-
SmartClient 12.1 (and earlier releases) have no dependency on Apache Commons Compress JAR, so any compatibility issue would only be with your own software or other JARs that you've added that need it.
-
Thanks for your input.
The smart client version we are using is SmartClient_v121p_2021-01-09_Enterprise.
Just realized that the commons-compress jar is bundled by ourselves along with other jars. So with smart client (SmartClient_v121p_2021-01-09_Enterprise), if we use commons-compress 1.21, will it be compatible? So that I can just upgrade commons-compress to solve the vulnerability?
Thanks in advance for the help.
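An added example, not part of the original thread and not Isomorphic's code: a small audit that finds every commons-compress JAR under a deployment directory, including copies packed inside WAR/EAR/JAR files, and flags versions below 1.21, the release the thread names as the fix. All function names and the sample layout are hypothetical and constructed for illustration; detection is by file name only, so shaded or renamed copies are not found.

```python
import io, re, tempfile, zipfile
from pathlib import Path

FIXED = (1, 21)  # per the thread, 1.21 is the release that resolves the listed CVEs
JAR_RE = re.compile(r"(?:^|/)commons-compress-(\d+(?:\.\d+)*)\.jar$")
ARCHIVES = (".war", ".ear", ".jar", ".zip")

def _finding(location, version):
    outdated = tuple(int(p) for p in version.split(".")) < FIXED
    return (location, version, outdated)

def scan_archive(data, label, findings, depth=0):
    """Look for commons-compress JARs inside an archive, following nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        for info in zf.infolist():
            m = JAR_RE.search(info.filename)
            if m:
                findings.append(_finding(f"{label}!/{info.filename}", m.group(1)))
            elif depth < 3 and info.filename.lower().endswith(ARCHIVES):  # bounded nesting
                scan_archive(zf.read(info), f"{label}!/{info.filename}", findings, depth + 1)

def scan_tree(root):
    """Return (location, version, outdated) for every commons-compress JAR under root."""
    findings = []
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        m = JAR_RE.search(path.as_posix())
        if m:
            findings.append(_finding(path.as_posix(), m.group(1)))
        elif path.suffix.lower() in ARCHIVES:
            scan_archive(path.read_bytes(), path.as_posix(), findings)
    return findings

def make_constructed_sample(root):
    """Constructed layout: one loose 1.21 JAR and a WAR bundling 1.20 (empty placeholder files)."""
    root = Path(root)
    (root / "lib").mkdir()
    (root / "lib" / "commons-compress-1.21.jar").write_bytes(b"")
    with zipfile.ZipFile(root / "app.war", "w") as war:
        war.writestr("WEB-INF/lib/commons-compress-1.20.jar", b"")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_constructed_sample(tmp)
        for location, version, outdated in scan_tree(tmp):
            print("OUTDATED" if outdated else "ok      ", version, location)
```

Point `scan_tree` at the real application directory instead of the constructed sample to see which of your own artifacts still carry an older JAR.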
-
We've now addressed the issue in SC 13.0d (development release) by bumping the affected JAR to version 1.21. The fix should be in the next nightly builds dated 2021-10-06.
-
Can you double check your SmartClient version? Apache Commons Compress is only bundled with our development branch, SmartClient 13.0d, and should not be included with any older version. Can you give us the exact version of the build you're running - for example "v12.1p_2021-10-05/EVAL Development Only" or "SNAPSHOT_v13.0d_2021-09-29/LGPL Development Only"?
-
SmartClient 12.1 bundles Apache compress jar (commons-compress-1.20.jar) which is vulnerable.
Hi Team,
We are using SmartClient 12.1, which bundles the Apache compress jar (commons-compress-1.20.jar) in it, and it is vulnerable to the below-mentioned CVEs.
In which version of SmartClient are we remediating it? Please let us know, so that we can upgrade SmartClient to the specified version.
CVE-2021-35515 CVE-2021-35516 CVE-2021-35517 CVE-2021-36090
Thanks