This is an automated email from the ASF dual-hosted git repository.
gian pushed a commit to branch 0.22.1
in repository https://gitbox.apache.org/repos/asf/druid.git
The following commit(s) were added to refs/heads/0.22.1 by this push:
new 880757c suppress hive-storage-api thrift security vulnerability (#11753)
880757c is described below
commit 880757c973f75ec4f19b6a81ce504323983f2e2f
Author: Clint Wylie <[email protected]>
AuthorDate: Tue Sep 28 23:54:13 2021 -0700
suppress hive-storage-api thrift security vulnerability (#11753)
---
owasp-dependency-check-suppressions.xml | 15 ++++++++-------
1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/owasp-dependency-check-suppressions.xml
b/owasp-dependency-check-suppressions.xml
index 511b893..b7da4e5 100644
--- a/owasp-dependency-check-suppressions.xml
+++ b/owasp-dependency-check-suppressions.xml
@@ -334,13 +334,6 @@
]]></notes>
<cve>CVE-2021-26291</cve>
</suppress>
- <suppress until="2021-05-30">
- <!-- Suppress this until https://github.com/apache/druid/issues/11028 is
resolved. -->
- <notes><![CDATA[
- This vulnerability should be fixed soon and the suppression should be
removed.
- ]]></notes>
- <cve>CVE-2020-13949</cve>
- </suppress>
<suppress>
<!-- (avro, parquet, integration-tests) we don't allow velocity templates
to be uploaded by untrusted users -->
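Review bot: the deleted `<suppress until="2021-05-30">` block at the top of this hunk had already expired and pointed at https://github.com/apache/druid/issues/11028 as the condition for its removal; the commit message should state whether that issue was resolved or whether the entry was simply redundant, since CVE-2020-13949 remains suppressed by other entries in this file (see the unchanged `<cve>CVE-2020-13949</cve>` context at the start of the next hunk). If the issue is still open, a dated replacement entry would preserve the re-review trigger that this deletion removes.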
@@ -393,6 +386,14 @@
<cve>CVE-2020-13949</cve>
</suppress>
<suppress>
+ <!-- hive-storage-api has the thrift vulnerability too -->
+ <notes><![CDATA[
+ file name: hive-storage-api-2.8.1.jar
+ ]]></notes>
+ <packageUrl
regex="true">^pkg:maven/org\.apache\.hive/[email protected]$</packageUrl>
+ <cve>CVE-2020-13949</cve>
+ </suppress>
+ <suppress>
<!--
the scanner misattributes this to Apache DataSketches
the actual vulnerability affects some collaboration tool called Sketch,
and impacts some 'library feeds' feature
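Review bot: the new hive-storage-api `<suppress>` entry carries no `until` attribute and its `<notes>` record only the jar file name, so unlike the entry removed in the previous hunk it will never come up for re-review; add an `until` date or a tracking-issue link, and a sentence in the notes explaining why the thrift issue (CVE-2020-13949) is not reachable through Druid's use of hive-storage-api-2.8.1.jar, matching the justification style of the neighbouring entries (for example the velocity-templates note). Pinning the exact version in the `packageUrl` regex is the right choice, since the suppression lapses automatically when the dependency is bumped.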
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]