On Wed, 2019-05-15 at 19:38 +0000, Homer, Tony wrote:
> Thanks to Fred Bricon who suggested that I contact this list:
>
> >> Usually, guava versions need to be aligned across all Eclipse projects, so
> >> you might want to raise the issue in the cross-projects ML
>
> My team builds an Eclipse product which includes m2e.
> Our company policy requires us to scan for CVEs and we found several
> affecting m2e, including CVE-2018-10237, which m2e is exposed to via
> dependence on a vulnerable version of guava.
> m2e is currently using 21.0.0, which is the latest currently
> available in Orbit.
> The CVE is fixed starting with guava 24.1.1.
> The latest guava release is 27.1.
>
> In order to work around this issue, my team forked m2e locally and updated
> our fork to use guava 27.0.1 (as mentioned in Bug 547338).
> I’d like to add guava 27.0.1 or 27.1 (pending compatibility investigation) to
> Orbit so that Eclipse projects can switch to a guava that is not vulnerable
> to any published CVEs.
> I plan to open a change request with Orbit for this.
> What else is needed to move this forward in time for 2019-06?
The Eclipse project expecting to consume the newer Guava, m2e, needs to file a CQ for this, and it should get marked as mature IP since Guava 21.0 is already shipping in Orbit. From there we could file a bug and get it into Orbit, and remove the older one(s) from active builds.

Cheers,

--
Roland Grunberg

_______________________________________________
cross-project-issues-dev mailing list
[email protected]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev
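The kind of check Tony's CVE scan performs, as an added example that is not part of the thread or of m2e/Orbit: it compares OSGi bundle versions against the first fixed Guava release named above (24.1.1 for CVE-2018-10237) and also reads the lower bound of a `Require-Bundle` version range, since a plug-in that declares `[21.0.0,22.0.0)` can only ever resolve to an affected Guava. The bundle list, the manifest header, the qualifier strings and all function names are constructed for the example.

```python
"""Flag Guava bundles that predate the CVE-2018-10237 fix (added example).

The CVE id, the fixed version (24.1.1) and the versions 21.0.0 / 27.0.1 come
from the mailing-list thread; the sample bundles, manifest header and
qualifiers are constructed and are not real Orbit or m2e artifacts.
"""
import re
from typing import List, Optional, Tuple

AFFECTED_CVE = "CVE-2018-10237"
GUAVA_BSN = "com.google.guava"
GUAVA_FIXED_VERSION = "24.1.1"  # first Guava release containing the fix (per thread)

OsgiVersion = Tuple[int, int, int, str]


def parse_osgi_version(version: str) -> OsgiVersion:
    """Parse 'major.minor.micro[.qualifier]' into a tuple that sorts like OSGi does.

    Missing numeric segments default to 0. The qualifier is compared as a plain
    string, so '24.1.1' (empty qualifier) sorts before '24.1.1.v20190101', matching
    the OSGi Version ordering.
    """
    m = re.fullmatch(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:\.([\w-]+))?", version.strip())
    if not m:
        raise ValueError(f"not an OSGi version: {version!r}")
    major, minor, micro, qualifier = m.groups()
    return (int(major), int(minor or 0), int(micro or 0), qualifier or "")


def is_vulnerable_guava(version: str) -> bool:
    """True when a Guava bundle version is below the first fixed release."""
    return parse_osgi_version(version) < parse_osgi_version(GUAVA_FIXED_VERSION)


def scan_bundles(bundles: List[Tuple[str, str]]) -> List[str]:
    """Return one finding per installed Guava bundle still affected by the CVE."""
    findings = []
    for symbolic_name, version in bundles:
        if symbolic_name == GUAVA_BSN and is_vulnerable_guava(version):
            findings.append(
                f"{symbolic_name} {version}: affected by {AFFECTED_CVE} "
                f"(fixed in {GUAVA_FIXED_VERSION})"
            )
    return findings


def guava_lower_bound(require_bundle_header: str) -> Optional[str]:
    """Extract the lowest Guava version a Require-Bundle header will accept.

    Minimal parser for the assumed header shape
    'name;bundle-version="[low,high)",name2,...'; quoted ranges may contain commas,
    so tokens are matched with a regex rather than split on ','. A bare version
    means '[version, infinity)' in OSGi, so its lower bound is the version itself.
    """
    token = re.compile(r'([\w.\-]+)(?:;bundle-version="([^"]*)")?')
    for name, version_range in token.findall(require_bundle_header):
        if name != GUAVA_BSN:
            continue
        if not version_range:
            return "0.0.0"  # no constraint: any Guava, including vulnerable ones
        return version_range.lstrip("[(").split(",")[0].strip()
    return None


# Constructed sample: what a p2/Orbit bundle listing and an m2e-style manifest
# header might look like. Qualifiers are made up for the example.
SAMPLE_BUNDLES = [
    (GUAVA_BSN, "21.0.0.v20170206-1425"),        # the version Orbit ships (thread)
    (GUAVA_BSN, "27.0.1.v20190306-0400"),        # the forked m2e's upgraded version
    ("org.eclipse.m2e.core", "1.12.0.20190417-0023"),
]
SAMPLE_REQUIRE_BUNDLE = (
    'org.eclipse.core.runtime,'
    'com.google.guava;bundle-version="[21.0.0,22.0.0)",'
    'org.eclipse.m2e.maven.runtime'
)


def check_manifest_range(require_bundle_header: str) -> Optional[str]:
    """Finding if the declared Guava range admits a vulnerable version at its low end."""
    low = guava_lower_bound(require_bundle_header)
    if low is not None and is_vulnerable_guava(low):
        return f"Require-Bundle lower bound {low} admits Guava affected by {AFFECTED_CVE}"
    return None


if __name__ == "__main__":
    for line in scan_bundles(SAMPLE_BUNDLES):
        print(line)
    print(check_manifest_range(SAMPLE_REQUIRE_BUNDLE))
```

The range check is the more useful of the two in a Tycho/PDE build: even after a fixed Guava lands in Orbit, a plug-in whose manifest pins `[21.0.0,22.0.0)` keeps resolving to the old bundle until its own manifest is widened, which is the "align across all Eclipse projects" point in the quoted advice.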
