[RESTEASY-3467] Upgrade mime4j to version 0.8.11

Type: Component Upgrade
Resolution: Done
Priority: Major
Fix Version/s: 6.2.8.Final, 7.0.0.Alpha1, 5.0.10.Final
Affects Version/s: 5.0.9.Final
Component/s: None
Labels:
None

Git Pull Request:
https://github.com/resteasy/resteasy/pull/4081, https://github.com/resteasy/resteasy/pull/4083, https://github.com/resteasy/resteasy/pull/4086

Tag: https://github.com/apache/james-mime4j/releases/tag/apache-mime4j-project-0.8.11
Diff: https://github.com/apache/james-mime4j/compare/apache-mime4j-project-0.8.10...apache-mime4j-project-0.8.11

[[INFO] |  |  \- org.jboss.resteasy:resteasy-multipart-provider:jar:5.0.9.Final:compile
[INFO] |  |     +- org.apache.james:apache-mime4j-dom:jar:0.8.9:compile
[INFO] |  |     |  \- org.apache.james:apache-mime4j-core:jar:0.8.9:compile
[INFO] |  |     \- org.apache.james:apache-mime4j-storage:jar:0.8.9:compile

resteasy-multipart-provider:jar:5.0.9.Final depends upon a version of mime4j which appears to be vulnerable, see
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-21742
https://lists.apache.org/thread/nrqzg93219wdj056pqfszsd33dc54kfy

clones

RESTEASY-3274 Upgrade mime4j to a more recent version

Resolved

Federico Grilli (Inactive) added a comment - 2024/03/13 3:09 PM

jperkins-rhn if you could backport it to 5.0.x that would be great, as we can't upgrade to resteasy 6.x at the moment. Otherwise, we can certainly manage apache-mime-4j ourselves. Thank you.

Federico Grilli (Inactive) added a comment - 2024/03/13 3:09 PM jperkins-rhn if you could backport it to 5.0.x that would be great, as we can't upgrade to resteasy 6.x at the moment. Otherwise, we can certainly manage apache-mime-4j ourselves. Thank you.

James Perkins added a comment - 2024/03/13 2:53 PM

fgrilli Is this a request to add this to 5.0 as well? I haven't been updating that branch much or doing releases, but if it's needed I can do that. The other option would be to exclude the dependency from org.jboss.resteasy:resteasy-multipart-provider and add the org.apache.james:apache-mime4j-*:0.8.10 dependencies to your POM.

James Perkins added a comment - 2024/03/13 2:53 PM fgrilli Is this a request to add this to 5.0 as well? I haven't been updating that branch much or doing releases, but if it's needed I can do that. The other option would be to exclude the dependency from org.jboss.resteasy:resteasy-multipart-provider and add the org.apache.james:apache-mime4j-*:0.8.10 dependencies to your POM.

Assignee:: James Perkins

Reporter:: Federico Grilli (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Created:: 2024/03/13 2:36 PM

Updated:: 2024/03/21 1:22 AM

Resolved:: 2024/03/21 1:22 AM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

Collapse comment: Federico Grilli (Inactive) added a comment - 2024/03/13 3:09 PM

Expand comment: Federico Grilli (Inactive) added a comment - 2024/03/13 3:09 PM

Collapse comment: James Perkins added a comment - 2024/03/13 2:53 PM

Expand comment: James Perkins added a comment - 2024/03/13 2:53 PM

People

Dates