HelenParr opened a new issue, #753: URL: https://github.com/apache/servicecomb-pack/issues/753
Hi, @coolbeevip , @WillemJiang , I'd like to report a vulnerability issue in **org.apache.servicecomb.pack:alpha-server:0.6.0**.

### Issue Description

**org.apache.servicecomb.pack:alpha-server:0.6.0** directly or transitively depends on ***55*** C libraries (.so) across many platforms (such as x86-64, x86, arm64, armhf). However, I noticed that some C libraries are vulnerable, containing the following CVEs:

- `libzstd-jni.so` from C project **zstd (version: 1.3.7)** exposed ***2*** vulnerabilities: [CVE-2021-24031](https://nvd.nist.gov/vuln/detail/CVE-2021-24031), [CVE-2019-11922](https://nvd.nist.gov/vuln/detail/CVE-2019-11922)
- `liblz4-java.so` from C project **lz4 (version: 1.8.3)** exposed ***2*** vulnerabilities: [CVE-2021-3520](https://nvd.nist.gov/vuln/detail/CVE-2021-3520), [CVE-2019-17543](https://nvd.nist.gov/vuln/detail/CVE-2019-17543)

### Suggested Vulnerability Patch Versions

- ***zstd*** has fixed the vulnerabilities in versions ***>=1.4.9***
- ***lz4*** has fixed the vulnerabilities in versions ***>=1.9.2***

Java build tools cannot report vulnerable C libraries, which may introduce potential security issues into many downstream Java projects. Could you please upgrade the above shared libraries to their patch versions?

Thanks for your help~

Best regards,
Helen Parr
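The report's point is that Java dependency scanners see only Maven coordinates, not the C shared objects a JNI wrapper jar bundles. The following is an added example, not code from the issue or the servicecomb-pack project: it enumerates the native libraries inside a jar and compares an operator-supplied C-library version against the fix thresholds quoted above. The jar layout, the sample entries and the `FIXED_IN` table are constructed for illustration; only the thresholds (zstd >= 1.4.9, lz4 >= 1.9.2) come from the issue.

```python
import hashlib, re, tempfile, zipfile
from pathlib import Path

NATIVE_SUFFIXES = (".so", ".dll", ".dylib", ".jnilib")
# Fix thresholds quoted in the issue, keyed by the bundled library's base name (constructed table).
FIXED_IN = {"libzstd-jni": "1.4.9", "liblz4-java": "1.9.2"}


def parse_version(v: str) -> tuple:
    """'1.3.7' -> (1, 3, 7); non-numeric components such as '-SNAPSHOT' sort as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.-]", v))


def version_is_fixed(c_version: str, libname: str) -> bool:
    """True when the C version linked into `libname` is at or above its fix threshold."""
    return parse_version(c_version) >= parse_version(FIXED_IN[libname])


def find_native_libs(jar_path: str) -> list:
    """Return (entry, base name, sha256) for each native library in the jar;
    'linux/amd64/libzstd-jni-1.3.7.so' yields the base name 'libzstd-jni'."""
    found = []
    with zipfile.ZipFile(jar_path) as jar:
        for info in jar.infolist():
            if info.is_dir() or not info.filename.lower().endswith(NATIVE_SUFFIXES):
                continue
            base = re.sub(r"-\d[\d.]*$", "", Path(info.filename).name.rsplit(".", 1)[0])
            found.append((info.filename, base, hashlib.sha256(jar.read(info)).hexdigest()))
    return found


def audit_jar(jar_path: str, known_c_versions: dict) -> dict:
    """Map each bundled native entry to a verdict. A jar does not declare the C
    version it was built from, so the operator supplies it per base name."""
    verdicts = {}
    for entry, base, _digest in find_native_libs(jar_path):
        c_ver = known_c_versions.get(base)
        if base not in FIXED_IN or c_ver is None:
            verdicts[entry] = "unknown"  # native code is bundled; review it manually
        else:
            verdicts[entry] = "fixed" if version_is_fixed(c_ver, base) else "vulnerable"
    return verdicts


def make_sample_jar() -> str:
    """Constructed sample jar (not a real artifact) mimicking a JNI wrapper's layout."""
    path = Path(tempfile.mkdtemp()) / "sample-deps.jar"
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("org/example/Foo.class", b"\xca\xfe\xba\xbe")
        jar.writestr("linux/amd64/libzstd-jni.so", b"\x7fELF constructed zstd stub")
        jar.writestr("linux/aarch64/liblz4-java.so", b"\x7fELF constructed lz4 stub")
        jar.writestr("win32/amd64/libzstd-jni.dll", b"MZ constructed zstd stub")
    return str(path)
```

Running `audit_jar` over every jar on the application classpath gives the inventory of embedded native code that a coordinate-based scanner never produces; the per-entry SHA-256 lets that inventory be compared against a known-good build.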
