
2.5.2

@hezhangjian hezhangjian released this 12 Feb 05:55

About CVE-2024-57699

Thanks to @ccudennec-otto for the following remarks on the CVE; more discussion in #236.

  • As mentioned here, it is quite unlikely that the vulnerability is exploited if you come here because of Spring Security / com.nimbusds:oauth2-oidc-sdk.
  • The code changes for the upcoming release will "only" fix the default modes provided by JSONParser, e.g. MODE_RFC4627.
  • If you create the JSONParser manually / with custom options, make sure you set the option LIMIT_JSON_DEPTH.
    • Since that's what "connect2id" is doing in their library, they were responsible for fixing it. They've already provided a new 11.x release that fixes the JSONParser setup on their side, i.e. you need their fixed version rather than version 2.5.2 of json-smart.
    • As stated here, they would also need to backport the fix to the versions that Spring Security needs, IMHO.
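
The remark about hand-built parsers is the one most easily missed, so here is an added example (written for these notes, not code from json-smart or from connect2id) showing what "make sure you set LIMIT_JSON_DEPTH" looks like in practice. It uses only the public `JSONParser` constructor, the `MODE_RFC4627` and `LIMIT_JSON_DEPTH` flags named above, and `parse(String)`; the class and method names, the nesting depth of the constructed payload, and the second parser with the flag deliberately cleared (to mimic a parser built without the guard) are assumptions for the demonstration.

```java
import net.minidev.json.parser.JSONParser;
import net.minidev.json.parser.ParseException;

public class DepthLimitDemo {

    // Constructed payload: an array nested `depth` levels deep and properly closed.
    // Every '[' costs the parser one recursion frame, so without a depth guard a
    // large enough value exhausts the thread stack instead of producing a ParseException.
    static String deeplyNested(int depth) {
        StringBuilder sb = new StringBuilder(depth * 2);
        for (int i = 0; i < depth; i++) {
            sb.append('[');
        }
        for (int i = 0; i < depth; i++) {
            sb.append(']');
        }
        return sb.toString();
    }

    // Describes how a given parser handles the payload. Catching StackOverflowError is
    // only done here to make the unguarded failure mode visible; production code should
    // never rely on catching it.
    static String tryParse(JSONParser parser, String json) {
        try {
            parser.parse(json);
            return "parsed";
        } catch (ParseException e) {
            // With LIMIT_JSON_DEPTH set this is the controlled outcome: the parser
            // rejects the document once nesting exceeds its limit.
            return "rejected: " + e.getMessage();
        } catch (StackOverflowError e) {
            // Without the guard the JVM thread stack is exhausted (the CVE's DoS).
            return "stack overflow";
        }
    }

    public static void main(String[] args) {
        // Assumed depth; raise it if your JVM runs with a larger thread stack.
        String payload = deeplyNested(100_000);

        // Hand-built parser: the mode flags are exactly what you pass, so the depth
        // guard must be OR-ed in explicitly rather than assumed.
        JSONParser guarded =
                new JSONParser(JSONParser.MODE_RFC4627 | JSONParser.LIMIT_JSON_DEPTH);
        System.out.println("guarded:   " + tryParse(guarded, payload));

        // Same mode with the guard cleared, standing in for a parser created with custom
        // options that forgot LIMIT_JSON_DEPTH (or a predefined mode from a pre-2.5.2 build).
        JSONParser unguarded =
                new JSONParser(JSONParser.MODE_RFC4627 & ~JSONParser.LIMIT_JSON_DEPTH);
        System.out.println("unguarded: " + tryParse(unguarded, payload));
    }
}
```

The practical check is therefore not just the json-smart version on the classpath but every place a `JSONParser` is constructed with an explicit mode, including inside libraries such as oauth2-oidc-sdk that build their own parser; if any of those omits `LIMIT_JSON_DEPTH`, upgrading json-smart alone does not close the hole, which is the point of the remark about needing connect2id's fixed release.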

What's Changed

  • fix CVE-2024-57699 for predefined parsers by @ccudennec-otto in #233
  • update maintainer github id and email by @hezhangjian in #234
  • Bump org.apache.maven.plugins:maven-source-plugin from 3.3.0 to 3.3.1 in /json-smart-action by @dependabot in #189
  • Bump org.apache.maven.plugins:maven-gpg-plugin from 3.1.0 to 3.2.4 in /json-smart-action by @dependabot in #190
  • Bump org.apache.maven.plugins:maven-jar-plugin from 3.3.0 to 3.4.1 in /json-smart-action by @dependabot in #191
  • Bump org.apache.maven.plugins:maven-gpg-plugin from 3.1.0 to 3.2.4 in /json-smart by @dependabot in #194
  • Bump org.apache.maven.plugins:maven-jar-plugin from 3.3.0 to 3.4.1 in /json-smart by @dependabot in #193
  • Bump org.apache.maven.plugins:maven-source-plugin from 3.3.0 to 3.3.1 in /json-smart by @dependabot in #192
  • Bump org.apache.maven.plugins:maven-compiler-plugin from 3.12.1 to 3.13.0 in /json-smart by @dependabot in #188
  • Bump org.apache.maven.plugins:maven-compiler-plugin from 3.12.1 to 3.13.0 in /json-smart-action by @dependabot in #185
  • Bump org.apache.maven.plugins:maven-javadoc-plugin from 3.6.3 to 3.7.0 in /json-smart-action by @dependabot in #196
  • Bump org.apache.maven.plugins:maven-javadoc-plugin from 3.6.3 to 3.7.0 in /json-smart by @dependabot in #197
  • Bump org.apache.maven.plugins:maven-jar-plugin from 3.4.1 to 3.4.2 in /json-smart-action by @dependabot in #198
  • Bump org.apache.maven.plugins:maven-release-plugin from 3.0.1 to 3.1.0 in /json-smart-action by @dependabot in #200
  • Bump junit.version from 5.10.2 to 5.10.3 in /json-smart-action by @dependabot in #199
  • Bump junit.version from 5.10.2 to 5.10.3 in /json-smart by @dependabot in #201
  • Bump org.apache.maven.plugins:maven-jar-plugin from 3.4.1 to 3.4.2 in /json-smart by @dependabot in #203
  • Bump org.apache.maven.plugins:maven-release-plugin from 3.0.1 to 3.1.0 in /json-smart by @dependabot in #202
  • Bump org.apache.maven.plugins:maven-release-plugin from 3.1.0 to 3.1.1 in /json-smart by @dependabot in #205
  • Bump org.apache.maven.plugins:maven-javadoc-plugin from 3.7.0 to 3.8.0 in /json-smart by @dependabot in #206
  • Bump org.apache.maven.plugins:maven-javadoc-plugin from 3.7.0 to 3.8.0 in /json-smart-action by @dependabot in #207
  • Bump org.apache.maven.plugins:maven-release-plugin from 3.1.0 to 3.1.1 in /json-smart-action by @dependabot in #208
  • Bump org.apache.maven.plugins:maven-javadoc-plugin from 3.8.0 to 3.10.0 in /json-smart by @dependabot in #214
  • Bump junit.version from 5.10.3 to 5.11.0 in /json-smart by @dependabot in #213
  • Bump org.apache.maven.plugins:maven-gpg-plugin from 3.2.4 to 3.2.5 in /json-smart by @dependabot in #212
  • Bump org.apache.maven.plugins:maven-javadoc-plugin from 3.8.0 to 3.10.0 in /json-smart-action by @dependabot in #211
  • Bump junit.version from 5.10.3 to 5.11.0 in /json-smart-action by @dependabot in #210
  • Bump org.apache.maven.plugins:maven-gpg-plugin from 3.2.4 to 3.2.5 in /json-smart-action by @dependabot in #209
  • Bump junit.version from 5.11.0 to 5.11.1 in /json-smart-action by @dependabot in #219
  • Bump junit.version from 5.11.0 to 5.11.1 in /json-smart by @dependabot in #216
  • Bump org.apache.maven.plugins:maven-gpg-plugin from 3.2.5 to 3.2.7 in /json-smart-action by @dependabot in #218
  • Bump org.apache.maven.plugins:maven-gpg-plugin from 3.2.5 to 3.2.7 in /json-smart by @dependabot in #217
  • update version and dates. by @UrielCh in #220
  • Bump junit.version from 5.11.2 to 5.11.3 in /json-smart by @dependabot in #222
  • Bump junit.version from 5.11.2 to 5.11.3 in /json-smart-action by @dependabot in #221
  • Bump org.apache.maven.plugins:maven-javadoc-plugin from 3.10.1 to 3.11.1 in /json-smart by @dependabot in #226
  • Bump org.apache.maven.plugins:maven-javadoc-plugin from 3.10.1 to 3.11.1 in /json-smart-action by @dependabot in #224
  • Bump org.apache.maven.plugins:maven-javadoc-plugin from 3.11.1 to 3.11.2 in /json-smart-action by @dependabot in #231
  • Bump org.apache.maven.plugins:maven-javadoc-plugin from 3.11.1 to 3.11.2 in /json-smart by @dependabot in #229
  • Bump junit.version from 5.11.3 to 5.11.4 in /json-smart-action by @dependabot in #230
  • Bump junit.version from 5.11.3 to 5.11.4 in /json-smart by @dependabot in #228

Full Changelog: 2.5.1...2.5.2