Update Spring to 5.3.39 to fix CVE-2024-38808. Require commons-config…

…uration2 2.11.0 to fix CVE-2024-29131 and CVE-2024-29133. Hadoop pulls this dependency in. (#4874) Signed-off-by: David Venable <dlv@amazon.com>
opensearch-project · Aug 26, 2024 · 9244818 · 9244818
1 parent 0a26f59
commit 9244818
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 1 deletion.
diff --git a/build.gradle b/build.gradle
@@ -91,6 +91,12 @@ subprojects {
                 }
                 because 'Fixes CVE-2023-39410.'
             }
+            implementation('org.apache.commons:commons-configuration2') {
+                version {
+                    require '2.11.0'
+                }
+                because 'Fixes CVE-2024-29131 and CVE-2024-29133.'
+            }
             implementation('org.apache.httpcomponents:httpclient') {
                 version {
                     require '4.5.14'

diff --git a/settings.gradle b/settings.gradle
@@ -46,7 +46,7 @@ dependencyResolutionManagement {
             version('opensearch', '1.3.14')
             library('opensearch-client', 'org.opensearch.client', 'opensearch-rest-client').versionRef('opensearch')
             library('opensearch-rhlc', 'org.opensearch.client', 'opensearch-rest-high-level-client').versionRef('opensearch')
-            version('spring', '5.3.28')
+            version('spring', '5.3.39')
             library('spring-core', 'org.springframework', 'spring-core').versionRef('spring')
             library('spring-context', 'org.springframework', 'spring-context').versionRef('spring')
             version('bouncycastle', '1.78.1')