rsamo opened a new issue #3493: Security Vulnerabilities - Black Duck Scan

URL: https://github.com/apache/pulsar/issues/3493

## Issue

Black Duck, a product by Synopsys that scans for open source security threats, uncovered a few issues with dependencies in the following libraries from Pulsar version 2.2.0:

1. pulsar-client
2. pulsar-client-admin
3. pulsar-client-kafka
4. pulsar-websocket

I browsed the 2.2.1 libraries and did not see any changes so I just wanted to make the community aware for future releases.

## pulsar-client / pulsar-client-admin / pulsar-client-kafka / pulsar-websocket

#### Bouncy Castle 1.55

- CVE-2016-1000338
- CVE-2016-1000339
- CVE-2016-1000340
- CVE-2016-1000341
- CVE-2016-1000342
- CVE-2016-1000343
- CVE-2016-1000344
- CVE-2016-1000345
- CVE-2016-1000346
- CVE-2016-1000352
- CVE-2017-13098
- CVE-2018-1000180
- CVE-2018-1000613

#### Guava: Google Core Libraries for Java 21.0

- CVE-2018-10237

## pulsar-websocket

#### Jetty: Java based HTTP, Servlet, SPDY, WebSocket Server 9.3.11.20160721

- CVE-2017-7656
- CVE-2017-7657
- CVE-2017-7658
- CVE-2017-9735
- CVE-2018-12536

#### jQuery UI 1.11.4

- CVE-2016-7103

It looks like upgrading to the latest versions of each of these dependencies might patch things, but I am not certain.

Thanks!
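To turn a report like the one above into a repeatable check, a release engineer can run `mvn dependency:list` on each Pulsar client module and compare the resolved coordinates against the versions the scanner flagged. The script below is an added example, not code from the issue or from the Pulsar project. The affected versions and CVE lists are copied from the issue; the Maven coordinates (`org.bouncycastle:bcprov-jdk15on`, `com.google.guava:guava`, `org.eclipse.jetty:jetty-server`, `org.webjars:jquery-ui`) are assumptions, since the issue names libraries rather than artifact ids, and the `mvn dependency:list` output is constructed sample text. The check is deliberately conservative: it flags any matching artifact at or below the reported version, because the issue does not state which later versions contain the fixes; confirming the actual fixed version for each CVE still requires reading the corresponding advisories.

```python
"""Triage a Maven dependency list against versions a scanner reported as affected."""
import re
from typing import Dict, List, Tuple

# Affected versions and CVE ids as listed in the issue. The groupId:artifactId
# coordinates are assumptions: the issue names the libraries, not the artifacts.
# Black Duck prints the Jetty version as 9.3.11.20160721; Maven prints the same
# release as 9.3.11.v20160721, and version_key() normalizes both to one tuple.
AFFECTED: Dict[str, Tuple[str, List[str]]] = {
    "org.bouncycastle:bcprov-jdk15on": ("1.55", [
        "CVE-2016-1000338", "CVE-2016-1000339", "CVE-2016-1000340",
        "CVE-2016-1000341", "CVE-2016-1000342", "CVE-2016-1000343",
        "CVE-2016-1000344", "CVE-2016-1000345", "CVE-2016-1000346",
        "CVE-2016-1000352", "CVE-2017-13098", "CVE-2018-1000180",
        "CVE-2018-1000613",
    ]),
    "com.google.guava:guava": ("21.0", ["CVE-2018-10237"]),
    "org.eclipse.jetty:jetty-server": ("9.3.11.20160721", [
        "CVE-2017-7656", "CVE-2017-7657", "CVE-2017-7658",
        "CVE-2017-9735", "CVE-2018-12536",
    ]),
    "org.webjars:jquery-ui": ("1.11.4", ["CVE-2016-7103"]),
}

# Constructed sample of `mvn dependency:list` output for a service that pulls in
# pulsar-client 2.2.0. Lines follow Maven's groupId:artifactId:type:version:scope form.
SAMPLE_DEPENDENCY_LIST = """\
[INFO] --- maven-dependency-plugin:3.1.1:list (default-cli) @ my-service ---
[INFO]
[INFO] The following files have been resolved:
[INFO]    org.apache.pulsar:pulsar-client:jar:2.2.0:compile
[INFO]    org.bouncycastle:bcprov-jdk15on:jar:1.55:compile
[INFO]    com.google.guava:guava:jar:21.0:compile
[INFO]    org.eclipse.jetty:jetty-server:jar:9.3.11.v20160721:compile
[INFO]    org.webjars:jquery-ui:jar:1.11.4:compile
[INFO]    org.slf4j:slf4j-api:jar:1.7.25:compile
"""


def version_key(version: str) -> Tuple[int, ...]:
    """Map '9.3.11.v20160721' to (9, 3, 11, 20160721) so versions compare numerically.

    Each dot- or dash-separated token keeps only its digits; a token with no digits
    (such as the 'jre' in '24.1.1-jre') contributes 0 rather than breaking the compare.
    """
    parts = []
    for token in re.split(r"[.\-]", version):
        digits = re.sub(r"\D", "", token)
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def parse_dependency_list(text: str) -> List[Tuple[str, str]]:
    """Extract (groupId:artifactId, version) pairs from `mvn dependency:list` output."""
    found = []
    for line in text.splitlines():
        match = re.match(r"^\[INFO\]\s+(\S+)", line)
        if not match:
            continue
        parts = match.group(1).split(":")
        # A coordinate has at least g:a:type:version:scope; skip plugin banners etc.
        if len(parts) < 5:
            continue
        found.append((f"{parts[0]}:{parts[1]}", parts[-2]))
    return found


def triage(deps: List[Tuple[str, str]],
           affected: Dict[str, Tuple[str, List[str]]] = AFFECTED
           ) -> List[Tuple[str, str, List[str]]]:
    """Return (coordinate, resolved version, CVEs) for every dependency at or below
    the version the scanner reported as affected. Anything newer is left for manual
    confirmation against the advisories, since fixed versions are not in the report."""
    findings = []
    for coord, version in deps:
        if coord not in affected:
            continue
        reported_version, cves = affected[coord]
        if version_key(version) <= version_key(reported_version):
            findings.append((coord, version, cves))
    return findings


if __name__ == "__main__":
    for coord, version, cves in triage(parse_dependency_list(SAMPLE_DEPENDENCY_LIST)):
        print(f"{coord}:{version} is at/below reported affected version; "
              f"review {', '.join(cves)}")
```

Running the script against the sample lists all four flagged artifacts. Pointing it at real output (`mvn dependency:list -DoutputFile=deps.txt` or just the console log) for pulsar-client, pulsar-client-admin, pulsar-client-kafka and pulsar-websocket gives a quick per-module view of whether a release bump actually moved the transitive versions, which is the check the reporter says they could not confirm for 2.2.1.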
----------------------------------------------------------------

This is an automated message from the Apache Git Service.

To respond to the message, please log on GitHub and use the URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at: [email protected]

With regards,
Apache Git Services
