[ https://issues.apache.org/jira/browse/AVRO-2217?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16684120#comment-16684120 ]

ASF GitHub Bot commented on AVRO-2217:
--------------------------------------

nandorKollar commented on issue #373: AVRO-2217 Bump Guava to patch security issues
URL: https://github.com/apache/avro/pull/373#issuecomment-437961402

@Fokko there's a comment above the change, saying we should use the same as Hadoop. Not sure if it is still relevant, but is Hadoop using 14.0.1? If the comment is no longer relevant, can we also delete it?

> Vulnerabilities in avro bundled packages
> ----------------------------------------
>
>                 Key: AVRO-2217
>                 URL: https://issues.apache.org/jira/browse/AVRO-2217
>             Project: Apache Avro
>          Issue Type: Bug
>          Components: java
>    Affects Versions: 1.8.2
>            Reporter: Prasanth Pallamreddy
>            Priority: Critical
>
> The following vulnerabilities exist in the packages bundled by Avro. These
> packages need to be upgraded to the latest versions. Although a few of these
> vulnerabilities were raised a couple of years ago in AVRO-1126, and an attempt
> was made to address the backwards compatibility issue in AVRO-1605, there does
> not appear to be a resolution. If there is no resolution on these issues, we
> may be forced to fork based on [this PR|https://github.com/apache/avro/pull/87].
>
> org.codehaus.jackson:jackson-mapper-asl:1.9.13, which is known to have these
> critical / high vulns:
>   - [https://nvd.nist.gov/vuln/detail/CVE-2018-7489]
>   - [https://nvd.nist.gov/vuln/detail/CVE-2017-15095]
>   - [https://nvd.nist.gov/vuln/detail/CVE-2017-7525]
>   - [https://nvd.nist.gov/vuln/detail/CVE-2017-17485]
>   - [https://nvd.nist.gov/vuln/detail/CVE-2018-5968]
>
> org.codehaus.jackson:jackson-core-asl:1.9.13, which has this high
> vulnerability:
>   - [https://nvd.nist.gov/vuln/detail/CVE-2016-7051]
>
> org.apache.commons:commons-compress:1.8.1 has a DoS vulnerability:
>   - [https://nvd.nist.gov/vuln/detail/CVE-2018-11771]
>
> com.google.guava:guava:11.0.2
>   - [https://nvd.nist.gov/vuln/detail/CVE-2018-10237]



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)