View Issue Details
ID: 0042746
Type: defect
Category: [Openbravo ERP] A. Platform
Severity: minor
Reproducibility: have not tried
Date Submitted: 2020-01-08 15:15
Last Update: 2020-01-10 09:15
Reporter: alostale
View Status: public
Assigned To: alostale
Priority: normal
Resolution: fixed
Fixed in Version: 3.0PR20Q2
Status: closed
Fix in branch:
Fixed in SCM revision: f139045c1bba
Projection: none
ETA: none
Target Version:
OS: Any
Database: Any
Java version:
OS Version:
Database version:
Ant version:
Product Version:
SCM revision:
Review Assigned To: caristu
Web browser:
Modules: Core
Regression level:
Regression date:
Regression introduced in release:
Regression introduced by commit:
Triggers an Emergency Pack: No

Summary: 0042746: CVE in quartz 2.3.1

Description: Current quartz 2.3.1 has a known vulnerability (CVE-2019-13990 [1]).

Even though it is not exploitable for Openbravo, as it only has an effect when jobs are defined as XML files, we should update to the latest version.

[1] https://nvd.nist.gov/vuln/detail/2019-13990

Steps To Reproduce: Not exploitable for Openbravo (see description).

Proposed Solution: Update to the current latest version, 2.3.2, which solves the issue [1].

[1] https://github.com/quartz-scheduler/quartz/issues/467
Tags: No tags attached.
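
A check for the condition this issue describes, as an added example that is not Openbravo's or Quartz's own code: it flags core Quartz jars older than 2.3.2 and properties files that enable XML job definitions through Quartz's `XMLSchedulingDataProcessorPlugin`. The function names, the `config/quartz.properties` location and the sample tree are assumptions constructed for the example; XML jobs loaded programmatically are not detected.

```python
import re
import tempfile
from pathlib import Path

FIXED = (2, 3, 2)  # first release without the CVE, per this issue
# Quartz plugin class that loads job definitions from XML files
XML_PLUGIN = "org.quartz.plugins.xml.XMLSchedulingDataProcessorPlugin"
JAR_RE = re.compile(r"^quartz-(\d+(?:\.\d+)*)(?:[-.].*)?\.jar$")

def quartz_version(jar_name):
    """Version tuple from a core Quartz jar name, else None (e.g. quartz-jobs)."""
    m = JAR_RE.match(jar_name)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def xml_jobs_enabled(properties_text):
    """True if an uncommented org.quartz.plugin.<name>.class entry is the XML plugin."""
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        parts = re.split(r"\s*[=:]\s*|\s+", line, maxsplit=1)
        if (len(parts) == 2 and parts[0].startswith("org.quartz.plugin.")
                and parts[0].endswith(".class") and parts[1].strip() == XML_PLUGIN):
            return True
    return False

def audit(root):
    """Report Quartz jars older than FIXED and properties files enabling XML jobs."""
    root = Path(root)
    outdated = sorted(p.relative_to(root).as_posix() for p in root.rglob("quartz-*.jar")
                      if (quartz_version(p.name) or FIXED) < FIXED)
    xml_cfg = sorted(p.relative_to(root).as_posix() for p in root.rglob("*.properties")
                     if xml_jobs_enabled(p.read_text(errors="replace")))
    return {"outdated_jars": outdated, "xml_job_configs": xml_cfg}

def demo():
    """Constructed sample tree: paths and file contents are made up for the example."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "lib/runtime").mkdir(parents=True)
        (root / "config").mkdir()
        for name in ("quartz-2.3.1.jar", "quartz-2.3.2.jar", "quartz-jobs-2.3.1.jar"):
            (root / "lib/runtime" / name).touch()
        (root / "config/quartz.properties").write_text(
            "# org.quartz.plugin.old.class = " + XML_PLUGIN + "\n"
            "org.quartz.plugin.jobInitializer.class = " + XML_PLUGIN + "\n")
        return audit(root)

if __name__ == "__main__":
    print(demo())
```

An empty `xml_job_configs` list together with a non-empty `outdated_jars` list matches the situation reported here: the old jar is present but the XML job path is not configured.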

Relationships
related to feature request 0041483 closed caristu update quartz
depends on backport 0042747 3.0PR20Q1 closed alostale CVE in quartz 2.3.1

Notes
(0116696)
alostale (developer)
2020-01-08 15:27

MR: https://gitlab.com/openbravo/product/openbravo/merge_requests/31
(0116753)
hgbot (developer)
2020-01-10 08:59

Repository: erp/devel/pi
Changeset: f139045c1bba18b0abd882b62a7fc62095f973f2
Author: Asier Lostalé <asier.lostale <at> openbravo.com>
Date: Wed Jan 08 15:20:48 2020 +0100
URL: http://code.openbravo.com/erp/devel/pi/rev/f139045c1bba18b0abd882b62a7fc62095f973f2

fixed BUG-42746: CVE in quartz 2.3.1

  Updated quartz to 2.3.2 to solve reported CVE.

---
M legal/Licensing.txt
A lib/runtime/quartz-2.3.2.jar
R lib/runtime/quartz-2.3.1.jar
---
(0116755)
caristu (developer)
2020-01-10 09:15

https://gitlab.com/openbravo/product/openbravo/merge_requests/31

Issue History
Date Modified Username Field Change
2020-01-08 15:15 alostale New Issue
2020-01-08 15:15 alostale Assigned To => platform
2020-01-08 15:15 alostale Modules => Core
2020-01-08 15:15 alostale Triggers an Emergency Pack => No
2020-01-08 15:15 alostale Relationship added related to 0041483
2020-01-08 15:15 alostale Review Assigned To => caristu
2020-01-08 15:27 alostale Note Added: 0116696
2020-01-08 15:33 alostale Status new => scheduled
2020-01-08 15:33 alostale Assigned To platform => alostale
2020-01-10 08:59 hgbot Checkin
2020-01-10 08:59 hgbot Note Added: 0116753
2020-01-10 08:59 hgbot Status scheduled => resolved
2020-01-10 08:59 hgbot Resolution open => fixed
2020-01-10 08:59 hgbot Fixed in SCM revision => http://code.openbravo.com/erp/devel/pi/rev/f139045c1bba18b0abd882b62a7fc62095f973f2
2020-01-10 09:15 caristu Note Added: 0116755
2020-01-10 09:15 caristu Status resolved => closed
2020-01-10 09:15 caristu Fixed in Version => 3.0PR20Q2

