[
https://issues.apache.org/jira/browse/AVRO-2217?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Prasanth Pallamreddy updated AVRO-2217:
---------------------------------------
Description:
The following vulnerabilities exist in the packages bundled by Avro. These
packages need to be upgraded to the latest versions. Although a few of these
vulnerabilities were raised a couple of years ago in AVRO-1126 and an attempt
to address the backwards compatibility issue in AVRO-1605 there does not appear
to be a resolution. If there is no resolution on these issues, we may be forced
to fork based on [this PR|https://github.com/apache/avro/pull/87].
org.codehaus.jackson:jackson-mapper-asl:1.9.13 which is known to have these
critical / high vulns:
[https://nvd.nist.gov/vuln/detail/CVE-2018-7489]
[https://nvd.nist.gov/vuln/detail/CVE-2017-15095]
[https://nvd.nist.gov/vuln/detail/CVE-2017-7525]
[https://nvd.nist.gov/vuln/detail/CVE-2017-17485]
[https://nvd.nist.gov/vuln/detail/CVE-2018-5968]
org.codehaus.jackson:jackson-core-asl:1.9.13 which has this high vulnerability:
- [https://nvd.nist.gov/vuln/detail/CVE-2016-7051]
org.apache.commons:commons-compress:1.8.1 has a DOS vulnerability:
- [https://nvd.nist.gov/vuln/detail/CVE-2018-11771]
com.google.guava:guava:11.0.2
-[https://nvd.nist.gov/vuln/detail/CVE-2018-10237]
was:
The following vulnerabilities exist in the packages bundled by Avro. These
packages need to be upgraded to the latest versions. Although a few of these
vulnerabilities were raised a couple of years ago in AVRO-1126 and an attempt
to address the backwards compatibility issue in AVRO-1605 there does not appear
to be a resolution. If there is no resolution on these issues, we may be forced
to fork based on [this PR|https://github.com/apache/avro/pull/87].
org.codehaus.jackson:jackson-mapper-asl:1.9.13 which is known to have these
critical / high vulns:
[https://nvd.nist.gov/vuln/detail/CVE-2018-7489]
[https://nvd.nist.gov/vuln/detail/CVE-2017-15095]
[https://nvd.nist.gov/vuln/detail/CVE-2017-7525]
[https://nvd.nist.gov/vuln/detail/CVE-2017-17485]
[https://nvd.nist.gov/vuln/detail/CVE-2018-5968]
org.codehaus.jackson:jackson-core-asl:1.9.13 which has this high vulnerability:
- [https://nvd.nist.gov/vuln/detail/CVE-2016-7051]
org.apache.commons:commons-compress:1.8.1 has a DOS vulnerability:
- [https://nvd.nist.gov/vuln/detail/CVE-2018-11771]
> Vulnerabilities in avro bundled packages
> ----------------------------------------
>
> Key: AVRO-2217
> URL: https://issues.apache.org/jira/browse/AVRO-2217
> Project: Avro
> Issue Type: Bug
> Components: java
> Affects Versions: 1.8.2
> Reporter: Prasanth Pallamreddy
> Priority: Critical
>
> The following vulnerabilities exist in the packages bundled by Avro. These
> packages need to be upgraded to the latest versions. Although a few of these
> vulnerabilities were raised a couple of years ago in AVRO-1126 and an attempt
> to address the backwards compatibility issue in AVRO-1605 there does not
> appear to be a resolution. If there is no resolution on these issues, we may
> be forced to fork based on [this PR|https://github.com/apache/avro/pull/87].
>
> org.codehaus.jackson:jackson-mapper-asl:1.9.13 which is known to have these
> critical / high vulns:
> [https://nvd.nist.gov/vuln/detail/CVE-2018-7489]
> [https://nvd.nist.gov/vuln/detail/CVE-2017-15095]
> [https://nvd.nist.gov/vuln/detail/CVE-2017-7525]
> [https://nvd.nist.gov/vuln/detail/CVE-2017-17485]
> [https://nvd.nist.gov/vuln/detail/CVE-2018-5968]
> org.codehaus.jackson:jackson-core-asl:1.9.13 which has this high
> vulnerability:
> - [https://nvd.nist.gov/vuln/detail/CVE-2016-7051]
> org.apache.commons:commons-compress:1.8.1 has a DOS vulnerability:
> - [https://nvd.nist.gov/vuln/detail/CVE-2018-11771]
> com.google.guava:guava:11.0.2
> -[https://nvd.nist.gov/vuln/detail/CVE-2018-10237]
>
>
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
