Any provision in Grails for getting security patches and updates?

Tusar Das
Jun 4, 2019, 1:57:27 AM
to Grails Dev Discuss
Hello everyone, good morning !

I am a Grails application developer since 2012. I have used both Grails 2.2.x and later upgraded to 3.3.x for some applications. I have a query: whether the Grails community provides news on security patches released and how to apply them in an application. I am not sure whether this is the appropriate forum to ask this question. If not, kindly redirect me to the right forum. Appreciate your help.

Sincerely,
Tusar

Sergio del Amo Caballero
Jun 5, 2019, 3:23:38 AM
to Grails Dev Discuss
Probably the Grails Community slack is a better place: https://grails-slack.cfapps.io

Sergio 

Jeff Scott Brown
Jun 5, 2019, 11:25:49 PM
to Grails Dev Discuss
We don’t provide instructions on how to apply patches because we
don’t really release patches. We just ship a new version of the
framework.

In the 11+ years of Grails there haven’t been many security related
issues we had to address in the core framework with a release. The
first one I remember was related to data binding and was kind of
arguable if it was really a security vulnerability or if the framework
just made it too easy for developers to do the wrong thing but we
addressed the issue and I wrote about it at
https://spring.io/blog/2012/03/28/secure-data-binding-with-grails/.
Very recently there was a potential issue that turned out to not have
actually been an issue and information about that is at
https://objectcomputing.com/news/2019/05/30/possible-grails-mitm-vulnerability.

If you have any specific questions about a security related concern,
please reach out and let us know.

Thanks!

JSB
--
Jeff Scott Brown
Partner and Practice Lead, Grails and Micronaut

Disruptive solutions for a connected world.™
http://objectcomputing.com

Autism Strikes 1 in 166
Find The Cause ~ Find The Cure
http://www.autismspeaks.org/

Bill Baran
Jun 6, 2019, 1:30:59 AM
to Grails Dev Discuss
Just curious, do you not consider security issues in dependencies such as the Spring remote execution flaw?
It showed up in the security scanning of some of our Grails apps.
https://www.waratek.com/remote-code-execution-flaw-spring-framework/

-WKBaran

Jeff Scott Brown
Jun 6, 2019, 9:30:35 AM
to Grails Dev Discuss
It depends on the particulars. For that one in particular, the versions
of Spring used in the latest Grails 3.2 and 3.3 releases already include
the relevant mitigation. Also, be aware that you can express what
version of Spring you want to use in a Grails 3 app by modifying your
build (build.gradle and friends).
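The reply above says a Grails 3 app can choose its own Spring Framework version through the build. The following build.gradle fragment is an added example, not code from this thread or from the Grails project, showing two ways to pin every transitive org.springframework dependency to a patched release. The version value, the `springVersion` variable, and the `reason` string are placeholders and assumptions of the example; the actual patched version should come from the advisory or scanner finding, and it must still be compatible with the Spring Boot version the Grails release is built against.

```groovy
// Added example (not from the thread or the Grails project): pinning the Spring
// Framework version that a Grails 3 application resolves, in build.gradle.
// 'springVersion' is a placeholder; substitute the patched release named by the
// advisory your scanner reported, and keep it compatible with the Grails/Spring
// Boot combination the app is built on.
def springVersion = 'X.Y.Z.RELEASE' // placeholder, not a real version recommendation

// Option 1: override the version property of the Spring Boot BOM that the
// io.spring.dependency-management plugin (applied by a Grails 3 build) reads.
// This assumes the BOM in use exposes the 'spring.version' property.
ext['spring.version'] = springVersion

// Option 2: plain Gradle resolution strategy. Works independently of the BOM and
// forces every transitive org.springframework:* artifact, whatever version another
// dependency requested, to resolve to the pinned release.
configurations.all {
    resolutionStrategy.eachDependency { details ->
        if (details.requested.group == 'org.springframework') {
            details.useVersion springVersion
        }
    }
}

// Optional hardening for the build itself: fail the build if the pin did not take
// effect, so a silently downgraded Spring artifact cannot reach production.
configurations.all { config ->
    config.incoming.afterResolve { resolvable ->
        resolvable.resolutionResult.allComponents { component ->
            def id = component.moduleVersion
            if (id != null && id.group == 'org.springframework' && id.version != springVersion) {
                throw new GradleException("Unpinned Spring artifact resolved: ${id}")
            }
        }
    }
}
```

After changing the build, confirm the resolved versions rather than trusting the declaration: `./gradlew dependencyInsight --dependency spring-core --configuration runtime` shows which version won and why, and `./gradlew dependencies --configuration runtime` lists the full tree, which is also what a dependency scanner should be re-run against.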