post Wed Jun 08, 2022 6:07 pm

Re: Security fixes / dependency upgrades

I can't speak to the first two items, but Serviio did have an upgrade because of the log4j issue. Serviio version 2.2.1 was released solely to address it.
Dan

LG NANO85 4K TV, Samsung JU7100 4K TV, Sony BDP-S3500, Sharp 4K Roku TV, Insignia Roku TV, Roku Ultra, Premiere and Stick, Nvidia Shield, Yamaha RX-V583 AVR.
Primary server: Intel i5-6400, 16 gig ram, Windows 10 Pro, 22 TB hard drive space | Test server Windows 10 Pro, AMD Phenom II X4 965, 8 gig ram

HOWTO: Enable debug logging | HOWTO: Identify media file contents

sutrus

Serviio newbie

Posts: 17

Joined: Wed May 31, 2017 7:25 pm

Post Sun Jun 12, 2022 6:02 pm

Re: Security fixes / dependency upgrades

Yes, but it turned out that the log4j patch inserted into the serviio was not effective.
Since then, several more log4j fixes have been released.

soerentsch


Serviio newbie

Posts: 14

Joined: Tue Jun 28, 2022 10:15 am

Post Fri Jul 01, 2022 2:46 pm

Re: Security fixes / dependency upgrades

+1

That's what @bbqf said!

Plus Upgrade org.freemarker:freemarker@2.3.15 to org.freemarker:freemarker@2.3.30.

The list is just the result of a 'docker scan'.
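To check an unpacked Serviio image against the scan findings quoted in this thread, here is an added example script (not from the thread or the Serviio project): it parses the "Upgrade X@old to X@new" lines into minimum fixed versions and compares them with the version embedded in each jar file name in a lib directory. The jar listing and the freemarker scan line are constructed from the posts above, not real image contents.

```python
import re
from pathlib import Path

# Constructed from the scan lines quoted in this thread (freemarker line
# rebuilt from soerentsch's post); each gives the version the scan calls fixed.
SCAN_LINES = [
    "Upgrade com.thoughtworks.xstream:xstream@1.4.11.1 to com.thoughtworks.xstream:xstream@1.4.19 to fix",
    "Upgrade commons-io:commons-io@2.6 to commons-io:commons-io@2.7 to fix",
    "Upgrade org.apache.logging.log4j:log4j-core@2.15.0 to org.apache.logging.log4j:log4j-core@2.17.1 to fix",
    "Upgrade org.freemarker:freemarker@2.3.15 to org.freemarker:freemarker@2.3.30",
]

# group:artifact@old to group:artifact@new (backrefs keep group/artifact identical)
UPGRADE_RE = re.compile(r"Upgrade (\S+?):(\S+?)@(\S+) to \1:\2@(\S+)")
# artifact-version.jar, e.g. log4j-core-2.15.0.jar
JAR_RE = re.compile(r"^(.+?)-(\d[\w.\-]*)\.jar$")


def version_key(v):
    """Numeric components of a version string: '1.4.11.1' -> [1, 4, 11, 1]."""
    return [int(x) for x in re.findall(r"\d+", v)]


def at_least(installed, minimum):
    """True when installed >= minimum, padding shorter versions with zeros."""
    a, b = version_key(installed), version_key(minimum)
    n = max(len(a), len(b))
    return a + [0] * (n - len(a)) >= b + [0] * (n - len(b))


def parse_scan(lines):
    """Map artifact -> fixed version from 'Upgrade ... to ...' scan lines."""
    minimums = {}
    for line in lines:
        m = UPGRADE_RE.search(line)
        if m:
            minimums[m.group(2)] = m.group(4)
    return minimums


def audit_jars(jar_names, minimums):
    """Return {artifact: (installed, minimum)} for jars still below the fixed version."""
    findings = {}
    for name in jar_names:
        m = JAR_RE.match(name)
        if m and m.group(1) in minimums and not at_least(m.group(2), minimums[m.group(1)]):
            findings[m.group(1)] = (m.group(2), minimums[m.group(1)])
    return findings


def audit_lib_dir(path, minimums):
    """Audit every *.jar directly inside a lib directory (assumed layout)."""
    return audit_jars([p.name for p in Path(path).glob("*.jar")], minimums)


# Constructed sample listing: two jars patched, two still on flagged versions.
SAMPLE_JARS = ["log4j-core-2.15.0.jar", "log4j-api-2.15.0.jar", "commons-io-2.7.jar",
               "xstream-1.4.11.1.jar", "freemarker-2.3.30.jar"]

if __name__ == "__main__":
    for art, (have, need) in audit_jars(SAMPLE_JARS, parse_scan(SCAN_LINES)).items():
        print(f"{art}: installed {have}, scan requires >= {need}")
```

Run audit_lib_dir against the image's lib directory after a rebuild to confirm the jars actually shipped were replaced, rather than trusting the release note alone.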
