Fix for vulnerability CVE-2022-36537

asked 2023-09-20 23:47:05 +0800

NishaBelgi

I am trying to resolve the vulnerability described here --> nvd.nist.gov/vuln/detail/CVE-2022-36537

The fix is tracked here --> tracker.zkoss.org/browse/ZK-5150

It says that the vulnerability is fixed in version 8.6.4.2.

However, this version is not available in maven central. The only version available in maven central with the fix appears to be 9.6.0.2, but that introduces some breaking changes so I am trying to stay within the 8.6.x releases.

Where can I get the 8.6.4.2 version of zk? Can that be published to Maven central?

Thanks.

1 Answer

answered 2023-09-21 19:05:17 +0800

MDuchemin
ZK Team

Bumped your karma for links.

8.6.4.2 is in the EE repository (premium releases).

If you can't upgrade to the next fixed CE release (9.6.0.2), you can secure older versions with the patch files in the tracker ticket:

  • For ZK 8.6.0.1 to 9.6.1: use zk8601-to-zk961-patch.zip
  • For ZK 8.0.2 to 8.6.0: use zk802-to-zk8600-patch.zip

Download the relevant patch and apply it to your current 8.6 release (requires configuration in zk.xml, details in tracker ticket).
