[https://issues.apache.org/jira/browse/AVRO-2217?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16684012#comment-16684012]
ASF GitHub Bot commented on AVRO-2217:
--------------------------------------
Fokko opened a new pull request #373: AVRO-2217 Bump Guava to patch security issues
URL: https://github.com/apache/avro/pull/373
Commons and Jackson are already upgraded.
https://issues.apache.org/jira/projects/AVRO/issues/AVRO-2217
> Vulnerabilities in avro bundled packages
> ----------------------------------------
>
> Key: AVRO-2217
> URL: https://issues.apache.org/jira/browse/AVRO-2217
> Project: Apache Avro
> Issue Type: Bug
> Components: java
> Affects Versions: 1.8.2
> Reporter: Prasanth Pallamreddy
> Priority: Critical
>
> The following vulnerabilities exist in the packages bundled by Avro. These
> packages need to be upgraded to the latest versions. Although a few of these
> vulnerabilities were raised a couple of years ago in AVRO-1126, and an attempt
> was made to address the backwards-compatibility issue in AVRO-1605, there does
> not appear to be a resolution. If there is no resolution on these issues, we may
> be forced to fork based on [this PR|https://github.com/apache/avro/pull/87].
>
> org.codehaus.jackson:jackson-mapper-asl:1.9.13, which is known to have these
> critical / high vulns:
> - [https://nvd.nist.gov/vuln/detail/CVE-2018-7489]
> - [https://nvd.nist.gov/vuln/detail/CVE-2017-15095]
> - [https://nvd.nist.gov/vuln/detail/CVE-2017-7525]
> - [https://nvd.nist.gov/vuln/detail/CVE-2017-17485]
> - [https://nvd.nist.gov/vuln/detail/CVE-2018-5968]
>
> org.codehaus.jackson:jackson-core-asl:1.9.13, which has this high
> vulnerability:
> - [https://nvd.nist.gov/vuln/detail/CVE-2016-7051]
>
> org.apache.commons:commons-compress:1.8.1 has a DoS vulnerability:
> - [https://nvd.nist.gov/vuln/detail/CVE-2018-11771]
>
> com.google.guava:guava:11.0.2
> - [https://nvd.nist.gov/vuln/detail/CVE-2018-10237]