[ https://issues.apache.org/jira/browse/AVRO-2217?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16684133#comment-16684133 ]

ASF GitHub Bot commented on AVRO-2217:
--------------------------------------

dkulp commented on issue #373: AVRO-2217 Bump Guava to patch security issues
URL: https://github.com/apache/avro/pull/373#issuecomment-437963537

   It really shouldn't matter anymore. Guava is just a test scope dependency
   for avro now, so it doesn't have the same level of importance as it used to.
   That said, it's only used in a couple of tests, so updating those tests and
   removing it entirely would be my preference.


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.


> Vulnerabilities in avro bundled packages
> ----------------------------------------
>
>                 Key: AVRO-2217
>                 URL: https://issues.apache.org/jira/browse/AVRO-2217
>             Project: Apache Avro
>          Issue Type: Bug
>          Components: java
>    Affects Versions: 1.8.2
>            Reporter: Prasanth Pallamreddy
>            Priority: Critical
>
> The following vulnerabilities exist in the packages bundled by Avro. These
> packages need to be upgraded to the latest versions. Although a few of these
> vulnerabilities were raised a couple of years ago in AVRO-1126, and an attempt
> was made to address the backwards-compatibility issue in AVRO-1605, there does
> not appear to be a resolution. If there is no resolution on these issues, we may
> be forced to fork based on [this PR|https://github.com/apache/avro/pull/87].
>
> org.codehaus.jackson:jackson-mapper-asl:1.9.13, which is known to have these
> critical / high vulns:
>  - [https://nvd.nist.gov/vuln/detail/CVE-2018-7489]
>  - [https://nvd.nist.gov/vuln/detail/CVE-2017-15095]
>  - [https://nvd.nist.gov/vuln/detail/CVE-2017-7525]
>  - [https://nvd.nist.gov/vuln/detail/CVE-2017-17485]
>  - [https://nvd.nist.gov/vuln/detail/CVE-2018-5968]
> org.codehaus.jackson:jackson-core-asl:1.9.13, which has this high
> vulnerability:
>  - [https://nvd.nist.gov/vuln/detail/CVE-2016-7051]
> org.apache.commons:commons-compress:1.8.1 has a DoS vulnerability:
>  - [https://nvd.nist.gov/vuln/detail/CVE-2018-11771]
> com.google.guava:guava:11.0.2:
>  - [https://nvd.nist.gov/vuln/detail/CVE-2018-10237]



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
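The scope distinction dkulp draws in the comment above (a test-scope artifact never reaches Avro's consumers, while compile-scope ones do) can be checked mechanically rather than by reading the POM. The script below is an added example, not code from the Avro project or from anyone in this thread: it parses the artifact lines of `mvn dependency:list` output, matches them against the exact coordinates the issue lists, and separates findings that ship to consumers (compile or runtime scope) from build-only ones. The sample Maven output is constructed for illustration and is not the real Avro dependency list; the script matches only the exact versions named in the issue, because the fixed-version ranges live in the advisories and are not assumed here.

```python
"""Flag the AVRO-2217 coordinates in `mvn dependency:list` output, split by scope.

Only compile- and runtime-scope artifacts are published transitively to
downstream users; test-scope artifacts stay inside the build, which is the
point made in the PR discussion about Guava.
"""
from __future__ import annotations

from dataclasses import dataclass

# Coordinates and CVEs exactly as listed in AVRO-2217. Only these exact versions
# are matched; fixed-version ranges are not taken from the advisories here.
KNOWN_VULNERABLE: dict[tuple[str, str, str], list[str]] = {
    ("org.codehaus.jackson", "jackson-mapper-asl", "1.9.13"): [
        "CVE-2018-7489", "CVE-2017-15095", "CVE-2017-7525",
        "CVE-2017-17485", "CVE-2018-5968",
    ],
    ("org.codehaus.jackson", "jackson-core-asl", "1.9.13"): ["CVE-2016-7051"],
    ("org.apache.commons", "commons-compress", "1.8.1"): ["CVE-2018-11771"],
    ("com.google.guava", "guava", "11.0.2"): ["CVE-2018-10237"],
}

# Maven scopes whose artifacts are resolved transitively by consumers.
SHIPPING_SCOPES = {"compile", "runtime"}


@dataclass(frozen=True)
class Dependency:
    group: str
    artifact: str
    version: str
    scope: str


def parse_dependency_list(text: str) -> list[Dependency]:
    """Parse artifact lines of `mvn dependency:list` output.

    Maven prints each artifact as groupId:artifactId:type[:classifier]:version:scope
    after an "[INFO]" prefix. Header, plugin and summary lines are skipped because
    they do not split into 5 or 6 colon-separated fields.
    """
    deps: list[Dependency] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[INFO]"):
            line = line[len("[INFO]"):].strip()
        # Newer dependency-plugin versions append " -- module ..." after the
        # coordinate, so only the first whitespace-separated token is used.
        coord = line.split()[0] if line else ""
        parts = coord.split(":")
        if len(parts) not in (5, 6):
            continue
        deps.append(Dependency(parts[0], parts[1], parts[-2], parts[-1]))
    return deps


def audit(deps: list[Dependency]) -> tuple[list, list]:
    """Return (shipping, build_only) lists of (Dependency, [CVE, ...]) findings."""
    shipping: list[tuple[Dependency, list[str]]] = []
    build_only: list[tuple[Dependency, list[str]]] = []
    for d in deps:
        cves = KNOWN_VULNERABLE.get((d.group, d.artifact, d.version))
        if not cves:
            continue
        (shipping if d.scope in SHIPPING_SCOPES else build_only).append((d, cves))
    return shipping, build_only


# Constructed sample output; not the real Avro dependency list.
SAMPLE_OUTPUT = """\
[INFO] --- maven-dependency-plugin:3.1.1:list (default-cli) @ avro ---
[INFO]
[INFO] The following files have been resolved:
[INFO]    org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:compile
[INFO]    org.codehaus.jackson:jackson-core-asl:jar:1.9.13:compile
[INFO]    org.apache.commons:commons-compress:jar:1.8.1:compile
[INFO]    com.google.guava:guava:jar:11.0.2:test
[INFO]    org.slf4j:slf4j-api:jar:1.7.7:compile
[INFO]    junit:junit:jar:4.12:test
[INFO]
"""


def main() -> None:
    shipping, build_only = audit(parse_dependency_list(SAMPLE_OUTPUT))
    for d, cves in shipping:
        print(f"SHIPS TO CONSUMERS  {d.group}:{d.artifact}:{d.version} ({d.scope})  {', '.join(cves)}")
    for d, cves in build_only:
        print(f"build-only          {d.group}:{d.artifact}:{d.version} ({d.scope})  {', '.join(cves)}")


if __name__ == "__main__":
    main()
```

Run against a real tree with `mvn dependency:list -DoutputFile=deps.txt` and feed the file to `parse_dependency_list`; the three Jackson and commons-compress findings land in the shipping list, while Guava is reported separately as build-only, which is why the comment above treats it as lower priority.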