
Upgrade commons-compress to 1.26.0 to address CVE-2024-25710

Open jduan-highnote opened this issue 2 years ago • 8 comments

Description of the bug

See this CVE:

https://nvd.nist.gov/vuln/detail/CVE-2024-25710#range-10353751. "flow-server" depends on 1.25.0 of commons-compress which still has the CVE.

Expected behavior

Have no dependencies with CVEs.

Minimal reproducible example

n/a

Versions

  • Vaadin / Flow version: 24.3.6
  • Java version:
  • OS version:
  • Browser version (if applicable):
  • Application Server (if applicable):
  • IDE (if applicable):

jduan-highnote commented Mar 12 '24 19:03

Please use the latest version, 24.3.7, where the dependency is upgraded.

PS: just because some transitive dependency is vulnerable does not mean that your app is.

knoobie commented Mar 12 '24 19:03

This has already been fixed in #18923 and also back-ported to 24.3 in #18935 and released with Vaadin 24.3.7

mcollovati commented Mar 12 '24 19:03

Wow, that was fast. I still don't see it on Maven Central (https://mvnrepository.com/artifact/com.vaadin/flow-server), but I suspect it might show up a bit later?

jduan-highnote commented Mar 12 '24 22:03

It is already on Maven Central:

https://central.sonatype.com/artifact/com.vaadin/flow-server/24.3.7

mcollovati commented Mar 12 '24 23:03

Is it expected that https://mvnrepository.com/ is behind by a few hours?

jduan-highnote commented Mar 12 '24 23:03

AFAIK mvnrepository is not officially related to Maven Central, and I don't know what synchronization policies it has.

mcollovati commented Mar 12 '24 23:03

Cool. Thanks again for the super fast response!

jduan-highnote commented Mar 13 '24 00:03

Not sure if I should create a new issue instead, but flow-server 2.10.5 (i.e. the latest Vaadin 14.11.11) still depends on org.apache.commons:commons-compress:jar:1.21, and that shows up in security scanners.

https://github.com/vaadin/flow/blob/2.10/flow-server/pom.xml#L134

Edit: For some reason the version is different if not using CDI, and org.apache.commons:commons-compress:jar:1.24 is used instead.

samie commented Jun 14 '24 09:06
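The thread turns on which commons-compress version a build actually resolves, and the last comment shows that this can differ depending on what else is on the classpath (Maven keeps the declaration nearest to the root and omits the others, so the CDI add-on changing the winner is expected behaviour). The script below is an added example, not code from this issue or from the vaadin/flow project: it parses the text output of `mvn dependency:tree -Dverbose=true`, reports every path by which org.apache.commons:commons-compress reaches the build, and flags the resolved version if it is older than 1.26.0, the fix version named in this issue. The tree it runs on is constructed by hand for an imaginary `com.example:my-app`; the real flow-server tree and the versions in it will differ.

```python
"""Find which commons-compress version a Maven build really resolves.

Added example, not project code. Feed it the output of
`mvn dependency:tree -Dverbose=true`; the sample below is constructed.
"""
import re
from dataclasses import dataclass

TARGET = "org.apache.commons:commons-compress"
FIXED_VERSION = "1.26.0"  # first release without CVE-2024-25710, per the issue

# Constructed sample of verbose `mvn dependency:tree` output for an imaginary
# app. Lines in parentheses are occurrences Maven dropped ("nearest wins");
# they never reach the classpath, only the un-parenthesised one does.
SAMPLE_TREE = """\
[INFO] com.example:my-app:jar:1.0.0
[INFO] +- com.vaadin:flow-server:jar:24.3.6:compile
[INFO] |  \\- org.apache.commons:commons-compress:jar:1.25.0:compile
[INFO] +- com.example:reporting:jar:2.1.0:compile
[INFO] |  \\- (org.apache.commons:commons-compress:jar:1.26.0:compile - omitted for conflict with 1.25.0)
[INFO] \\- org.apache.commons:commons-io:jar:2.15.1:compile
"""

# groupId:artifactId:type:version[:scope], optionally wrapped in "(" for omitted nodes
COORD_RE = re.compile(
    r"^\(?(?P<group>[^:\s]+):(?P<artifact>[^:\s]+):(?P<type>[^:\s]+):"
    r"(?P<version>[^:\s)]+)(?::(?P<scope>[^:\s)]+))?"
)
TREE_CELLS = ("+- ", "\\- ", "|  ", "   ")  # 3-char drawing cells, one per depth level


@dataclass
class Occurrence:
    path: list[str]   # group:artifact chain from the root to this node
    version: str
    resolved: bool    # False when Maven omitted it (conflict or duplicate)


def parse_version(v: str) -> tuple[int, ...]:
    """'1.26.0' -> (1, 26, 0); non-numeric parts compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def walk_tree(text: str) -> list[Occurrence]:
    """Return every occurrence of TARGET with the path that led to it."""
    stack: list[str] = []   # ancestors of the current node, indexed by depth
    found: list[Occurrence] = []
    for raw in text.splitlines():
        line = raw.removeprefix("[INFO] ")
        depth = 0
        while line[:3] in TREE_CELLS:
            line = line[3:]
            depth += 1
        m = COORD_RE.match(line)
        if not m:
            continue                      # plugin banners, blank lines, etc.
        coord = f"{m['group']}:{m['artifact']}"
        del stack[depth:]                 # climb back up to this node's parent
        stack.append(coord)
        if coord == TARGET:
            found.append(Occurrence(list(stack), m["version"],
                                    resolved=not line.startswith("(")))
    return found


def check(text: str, fixed: str = FIXED_VERSION):
    """Return (resolved version or None, list of vulnerable resolved paths)."""
    occurrences = walk_tree(text)
    resolved = [o for o in occurrences if o.resolved]
    version = resolved[0].version if resolved else None
    vulnerable = [
        " -> ".join(o.path) + f" ({o.version})"
        for o in resolved
        if parse_version(o.version) < parse_version(fixed)
    ]
    return version, vulnerable


if __name__ == "__main__":
    version, bad = check(SAMPLE_TREE)
    print(f"resolved {TARGET} version: {version}")
    for path in bad:
        print("VULNERABLE:", path)
```

In the constructed sample the 1.26.0 copy loses to 1.25.0 because flow-server sits at the same depth but is declared first, so a scanner that only looks at declared versions would report the wrong thing in either direction. If the winning path is old, pin the fixed version in the application POM's `<dependencyManagement>` section and rerun the tree to confirm the resolved line changed; the same check applies to the 2.10 branch case above, where the winner depends on whether the CDI dependency is present.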