
Release quickfixj 2.3.2 to resolve mina vulnerability #924

Open
Cirras opened this issue Jan 6, 2025 · 9 comments

@Cirras

Cirras commented Jan 6, 2025

Is your feature request related to a problem? Please describe.

quickfixj-core has vulnerable dependency mina-core with the following CVEs:

Describe the solution you'd like

Since mina-core was upgraded in #917, releasing v2.3.2 would resolve this.

Describe alternatives you've considered

Evict/exclude the transitive mina-core dependency and provide a newer version myself.

Additional context

N/A

@chrjohn
Member

chrjohn commented Jan 7, 2025

The recent advisory mentions especially the usage of ObjectSerializationCodecFactory but QFJ does not use this but rather the DemuxingProtocolCodecFactory via FIXProtocolCodecFactory so QFJ is not affected by this. We only parse character strings and are not trying to deserialize objects.

@STEELBADGE

This library may be used in enterprise environments where strict dependency scanning requires an upgrade to a newer version even if that specific vulnerability is not on the hot path.

Is there a technical reason we can’t upgrade?

It doesn’t sound like an unreasonable ask to me.

@chrjohn
Member

chrjohn commented Jan 7, 2025

I understand, the comment was only meant as information.

It's not an unreasonable ask, just limited by personal time. ;) Please also see #774 (comment)

@STEELBADGE

Thank you for the background.

Is it at all possible to create a patched version that people could use at their own risk?

@chrisharrison

The latest version of this package is quite old, and the codebase seems to have moved on since the last release. Upgrading to the latest version of mina-core (2.2.x) will cause this package to break.

A workaround while waiting for a release of this package is to upgrade mina-core to 2.1.10, which is not reported as vulnerable and is compatible with this package.
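The workaround described above, as an added Maven example (not from the QuickFIX/J project itself): it assumes an application that depends on quickfixj-core 2.3.1 and receives mina-core only transitively, and pins that transitive version to 2.1.10 through dependencyManagement, which takes precedence over the version quickfixj-core declares.

```xml
<!-- pom.xml fragment (added example, not from the QuickFIX/J project).
     Assumption: the application depends on quickfixj-core 2.3.1 and
     only gets mina-core transitively through it. -->
<project>
  <dependencyManagement>
    <dependencies>
      <!-- Pin the transitive mina-core to the version the thread names as
           not reported vulnerable and still compatible with QFJ 2.3.1.
           A managed version overrides the one quickfixj-core pulls in. -->
      <dependency>
        <groupId>org.apache.mina</groupId>
        <artifactId>mina-core</artifactId>
        <version>2.1.10</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- The released QFJ artifact stays at 2.3.1 until 2.3.2 is published. -->
    <dependency>
      <groupId>org.quickfixj</groupId>
      <artifactId>quickfixj-core</artifactId>
      <version>2.3.1</version>
    </dependency>
  </dependencies>
</project>
```

Confirm the override took effect with `mvn dependency:tree -Dincludes=org.apache.mina`, which should show a single mina-core 2.1.10 node; the 2.2.x line is deliberately not used because the thread reports it breaks this package.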

@STEELBADGE

If we patch QFJ 2.3.1 to update mina-core to 2.1.10 would that be acceptable?

@chrjohn
Member

chrjohn commented Jan 7, 2025

That would work. Working on the 2.3.2 release now, should be out in the coming days.

@chrjohn chrjohn added this to the QFJ 2.3.2 milestone Jan 7, 2025
@chrjohn chrjohn self-assigned this Jan 7, 2025
@STEELBADGE

The financial markets thank you for your service!

@chrjohn
Member

chrjohn commented Jan 7, 2025

Well, you're welcome. ;)
