We’re stuck on an EOL library, UserAgentUtils, for parsing the UA strings. I believe we used it to develop a workaround for a JavaScript issue in IE, so it may be something we can just move on from, but it’s also in the API in the UserAgentContext.
There’s an open CVE against this library, but like most CVEs, it’s worse than useless and is likely not even accurate, so the bigger issue is just future state.
If it’s not urgent, we’ll deprecate the APIs in V4 and remove them in V5. If it turns out to be worse, we’ll take more aggressive steps before we finalize 4.3 this week.
Environment
None
Activity
Scott Cantor, January 23, 2023 at 6:46 PM
Removed managed dep from parent POM.
Scott Cantor, January 23, 2023 at 6:38 PM
I removed the IE-specific content type cases from the logout views and that allows the removal of all the rich methods on the UserAgentContext, so the library is removed from the POM.
If we go in another direction for this in the future, I would probably keep it away from the API.
Scott Cantor, January 11, 2023 at 7:41 PM
My best guess is that this CVE isn’t even about this library, nothing really fits.
The library is really doing nothing but crazy string parsing, so I see little concern here other than to make sure we move off it for the next major.
Scott Cantor, January 11, 2023 at 3:55 PM
The usage I can find so far is apparently a MIME type hack for IE dealing with logout in a couple of the flow definitions.