bbottema/simple-java-mail

[security] Update 3rd party dependencies to get rid of all currently known CVE issues

rover886 opened this issue · 2 comments

Hijacking this issue as a placeholder for the security upgrade.

original text:

The smime-module has a dependency on utils-mail-smime, which in turn depends on bcjmail-jdk15to18 along with further transitive dependencies from Bouncy Castle.

From this comment of yours, @bbottema, I learned that you are in the process of updating 3rd party dependencies, so please consider using bcjmail-jdk18on instead of bcjmail-jdk15to18, as simple-java-mail is compatible with JDK8+.

Also, the bc*-jdk15to18 JARs are designed to be compatible with JDK versions 1.5 through 1.8, whereas the bc*-jdk18on JARs are designed for JDK 1.8 and later. So it makes sense, doesn't it? Even https://bouncycastle.org/latest_releases.html says the same.

Please ignore if you have already considered this :)

Changes:

Dependencies:

  • Spring 5.3.27 -> 5.3.34
  • Spring Boot 2.5.15 -> 2.7.18
  • commons-io 2.7 -> 2.11.0
  • utils-mail-smime 2.3.1 -> 2.3.3
    • org.bouncycastle:bcjmail-jdk15to18 1.75 -> org.bouncycastle:bcjmail-jdk18on 1.78.1
  • ical4j 2.2.4 -> ical4j-vcard 2.0.0-beta2

Other:

  • JUnit 4 -> JUnit 5 (including Mockito and AssertJ; got rid of PowerMock)
  • maven-surefire-plugin 2.19.1 -> 3.2.5
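An added example, not the project's own pom nor anything posted in this issue: a consumer pom.xml fragment that applies the same Bouncy Castle switch on the consumer side, so that no bc*-jdk15to18 JAR lingers on the classpath next to the jdk18on line. The coordinates org.simplejavamail:smime-module are assumed, the simple-java-mail version is a placeholder, and 1.78.1 is the bcjmail-jdk18on version this issue upgrades to.

```xml
<!-- Added example (not the project's pom): force the Bouncy Castle jdk18on line
     for a consumer of the smime-module. smime-module coordinates are assumed;
     1.78.1 is the bcjmail-jdk18on version named in the issue. -->
<project>
  <dependencyManagement>
    <dependencies>
      <!-- A managed version wins over any transitive request for the same artifact,
           so whichever path brings in bcjmail-jdk18on ends up at 1.78.1. -->
      <dependency>
        <groupId>org.bouncycastle</groupId>
        <artifactId>bcjmail-jdk18on</artifactId>
        <version>1.78.1</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>org.simplejavamail</groupId>
      <artifactId>smime-module</artifactId>
      <version>PLACEHOLDER_SIMPLE_JAVA_MAIL_VERSION</version>
      <exclusions>
        <!-- The old artifact has a different artifactId, so dependencyManagement
             cannot replace it; it must be excluded. Maven drops the whole subtree
             it pulled in (bcprov/bcpkix/bcutil-jdk15to18) together with it, even
             though it sits two levels down via utils-mail-smime. -->
        <exclusion>
          <groupId>org.bouncycastle</groupId>
          <artifactId>bcjmail-jdk15to18</artifactId>
        </exclusion>
      </exclusions>
    </dependency>

    <!-- Declared directly so the jdk18on line (with its own bcprov/bcpkix/bcutil)
         is present; the version comes from dependencyManagement above. -->
    <dependency>
      <groupId>org.bouncycastle</groupId>
      <artifactId>bcjmail-jdk18on</artifactId>
    </dependency>
  </dependencies>
</project>
```

After the change, `mvn dependency:tree -Dincludes=org.bouncycastle` should list only *-jdk18on artifacts; any remaining *-jdk15to18 entry means another dependency path still needs the same exclusion.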

v8.9.0 was released to Maven Central!