The following three updates cover the majority of the issues detected. This report is for Red5 open source specifically, and should also apply to implementations built on the server.
- Spring 5.3.31
- Slf4j 2.0.11
- Logback 1.4.14
The update to Spring 6.0.x is delayed due to its requirement on JDK 17.
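One way to confirm that a build actually resolves these minimum versions (transitive dependencies can pin an older artifact even after the project's own versions are bumped) is to check the output of `mvn dependency:list`. The script below is an added example, not part of the Red5 project; the artifact coordinates (`org.springframework:spring-web`, `org.slf4j:slf4j-api`, `ch.qos.logback:logback-classic`) are assumptions about which artifacts carry the three updates, and the dependency-list output it parses is constructed, with one deliberately outdated Spring version.

```python
import re
from typing import Dict, List, Tuple

# Minimum versions from the update list above. The coordinates are assumptions
# (typical artifacts for each library); adjust them to match your own tree.
MINIMUM_VERSIONS = {
    "org.springframework:spring-web": "5.3.31",
    "org.slf4j:slf4j-api": "2.0.11",
    "ch.qos.logback:logback-classic": "1.4.14",
}

# Matches the lines `mvn dependency:list` prints:
#   [INFO]    groupId:artifactId:type[:classifier]:version:scope [-- module ...]
DEP_LINE = re.compile(
    r"^\[INFO\]\s+(?P<g>[\w.\-]+):(?P<a>[\w.\-]+):(?P<type>[\w\-]+)"
    r"(?::(?P<classifier>[\w.\-]+))?:(?P<version>[\w.\-]+):(?P<scope>\w+)"
)


def version_key(version: str) -> Tuple:
    """Split a version into comparable parts: numeric segments compare as
    integers, qualifiers such as RELEASE compare as strings after numbers."""
    parts = []
    for piece in re.split(r"[.\-]", version):
        parts.append((0, int(piece)) if piece.isdigit() else (1, piece))
    return tuple(parts)


def parse_dependency_list(output: str) -> Dict[str, str]:
    """Return {"groupId:artifactId": version} for every dependency line."""
    resolved: Dict[str, str] = {}
    for line in output.splitlines():
        m = DEP_LINE.match(line)
        if m:
            resolved[f"{m['g']}:{m['a']}"] = m["version"]
    return resolved


def check_minimums(resolved: Dict[str, str],
                   minimums: Dict[str, str] = MINIMUM_VERSIONS) -> List[str]:
    """Return one finding per artifact that is missing or below its minimum."""
    findings = []
    for coord, minimum in minimums.items():
        actual = resolved.get(coord)
        if actual is None:
            findings.append(f"{coord}: not found in dependency list")
        elif version_key(actual) < version_key(minimum):
            findings.append(f"{coord}: resolved {actual}, requires >= {minimum}")
    return findings


# Constructed sample output (not from a real Red5 build); spring-web is one
# patch release behind the minimum so the check has something to report.
SAMPLE_OUTPUT = """\
[INFO] --- dependency:list (default-cli) @ red5-server ---
[INFO]
[INFO] The following files have been resolved:
[INFO]    org.springframework:spring-web:jar:5.3.30:compile
[INFO]    org.slf4j:slf4j-api:jar:2.0.11:compile
[INFO]    ch.qos.logback:logback-classic:jar:1.4.14:compile
[INFO]    ch.qos.logback:logback-core:jar:1.4.14:compile
"""

if __name__ == "__main__":
    # In practice: mvn dependency:list > deps.txt && python check_deps.py deps.txt
    problems = check_minimums(parse_dependency_list(SAMPLE_OUTPUT))
    for problem in problems:
        print("FAIL", problem)
    print("OK" if not problems else f"{len(problems)} finding(s)")
```

The check reads the resolved version rather than the version declared in `pom.xml`, which is the value that matters for the SBOM: a `dependencyManagement` override or an exclusion elsewhere in the tree can leave an older artifact on the classpath.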
Initial report link (pre-fix): https://sbom.sonatype.com/report/T1-118f0f57da8c6b3097cc-94a75cdded71c7-1704896331-bacb473e25344981a5921629c304093e

Individual line items addressed by the three libraries above:
- https://ossindex.sonatype.org/vulnerability/CVE-2016-1000027?component-type=maven&component-name=org.springframework%2Fspring-web
- https://spring.io/security/cve-2023-20860/
- https://spring.io/security/cve-2023-20863/
Other Spring-related issues not listed directly may also be addressed by the update.
Lastly, GitHub will continue to display this warning until we update to Spring 6.0: Red5/red5-server#336
SBOM for 1.3.27 release: https://sbom.sonatype.com/report/T1-118f0f57da8c6b3097cc-94a75cdded71c7-1704988672-fa9ac36151654f5cbf0422db1b15b8f0
Note: the BouncyCastle issues don't affect Red5 or Pro Server unless LDAP or the allowance of internally created cipher engines is selected.
A basic pub/sub test on NOR 12.2.0.14.b971 was confirmed working as of 01/11/24.