Any provision in Grails for getting security patches and updates ?

Tusar Das
Hello everyone, good morning!

I have been a Grails application developer since 2012. I have used both Grails 2.2.x and later upgraded to 3.3.x for some applications. I have a query, whether the Grails community provides news on security patches released and how to apply them in an application. I am not sure whether this is the appropriate forum to ask this question. If not, kindly redirect me to the right forum. Appreciate your help.

Sincerely,
Tusar

--
You received this message because you are subscribed to the Google Groups "Grails Dev Discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/grails-dev-discuss/1b3c68d4-3b50-483d-b0f5-5c3fab640eed%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Re: Any provision in Grails for getting security patches and updates ?

Sergio del Amo Caballero
Probably the Grails Community slack is a better place: https://grails-slack.cfapps.io

Sergio 

On Tuesday, 4 June 2019 07:57:27 UTC+2, Tusar Das wrote:
Hello everyone, good morning!

I have been a Grails application developer since 2012. I have used both Grails 2.2.x and later upgraded to 3.3.x for some applications. I have a query, whether the Grails community provides news on security patches released and how to apply them in an application. I am not sure whether this is the appropriate forum to ask this question. If not, kindly redirect me to the right forum. Appreciate your help.

Sincerely,
Tusar


Re: Any provision in Grails for getting security patches and updates ?

Jeff Scott Brown-4
In reply to this post by Tusar Das
On 4 Jun 2019, at 0:57, Tusar Das wrote:

> Hello everyone, good morning!
>
> I have been a Grails application developer since 2012. I have used both
> Grails 2.2.x and later upgraded to 3.3.x for some applications. I have a
> query, whether the Grails community provides news on security patches
> released and how to apply them in an application. I am not sure whether
> this is the appropriate forum to ask this question. If not, kindly
> redirect me to the right forum. Appreciate your help.
>
> Sincerely,
> Tusar
>

We don’t provide instructions on how to apply patches because we
don’t really release patches.  We just ship a new version of the
framework.

In the 11+ years of Grails there haven’t been many security related
issues we had to address in the core framework with a release.  The
first one I remember was related to data binding and was kind of
arguable if it was really a security vulnerability or if the framework
just made it too easy for developers to do the wrong thing but we
addressed the issue and I wrote about it at
https://spring.io/blog/2012/03/28/secure-data-binding-with-grails/.  
Very recently there was a potential issue that turned out to not have
actually been an issue and information about that is at
https://objectcomputing.com/news/2019/05/30/possible-grails-mitm-vulnerability.

If you have any specific questions about a security related concern,
please reach out and let us know.

Thanks!



JSB
--
Jeff Scott Brown
Partner and Practice Lead, Grails and Micronaut

Disruptive solutions for a connected world.™
http://objectcomputing.com

Autism Strikes 1 in 166
Find The Cause ~ Find The Cure
http://www.autismspeaks.org/


Re: Any provision in Grails for getting security patches and updates ?

Bill Baran
Just curious, do you not consider security issues in dependencies such as the Spring remote execution flaw?
It showed up in the security scanning of some of our grails apps.
https://www.waratek.com/remote-code-execution-flaw-spring-framework/

-WKBaran


Re: Any provision in Grails for getting security patches and updates ?

Jeff Scott Brown-4
On 6 Jun 2019, at 0:30, Bill Baran wrote:

> Just curious, do you not consider security issues in dependencies
> such as the Spring remote execution flaw?
> It showed up in the security scanning of some of our grails apps.
> https://www.waratek.com/remote-code-execution-flaw-spring-framework/
>

It depends on the particulars.  For that one in particular, the versions
of Spring used in the latest Grails 3.2 and 3.3 releases already include
the relevant mitigation.  Also, be aware that you can express what
version of Spring you want to use in a Grails 3 app by modifying your
build (build.gradle and friends).




JSB
--
Jeff Scott Brown
Partner and Practice Lead, Grails and Micronaut

Disruptive solutions for a connected world.™
http://objectcomputing.com

Autism Strikes 1 in 166
Find The Cause ~ Find The Cure
http://www.autismspeaks.org/
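
Added example, not part of the original thread and not Grails project code: whether a scanner finding against Spring applies depends on the Spring version the build actually resolves, so this script reads the text of a Gradle dependency report and lists `org.springframework` artifacts that resolve below a chosen floor. The sample report, the artifact versions in it and the floor value are constructed for illustration.

```python
import re

# Constructed sample of `gradle dependencies --configuration runtime` output.
# Artifact versions are illustrative, not taken from the thread.
SAMPLE_REPORT = r"""
runtime - Runtime dependencies for source set 'main'.
+--- org.grails:grails-core -> 3.3.9
|    +--- org.springframework:spring-core:4.3.20.RELEASE
|    \--- org.springframework:spring-context:4.3.20.RELEASE (*)
+--- com.example:legacy-lib:1.0
|    \--- org.springframework:spring-web:4.3.9.RELEASE -> 4.3.20.RELEASE
\--- com.example:shaded-plugin:2.1
     \--- org.springframework:spring-messaging:4.3.9.RELEASE
"""

# One tree node: group:name[:requested][ -> resolved]
NODE = re.compile(r"[+\\]--- ([^:\s]+):([^:\s]+)(?::(\S+))?(?: -> (\S+))?")


def version_key(version):
    """Numeric part of a version such as '4.3.20.RELEASE' -> (4, 3, 20)."""
    return tuple(int(n) for n in re.findall(r"\d+", version)[:3])


def spring_below_floor(report, floor, group="org.springframework"):
    """Return sorted (artifact, resolved_version) pairs older than `floor`."""
    stale = set()
    for line in report.splitlines():
        match = NODE.search(line)
        if not match or match.group(1) != group:
            continue
        # Gradle prints "requested -> resolved" when conflict resolution or
        # a BOM changed the version; the resolved one is what ships.
        resolved = match.group(4) or match.group(3)
        if resolved and version_key(resolved) < version_key(floor):
            stale.add((f"{group}:{match.group(2)}", resolved))
    return sorted(stale)


if __name__ == "__main__":
    # FLOOR is a placeholder; take the fixed version from the advisory.
    FLOOR = "4.3.16.RELEASE"
    for artifact, version in spring_below_floor(SAMPLE_REPORT, FLOOR):
        print(f"{artifact} resolves to {version}, below {FLOOR}")
```

In the sample, `spring-web` is requested at an older version but resolved upward, so it is not reported, while `spring-messaging` is pulled in at the older version and is.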
