older lucee versions can't download extensions from refactored update provider due to redirects (i.e. 5.2)

Description

PSA: Only supported versions of Lucee are 5.4 and 6+

5.2 has multiple CVEs and uses very old Java libraries with their own additional CVEs

https://github.com/lucee/Lucee/blob/6.1/SECURITY.md

Those versions also download only over http, which adds another redirect: http to https, and then on to the extension CDN

WORKAROUND: copy extensions manually to the /deploy folder

For security reasons, we will no longer support insecure update providers (i.e. https only, no http support)

You can also create a reverse proxy that serves the content of https://update.lucee.org/ and https://extension.lucee.org/ via http, and then edit your lucee-server.xml to use that custom update provider host instead

Anyone running these old versions in production is advised to upgrade immediately; 5.4 is our LTS release, supported until 2026

https://github.com/lucee/Lucee/actions/runs/9676869912/job/26697364188#step:6:15

These are just some of the problematic libraries in core 5.2, not including extensions (or jars rebundled by Lucee):

+-------------------------------------+------+-----------+-----------------------------------------+---------+----------------+
| OSV URL                             | CVSS | ECOSYSTEM | PACKAGE                                 | VERSION | SOURCE         |
+-------------------------------------+------+-----------+-----------------------------------------+---------+----------------+
| https://osv.dev/GHSA-cgp8-4m63-fhh5 | 6.5  | Maven     | commons-net:commons-net                 | 3.3     | core/pom.xml   |
| https://osv.dev/GHSA-2qrg-x229-3v8q | 9.8  | Maven     | log4j:log4j                             | 1.2.17  | core/pom.xml   |
| https://osv.dev/GHSA-65fg-84f6-3jq3 | 9.8  | Maven     | log4j:log4j                             | 1.2.17  | core/pom.xml   |
| https://osv.dev/GHSA-f7vh-qwp3-x37m | 9.8  | Maven     | log4j:log4j                             | 1.2.17  | core/pom.xml   |
| https://osv.dev/GHSA-fp5r-v3w9-4333 | 7.5  | Maven     | log4j:log4j                             | 1.2.17  | core/pom.xml   |
| https://osv.dev/GHSA-w9p3-5cr8-m3jj | 8.8  | Maven     | log4j:log4j                             | 1.2.17  | core/pom.xml   |
| https://osv.dev/GHSA-4p6w-m9wc-c9c9 | 6.3  | Maven     | org.apache.ant:ant                      | 1.9.5   | core/pom.xml   |
| https://osv.dev/GHSA-5v34-g2px-j4fw | 5.5  | Maven     | org.apache.ant:ant                      | 1.9.5   | core/pom.xml   |
| https://osv.dev/GHSA-q5r4-cfpx-h6fh | 5.5  | Maven     | org.apache.ant:ant                      | 1.9.5   | core/pom.xml   |
| https://osv.dev/GHSA-6hgm-866r-3cjv |      | Maven     | org.apache.commons:commons-collections4 | 4.0     | core/pom.xml   |
| https://osv.dev/GHSA-fjq5-5j5f-mvxh | 9.8  | Maven     | org.apache.commons:commons-collections4 | 4.0     | core/pom.xml   |
| https://osv.dev/GHSA-4xr4-4c65-hj7f | 7.8  | Maven     | org.apache.tika:tika-core               | 1.10    | core/pom.xml   |
| https://osv.dev/GHSA-5mf7-26mw-3rqr | 5.5  | Maven     | org.apache.tika:tika-core               | 1.10    | core/pom.xml   |
| https://osv.dev/GHSA-6jq2-789q-fff2 | 7.5  | Maven     | org.apache.tika:tika-core               | 1.10    | core/pom.xml   |
| https://osv.dev/GHSA-9r24-gp44-h3pm | 8.1  | Maven     | org.apache.tika:tika-core               | 1.10    | core/pom.xml   |
| https://osv.dev/GHSA-h8q5-g2cj-qr5h | 7.5  | Maven     | org.apache.tika:tika-core               | 1.10    | core/pom.xml   |
| https://osv.dev/GHSA-j53j-gmr9-h8g3 | 5.5  | Maven     | org.apache.tika:tika-core               | 1.10    | core/pom.xml   |
| https://osv.dev/GHSA-j8g6-2wh7-6439 | 9.8  | Maven     | org.apache.tika:tika-core               | 1.10    | core/pom.xml   |
| https://osv.dev/GHSA-mfwh-gqx8-c787 | 8.8  | Maven     | org.apache.tika:tika-core               | 1.10    | core/pom.xml   |
| https://osv.dev/GHSA-mm7m-xg4h-6m52 | 7.8  | Maven     | org.apache.tika:tika-core               | 1.10    | core/pom.xml   |
| https://osv.dev/GHSA-w6g3-v46q-5p28 | 5.9  | Maven     | org.apache.tika:tika-core               | 1.10    | core/pom.xml   |
+-------------------------------------+------+-----------+-----------------------------------------+---------+----------------+
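The reverse proxy workaround described above, as an added example (not Lucee's own configuration) using nginx: the proxy exposes plaintext http only to the internal network, keeps the hop to lucee.org on verified https, and follows the CDN redirect itself because the old client cannot. The addresses 10.0.0.5, 10.0.0.0/24 and 10.0.0.2 and the hostnames lucee-update.internal and lucee-extension.internal are placeholders.

```nginx
# Added example, not Lucee's own config. Placeholders: proxy address 10.0.0.5,
# Lucee subnet 10.0.0.0/24, DNS resolver 10.0.0.2, *.internal hostnames.

# Map the internal hostname Lucee is pointed at to the real https provider.
map $host $lucee_upstream {
    lucee-update.internal     update.lucee.org;
    lucee-extension.internal  extension.lucee.org;
}

server {
    # Plaintext http is what the old client speaks, so listen only on the
    # internal interface and admit only the Lucee hosts themselves.
    listen 10.0.0.5:80;
    server_name lucee-update.internal lucee-extension.internal;
    allow 10.0.0.0/24;
    deny  all;

    # Required because proxy_pass below contains variables (resolved at runtime).
    resolver 10.0.0.2 valid=300s;

    location / {
        proxy_pass https://$lucee_upstream;
        proxy_set_header Host $lucee_upstream;

        # The hop from the proxy to lucee.org stays https and is verified, so
        # plaintext exposure is confined to the internal network.
        proxy_ssl_server_name on;
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;

        # Lucee 5.2 does not follow redirects, so the proxy must: intercept the
        # 30x answer (e.g. the hop to the extension CDN) and fetch the target.
        proxy_intercept_errors on;
        error_page 301 302 307 = @follow_redirect;
    }

    location @follow_redirect {
        # $upstream_http_location carries the Location header of the 30x reply.
        set $redirect_target $upstream_http_location;
        proxy_pass $redirect_target;
        proxy_ssl_server_name on;
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
        # Follows one redirect hop; a further 30x is passed back to the client.
    }
}
```

Point the update provider host in lucee-server.xml at http://lucee-update.internal/ (and the extension provider at http://lucee-extension.internal/), as the description says, and confirm with a plain GET from the Lucee host that the proxy answers 200 rather than 30x.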

Environment

None

Activity

Zac Spitzer 26 June 2024 at 12:37

https://github.com/lucee/lucee-data-provider/pull/36

This would require port 80 to be open; then it will default to serving content directly. Otherwise allowRedirect=boolean, default is true.

Won't Fix

Created 26 June 2024 at 08:15
Updated 26 June 2024 at 16:18
Resolved 26 June 2024 at 16:18