1. No, these dependencies were not updated as part of the 2.9.0 release.
2. An update would come either in a 2.9.x bugfix release, or in 2.10 - the 3.x release is going to be structured differently enough that none of these will be present.
3. At a quick glance, it appears to be an oversight that protobuf is included in gwt-servlet, and it can be entirely removed. I believe this is likely a false positive if it is not used, since it gets a custom package, so it will not interfere with other protobuf dependencies.

Can you share the full report you obtained so we can confirm that #3 is true, and file an issue with all the details? I'll start work on confirming we can remove it from gwt-servlet, and after we are certain about these issues we'll look into making a release.
On Monday, June 29, 2020 at 5:57:41 AM UTC-5 [email protected] wrote:

> Hi All,
>
> Security vulnerabilities have been detected in gwt-dev.jar & gwt-servlet.jar (in release 2.8.2) and are reported by the Dependency-Check tool <https://jeremylong.github.io/DependencyCheck/>.
>
> Below are the details -
>
> Gwt-dev.jar -
> 1.1 Vulnerable version of jetty library (current version - 9.2.14, available version - 9.2.27+)
> 1.2 Vulnerable version of commons-collections (current version - 3.2.1)
> 1.3 Vulnerable version of org.apache.httpcomponents:httpclient (current version - 4.3.1)
> 1.4 Vulnerable version of Google Protobuf (current version - 2.5.0, available version - 3.4.0)
> 1.5 Vulnerable version of htmlunit (current version - 2.19, available version - 2.37)
>
> Gwt-servlet.jar -
> 1.1 Vulnerable version of Google Protobuf (current version - 2.5.0, available version - 3.4.0)
>
> Given the above vulnerabilities -
> 1. Are those security issues addressed in the latest 2.9.0 release?
> 2. If no, is there a plan to include them in any future release, say 3.x?
> 3. As we know that gwt-dev.jar is used for development purposes & can be flagged as a false positive, are there still any attack surfaces?
>

-- 
You received this message because you are subscribed to the Google Groups "GWT 
Users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/google-web-toolkit/3c7a79d4-7ce4-4000-bb50-e040f2110bden%40googlegroups.com.
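To confirm point 3 of the reply (whether the protobuf classes in a jar sit under a custom package, so the scanner match is a relocation false positive rather than an unshaded copy that shares a namespace with other protobuf dependencies), here is an added Python check; it is not from the thread or the GWT project, and the jar contents and the `com/google/gwt/thirdparty/protobuf` path are constructed assumptions, not GWT's real layout.

```python
import io
import zipfile
from collections import defaultdict

# Unrelocated protobuf package path. Classes here are a real protobuf-java copy that
# shares a namespace with any other protobuf on the classpath; classes under any
# other prefix were relocated ("shaded") and do not interfere with them.
STANDARD_PREFIX = "com/google/protobuf"

def protobuf_class_packages(jar_bytes):
    """Map package path -> number of .class entries whose path mentions protobuf."""
    counts = defaultdict(int)
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.endswith(".class") and "protobuf" in name.lower():
                counts[name.rpartition("/")[0]] += 1
    return dict(counts)

def assess(jar_bytes):
    """Return ('none' | 'standard' | 'relocated', packages) for a jar.

    'standard'  -> an unrelocated copy is present: treat the finding as real.
    'relocated' -> only renamed copies: the scanner match is a naming collision
                   unless that package is actually reachable at runtime.
    """
    pkgs = protobuf_class_packages(jar_bytes)
    if not pkgs:
        return "none", pkgs
    if any(p == STANDARD_PREFIX or p.startswith(STANDARD_PREFIX + "/") for p in pkgs):
        return "standard", pkgs
    return "relocated", pkgs

def build_sample_jar(entries):
    """Build an in-memory jar from entry names (constructed test input, not a GWT artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name in entries:
            jar.writestr(name, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()

# Constructed samples; the relocated path is an assumed example, not GWT's real one.
RELOCATED_JAR = build_sample_jar(["com/google/gwt/thirdparty/protobuf/Message.class",
                                  "com/google/gwt/user/server/rpc/RPC.class"])
STANDARD_JAR = build_sample_jar(["com/google/protobuf/Message.class"])

if __name__ == "__main__":
    for label, data in (("relocated", RELOCATED_JAR), ("standard", STANDARD_JAR)):
        print(label, assess(data))
```

Dependency-Check also keys on packaging evidence such as `META-INF/maven/*/pom.properties`, so a relocated copy can still be flagged; this class-path check tells you whether the flag is a naming match or an unrelocated dependency that another protobuf on the classpath would actually collide with.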