Release `quickfixj` 2.3.2 to resolve `mina` vulnerability

[cirras]

Is your feature request related to a problem? Please describe.

quickfixj-core has vulnerable dependency mina-core with the following CVEs:

• CVE-2021-41973
• CVE-2024-52046

Describe the solution you'd like

Since mina-core was upgraded in #917, releasing v2.3.2 would resolve this.

Describe alternatives you've considered

Evict/exclude the transitive mina-core dependency and provide a newer version myself.

Additional context

N/A

[chrjohn]

The recent advisory mentions especially the usage of ObjectSerializationCodecFactory but QFJ does not use this but rather the DemuxingProtocolCodecFactory via FIXProtocolCodecFactory so QFJ is not affected by this. We only parse character strings and are not trying to deserialize objects.

[STEELBADGE]

This library may be used in enterprises environments where strict dependency scanning requires an upgrade to a newer version even if that specific vulnerability is not on the hot path.

Is there a technical reason we can’t upgrade?

It doesn’t sound like an unreasonable ask to me.

[chrjohn]

I understand, the comment was only meant as an information.

Is not an unreasonable ask, just limited by personal time. ;) Please also see #774 (comment)

[STEELBADGE]

Thank you for the background.

Is it at all possible to create a patched version that people could use at their own risk?

[chrisharrison]

The latest version of this package is quite old, and the codebase seems to have moved on since the last release. Upgrading to the latest version of mina-core (2.2.x) will cause this package to break.

A workaround while waiting for a release of this package is to upgrade mina-core to 2.1.10 which is not reported as vulnerable and is compatible with this pacakge.

[STEELBADGE]

If we patch QFJ 2.3.1 to update mina-core to 2.1.10 would that be acceptable?

[chrjohn]

That would work. Working on the 2.3.2 release now, should be out in the coming days.

[STEELBADGE]

The financial markets thank you for your service!

[chrjohn]

Well, you're welcome. ;)

[chrjohn]

Release is available on Sonatype Central now, release notes will follow.