
Red5-client is dependent on vulnerable version of mina-core

Open rawler opened this issue 3 years ago • 3 comments

Details can be seen on https://mvnrepository.com/artifact/org.red5/red5-client/1.2.12

Tried to patch it up myself, but failed to understand what controls ${mina.version} in pom.xml.

rawler avatar Feb 11 '22 13:02 rawler

@rawler the versions will normally be found in the properties section of the current pom or in the parent pom (see red5-parent). Also the CVE linked does not affect Red5 since we do not use Mina for HTTP requests; the only way it could possibly be exploited is with a specially crafted RTMPT client, if one was so inclined.

mondain avatar Feb 11 '22 14:02 mondain

Good point R.E. not applicable to red5-client. Any good reason to not bump dependency to fixed version? (2.1.5)

rawler avatar Feb 11 '22 15:02 rawler

If there was a road map, I'd say that's on there, but in actuality I haven't taken it on yet.

mondain avatar Feb 11 '22 17:02 mondain
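
The property lookup mondain describes (current pom first, then the parent pom) and the check against the fixed version 2.1.5 that rawler mentions, as an added example that is not part of the thread or of Red5's code. The two POMs are constructed samples, and the `example-*` artifact names and the 2.1.0 starting version are assumptions, not Red5's real values.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample POMs (not Red5's real files); the 2.1.0 value is made up.
PARENT_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <artifactId>example-parent</artifactId>
  <properties><mina.version>2.1.0</mina.version></properties>
</project>"""

CHILD_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <parent><artifactId>example-parent</artifactId></parent>
  <artifactId>example-client</artifactId>
  <dependencies><dependency>
    <groupId>org.apache.mina</groupId><artifactId>mina-core</artifactId>
    <version>${mina.version}</version>
  </dependency></dependencies>
</project>"""

def properties(pom_xml):
    """Return the <properties> section of one POM as a dict (empty if absent)."""
    props = ET.fromstring(pom_xml).find("m:properties", NS)
    if props is None:
        return {}
    return {p.tag.split("}")[1]: (p.text or "").strip() for p in props}

def resolve(name, pom_chain):
    """pom_chain is ordered child first, then parent(s); the nearest definition wins."""
    for label, pom_xml in pom_chain:
        props = properties(pom_xml)
        if name in props:
            return props[name], label
    return None, None

def needs_bump(current, fixed):
    """True when a purely numeric dotted version is older than the fixed one."""
    as_tuple = lambda v: tuple(int(part) for part in v.split("."))
    return as_tuple(current) < as_tuple(fixed)

def with_override(pom_xml, name, value):
    """Return the POM text with a <properties> entry added that shadows the parent's."""
    entry = f"  <properties><{name}>{value}</{name}></properties>\n</project>"
    return pom_xml.replace("</project>", entry)

if __name__ == "__main__":
    chain = [("child", CHILD_POM), ("parent", PARENT_POM)]
    version, source = resolve("mina.version", chain)
    print(f"mina.version={version} from {source} pom, bump needed: {needs_bump(version, '2.1.5')}")
```

Against a real checkout, `mvn help:evaluate -Dexpression=mina.version -q -DforceStdout` reports the value Maven actually resolves.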