February 27, 2024
FLEXDEPLOY-11330 - The Postgres JDBC driver that ships in the FlexDeploy zip is vulnerable to CVE-2024-1597. This vulnerability requires conditions that are not met by FlexDeploy, so FlexDeploy is not affected. However, this jar will be updated in future versions.
FLEXDEPLOY-11327 - Jackson-databind through 2.15.2 is affected by CVE-2023-35116 and allows attackers to cause a denial of service or other unspecified impact via a crafted object that uses cyclic dependencies. NOTE: the vendor's perspective is that this is not a valid vulnerability report, because the steps of constructing a cyclic data structure and trying to serialize it cannot be achieved by an external attacker. A newer version will be included in FlexDeploy 8.0.0.0 and in the 7.0.0.4 plugins that use Java 8.
FLEXDEPLOY-11326 - Commons Compress versions that are vulnerable to CVE-2024-26308 and CVE-2024-25710 are included in FlexDeploy and may also be included in FlexDeploy plugins. Version 8.0.0.0 and the 7.0.0.4 plugins will be upgraded to resolve these vulnerabilities.
FLEXDEPLOY-11325 - The version of TestNG that is bundled in the groovy plugin is vulnerable to CVE-2022-4065. This is remedied in 7.0.0.4 and 8.0.0.0.
January 19, 2024
The versions of Tomcat that shipped with FlexDeploy versions earlier than 5.7 are affected by CVE-2023-21733. If this affects you, update FlexDeploy to a newer version such as 6.5.0.14 or 7.0.0.2.
...