Security issue with commons-text provided by katello candlepin = 4.2.3-1.el8

Problem:
commons-text-1.9.jar is not secure anymore according to CVE-2022-42889

Expected outcome:
candlepin using commons-text-1.10.jar or later

Foreman and Proxy versions:
foreman 3.4.0 / Katello 4.2.3

Distribution and version:
CentOS-8 / Rocky-8
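A quick way to verify the expected outcome on an installed box, as an added check that is not part of this thread: scan a library directory for commons-text jars and flag anything older than 1.10. The default Candlepin lib path below is an assumption; pass the real directory as the first argument.

```shell
#!/bin/sh
# Added example (not from the thread): report commons-text jars older than 1.10,
# the first release that disables the dangerous interpolators (CVE-2022-42889).
# Assumes jars are named commons-text-<version>.jar and paths contain no whitespace.

# Return 0 if version $1 is at least 1.10 (fixed), 1 otherwise.
# Only the numeric major.minor components are compared; suffixes like
# "-SNAPSHOT" or ".redhat-1" are stripped first.
commons_text_is_fixed() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    major=${v%%.*}
    rest=${v#*.}
    [ "$rest" = "$v" ] && rest=0        # no minor component given
    minor=${rest%%.*}
    [ -z "$major" ] && return 1         # unparseable version: treat as not fixed
    [ "$major" -gt 1 ] && return 0
    [ "$major" -eq 1 ] && [ "$minor" -ge 10 ] && return 0
    return 1
}

# Scan a directory tree for commons-text jars, print one line per jar
# ("OK" or "VULNERABLE") and return 1 if any vulnerable jar was found.
scan_commons_text() {
    dir=${1:-/var/lib/tomcat/webapps/candlepin/WEB-INF/lib}   # assumed path
    found_vuln=0
    for jar in $(find "$dir" -name 'commons-text-*.jar' 2>/dev/null); do
        name=$(basename "$jar" .jar)
        ver=${name#commons-text-}
        if commons_text_is_fixed "$ver"; then
            echo "OK         $jar"
        else
            echo "VULNERABLE $jar (commons-text $ver < 1.10, CVE-2022-42889)"
            found_vuln=1
        fi
    done
    return $found_vuln
}
```

Run as `sh check.sh` after appending a call such as `scan_commons_text /path/to/lib`; a non-zero exit status means at least one vulnerable jar is present.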

Hi Andre,

I put it onto foreman-security@googlegroups.com to get clarification. I currently assume that candlepin sufficiently sanitizes input into Apache Commons Text library, making it less vulnerable (see also Red Hat Satellite on the list of affected packages on the Red Hat Customer Portal).

I’ll post here if I hear anything different.


Hi @m-bucher,
Do you know if there are any updates about this issue?

Kind regards,
Andre

The library is a dependency of a dependency of Candlepin.

From what I know the Candlepin team aims to update the dependency for the next release. Whether they will also backport it to stable foreman/katello versions, I have no information.

As far as I see they already have merged the fix (or better the dependency upgrade) into master:
