Security Vulnerability Detected in GWT Library


Hrishikesh Joshi

Apr 10, 2019, 4:26:00 AM
to GWT Users
GWT 2.8.2:
All
All

---

##### Description
Security vulnerabilities detected in gwt-dev.jar & gwt-servlet.jar are reported by the Dependency checker tool.

Below are the details:

1. gwt-dev.jar
   - 1.1 Vulnerable version of jetty library (current version - 9.2.14, available )
   - 1.2 Vulnerable version of commons-collections (current version - 3.2.1)
   - 1.3 Vulnerable version of org.apache.httpcomponents:httpclient (current version - 4.3.1)

2. gwt-servlet.jar
   - 2.1 Vulnerable version of Google Protobuf (current version - 2.5.0, available version - 3.4.0)

##### Steps to reproduce
Refer to the instructions from the following web site.

Is the community going to update the 3rd-party libraries used by GWT to remove these vulnerabilities?

luca....@gmail.com

Apr 10, 2019, 4:28:23 AM
to GWT Users
gwt-dev is only used during the Maven build, or at least for the code server running on my workstation; this is not necessary.

Maybe gwt-servlet for old legacy apps that still use GWT-RPC, but most now use REST services and REST clients.

Anyway thanks for your suggestions.

Have a nice day

foal

May 1, 2019, 2:58:03 PM
to GWT Users
Easier to update in upcoming releases than to explain to each other that it isn't critical :)

BTW GWT-RPC uses protobuf? Thought about replacing REST with Protobuf but did not find a ready-to-use solution (Java <-> GWT with APT generators).

Stas.

t.br...@gmail.com

May 2, 2019, 4:30:39 AM
to GWT Users
On Wednesday, May 1, 2019 at 8:58:03 PM UTC+2, foal wrote:
> Easier to update in upcoming releases than to explain to each other that it isn't critical :)
>
> BTW GWT-RPC uses protobuf?

The protobuf in gwt-servlet is an internal dependency for sourcemaps and streamhtmlparser (used in server-side SafeHtml)

> Thought about replacing REST with Protobuf but did not find a ready-to-use solution (Java <-> GWT with APT generators).

Maybe grpc-web would be usable nowadays?

Hrishikesh Joshi

May 14, 2019, 12:45:02 AM
to GWT Users
Are there any plans to update this in GWT 2.9.0? Are there any technical limitations which are holding GWT back from updating this? If there are no technical limitations and the only issue is contribution to open source, then I would like to know that.
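
A way to triage the findings discussed in this thread, as an added example that is not part of the thread or of GWT: it checks whether a build-time jar such as gwt-dev ended up in a WAR's WEB-INF/lib and lists the Maven coordinates each deployed jar bundles. It assumes bundled libraries kept their META-INF/maven/.../pom.properties metadata; the function names are hypothetical and the WAR is constructed sample data using versions quoted in the first post.

```python
import io
import zipfile

def bundled_coordinates(jar_bytes):
    """Maven coordinates from META-INF/maven/**/pom.properties (assumes that metadata was kept)."""
    coords = set()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                props = {}
                for line in jar.read(name).decode("utf-8", "replace").splitlines():
                    if "=" in line and not line.lstrip().startswith("#"):
                        key, value = line.split("=", 1)
                        props[key.strip()] = value.strip()
                coords.add(tuple(props.get(k, "?") for k in ("groupId", "artifactId", "version")))
    return sorted(coords)

def triage_war(war_bytes, build_only=("gwt-dev",)):
    """Per jar in WEB-INF/lib: bundled coordinates, and whether a build-time jar was shipped."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for name in war.namelist():
            if name.startswith("WEB-INF/lib/") and name.endswith(".jar"):
                jar_name = name.rsplit("/", 1)[1]
                report[jar_name] = {"build_only_but_deployed": jar_name.startswith(build_only),
                                    "bundled": bundled_coordinates(war.read(name))}
    return report

def _zip(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for path, data in entries.items():
            z.writestr(path, data)
    return buf.getvalue()

def _pom(group, artifact, version):
    path = f"META-INF/maven/{group}/{artifact}/pom.properties"
    return {path: f"#constructed\nversion={version}\ngroupId={group}\nartifactId={artifact}\n"}

def sample_war():
    """Constructed WAR; library versions are the ones quoted in the first post."""
    servlet = _zip(_pom("com.google.protobuf", "protobuf-java", "2.5.0"))
    dev = _zip({**_pom("commons-collections", "commons-collections", "3.2.1"),
                **_pom("org.apache.httpcomponents", "httpclient", "4.3.1")})
    return _zip({"WEB-INF/lib/gwt-servlet.jar": servlet, "WEB-INF/lib/gwt-dev.jar": dev})

if __name__ == "__main__":
    for jar_name, info in triage_war(sample_war()).items():
        print(jar_name, info)
```

A jar flagged as `build_only_but_deployed` widens the runtime attack surface and is the first thing to remove; findings against a jar that never reaches the server are a build-environment concern instead.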